VPN appears to connect but no traffic
-
Fairly new to pfSense. I'm attempting to make an IPsec connection to a Fortigate router that is managed by a 3rd party.
The pfSense system is behind NAT (ESP protocol is configured) on a VM with its LAN on 10.3.0.0/24.
The remote Fortigate's LAN is 10.0.0.0/24.
The P1 and P2 connections appear to show connection established. However I don't see a route to 10.0.0.0/24 in the routing table of the pfSense system despite having that destination LAN declared in the P2 settings. If I try a traceroute to 10.0.0.60 (a machine I know is there) the traffic appears to go out over the WAN interface rather than being directed over the VPN.
I saw a similar post to this one where the fix was sorting out the P2 settings. But I don't think that's the issue here.
Any suggestions for how I go about diagnosing this?
Many thanks
Ken
-
@kens I should say the pfSense system is 2.5.2
I can change the pfSense system to be on a public IP if that would help
-
Is this the first IPsec connection on this firewall? If so, do you have rules in place under IPsec to allow traffic over IPsec?
If it is going out over the WAN, I would still be inclined to check the P1 and P2 settings. If the P2 is established correctly, pfSense should route it automatically.
Are you using the 10.0.0.0/24 elsewhere in the system?
-
@kens When the connection attempt is made, can you see the traffic using the pfTop tool in pfSense?
-
Thank you for all the responses. It turned out to be firewall policies at the 3rd party Fortigate that needed attention.
In case anyone reads this in future: this configuration has several Phase 2 entries for different subnets. To make it work, the setting "Split Connections" needed to be enabled in the Phase 1 configuration.
-
@kens said in VPN appears to connect but no traffic:
Split Connections
Do you refer to "Split Connections" in the 3rd party firewall or in your pfSense? I have searched in the setup of Phase 1 in my pfSense 2.5.2 fw, but I have not found this parameter.
-
@alejjime It's on the pfSense, toward the bottom of the Phase 1 page. :-)
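-
Added example (not part of the thread above, and not pfSense or strongSwan code): a small diagnostic for the situation in the first post and in Ken's final answer. On pfSense, a policy-based (non-VTI) IPsec tunnel never adds an entry to the routing table, so the missing route to 10.0.0.0/24 is expected; packets only enter the tunnel when a kernel IPsec policy derived from an installed child SA (Phase 2) matches their source and destination, otherwise they follow the default route out the WAN, which is exactly the traceroute behaviour described. With several Phase 2 entries and "Split Connections" off, pfSense negotiates one child SA carrying multiple traffic selectors, which a peer that accepts only one selector per child SA may silently trim; with the option on, each Phase 2 becomes its own connection and child SA. The script parses `swanctl --list-sas` output for installed child SAs and their selectors, then reports whether a given source/destination pair would be covered. The sample outputs, connection names and addresses are constructed and only approximate the real swanctl layout.

```python
"""Check whether a src -> dst pair is covered by an installed IPsec child SA.

Parses the child SA (Phase 2) sections of `swanctl --list-sas` output. If no
INSTALLED child SA has a local selector containing src and a remote selector
containing dst, there is no IPsec policy for that traffic and the packet takes
the normal route (the WAN default route on the poster's firewall).
"""
import ipaddress
import re

# Constructed sample output (approximate swanctl format, documentation addresses,
# made-up connection names). Scenario before the fix: two Phase 2 entries were
# configured, but the single merged child SA came up with only 10.0.1.0/24, so
# 10.0.0.0/24 has no policy at all.
BEFORE = """\
con1: #1, ESTABLISHED, IKEv2, 7f3c1d2e9a0b4c5d_i 0a1b2c3d4e5f6a7b_r*
  local  '203.0.113.10' @ 203.0.113.10[4500]
  remote '198.51.100.5' @ 198.51.100.5[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 120s ago, rekeying in 27000s
  con1: #3, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 120s ago, rekeying in 2850s, expires in 3480s
    in  c1a2b3c4,      0 bytes,     0 packets
    out d4e5f6a7,   1280 bytes,    10 packets
    local  10.3.0.0/24
    remote 10.0.1.0/24
"""

# Same peer after enabling Split Connections: one connection and one child SA
# per Phase 2, each with a single traffic selector pair (constructed).
AFTER = """\
con1: #1, ESTABLISHED, IKEv2, 7f3c1d2e9a0b4c5d_i 0a1b2c3d4e5f6a7b_r*
  local  '203.0.113.10' @ 203.0.113.10[4500]
  remote '198.51.100.5' @ 198.51.100.5[4500]
  con1: #3, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    local  10.3.0.0/24
    remote 10.0.0.0/24
con2: #2, ESTABLISHED, IKEv2, 1122334455667788_i 8877665544332211_r*
  local  '203.0.113.10' @ 203.0.113.10[4500]
  remote '198.51.100.5' @ 198.51.100.5[4500]
  con2: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    local  10.3.0.0/24
    remote 10.0.1.0/24
"""

# IKE SA headers start at column 0; child SA headers are indented and carry a
# reqid; selector lines are indented and hold bare CIDRs (no quotes, unlike the
# IKE-level 'identity' @ address lines, which the character class rejects).
IKE_HDR = re.compile(r"^(?P<name>\S+): #(?P<id>\d+), (?P<state>[A-Z]+),")
CHILD_HDR = re.compile(r"^\s+(?P<name>\S+): #(?P<id>\d+), reqid \d+, (?P<state>[A-Z]+),")
SELECTOR = re.compile(r"^\s+(?P<side>local|remote)\s+(?P<nets>[0-9A-Fa-f:./ ]+)$")


def parse_child_sas(text):
    """Return a list of child SAs: name, id, state, local/remote selector lists."""
    sas, current = [], None
    for line in text.splitlines():
        m = CHILD_HDR.match(line)
        if m:
            current = {"name": m["name"], "id": int(m["id"]),
                       "state": m["state"], "local": [], "remote": []}
            sas.append(current)
            continue
        if IKE_HDR.match(line):      # a new IKE SA block; not inside a child SA
            current = None
            continue
        m = SELECTOR.match(line)
        if m and current is not None:
            current[m["side"]] = [ipaddress.ip_network(n, strict=False)
                                  for n in m["nets"].split()]
    return sas


def covering_sas(sas, src, dst):
    """Installed child SAs whose selectors would match a packet src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [sa for sa in sas
            if sa["state"] == "INSTALLED"
            and any(src in net for net in sa["local"])
            and any(dst in net for net in sa["remote"])]


def route_decision(text, src, dst):
    """'ipsec' if some installed child SA covers the pair, else 'wan'."""
    return "ipsec" if covering_sas(parse_child_sas(text), src, dst) else "wan"


if __name__ == "__main__":
    for label, text in (("before split connections", BEFORE),
                        ("after split connections", AFTER)):
        sas = parse_child_sas(text)
        print(f"{label}: {len(sas)} child SA(s)")
        for sa in sas:
            print(f"  {sa['name']}#{sa['id']} {sa['state']}: "
                  f"{[str(n) for n in sa['local']]} -> {[str(n) for n in sa['remote']]}")
        print("  10.3.0.15 -> 10.0.0.60 goes via:", route_decision(text, "10.3.0.15", "10.0.0.60"))
```

Run it on the real output of `swanctl --list-sas` from the pfSense shell (Diagnostics > Command Prompt) instead of the constructed samples. If the destination you are tracerouting reports `wan`, no Phase 2 for that pair is installed, regardless of what the IPsec status page shows for the Phase 1, and the place to look is the Phase 2 selectors on both sides (and, as in this thread, the peer's policies).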