IPSec VTI - can ping from pfSense but not from LAN computer
-
@mclaborn I strongly believe you are missing PBR rule(s).
-
@gabacho4 Missing PBR was the problem, thank you.
Weird though - I modeled this new VPN after an existing one that is working correctly and the existing one does not have any PBR.
-
@mclaborn glad it’s working now. Don’t see how the other could possibly be working without PBR if it is a VTI IPSec setup. That’s the whole point of VTI. If it’s a traditional policy-based IPSec connection (tunnel mode for the P2) then yes, you don’t need the PBR because the policy creates those routes.
-
@gabacho4 I don't understand either. The one that is working without PBR does have static routes defined (on the local end).
-
@mclaborn is the vti gateway set as the default for your network?
-
@mclaborn said in IPSec VTI - can ping from pfSense but not from LAN computer:
I don't understand either. The one that is working without PBR does have static routes defined (on the local end).
I had a ticket last night from someone that had a PBR and a VTI and he couldn't get anything going because the pings were hitting the PBR rule and pushing it out.
Our solution was to disable the PBR to verify, but then I suggested he set up a rule that takes all non-RFC1918 addresses and PBR that out his WAN2 instead. He'll likely go that route in the end but it was a definite learning experience for both of us.
Ryan
Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
Requesting firmware for your Netgate device? https://go.netgate.com
Switching: Mikrotik, Netgear, Extreme
Wireless: Aruba, Ubiquiti -
@gabacho4 No
-
@rcoleman-netgate That's just as strange as mine. It feels like there is something flaky going on here with routing and VTI. I'm willing to dig into it more if you want to try to figure it out.
-
@mclaborn Do packet captures... first on the interface it comes in on, then on the one it should go out on, then on the rest... that's how we confirmed it was a PBR that was passing his ICMP for the VTI destination out through WAN2.
Ryan
Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
Requesting firmware for your Netgate device? https://go.netgate.com
Switching: Mikrotik, Netgear, Extreme
Wireless: Aruba, Ubiquiti -
@rcoleman-netgate I did that already as I was trying to figure it out. Doing a ping from a computer on the LAN to an address on the other side of the VPN, before adding PBR:
- packet capture on LAN shows ping outgoing but no reply
- packet capture on VTI does not show anything
- packet capture on WAN shows ping outgoing but no reply
-
@mclaborn Ok from there Id check the Routes table, I'd check all your firewall rules, and I'd run a tracert to see if if it going somewhere funky.
Also check your Outbound NAT rules to see if there's a redirect there, too, or maybe you have a 1:1 that is translating the IP to something else.
