Netgate Discussion Forum
Site to Site VPN - Established and 'Installed'/Connected

Alasdair, Mar 17, 2023, 6:45 PM

    I am having an issue with my IPsec Site to Site VPN. The connection establishes and shows as 'Installed' (which I assume is 'Connected'), however, I am not able to ping/communicate with the other site. I have the latest version of pfSense at both ends (2.6.0). Each pfSense box has a /29 block of Failover IPs, however, IPsec is using the standard WAN interface.

    I have followed the official Netgate/pfSense documentation on setting up an IPsec Site to Site VPN with a Pre-shared Key. DPD is enabled.

    The SADs are matching on both ends.

    I am allowing 500 and 4500 UDP on the WAN interfaces on both ends and have 'Allow All' and 'Any' (for testing) on the IPsec interfaces in the Firewall settings.

    IPsec Status on the Initiator side:

    [screenshot]

    I have enabled logging on all of the IPsec related rules, however, I am seeing absolutely no traffic being passed either on the WAN interface, or the IPsec interfaces, both ends.

    This is the output of ipsec statusall.

    [screenshot]

    EDIT: Just to follow up... I have rebooted... many times.

    Alasdair @Alasdair, Mar 17, 2023, 6:48 PM (last edited Mar 17, 2023, 7:12 PM)

      @alasdair

      Following up with my P1 and P2 from both ends.

      [screenshot]

      IPsec service system logs (Left - Initiator | Right - Responder):

      [screenshot]

      Firewall > IPsec (Left - Initiator | Right - Responder):

      [screenshot]

      Firewall > WAN_UPLINK (Left - Initiator | Right - Responder):

      [screenshot]

      NAT Rules:

      [screenshot]

      Initiator Outbound NAT rule:

      [screenshot]

      Responder Outbound NAT rule:

      [screenshot]

      Konstanti @Alasdair, Mar 18, 2023, 4:45 AM (last edited Mar 18, 2023, 4:59 AM)

        @alasdair

        Hi
        The screenshots show that for some reason traffic does not get into the tunnel (from both sides). The traffic counters are 0.

        To begin with, if I were you, I would check the rules on the LAN interface so that:
        1. on the initiator's side, traffic is allowed for the network 10.2.1.0/29
        2. on the responder's side, traffic is allowed for the network 10.0.1.0/29

        It should also be remembered that traffic will get into the tunnel from the hosts
        10.0.1.1 - 10.0.1.6
        10.2.1.1 - 10.2.1.6

        I also don't understand the NAT settings (in my opinion, in the case of an IPsec tunnel, such Outbound NAT settings are not needed).

          Alasdair @Konstanti, Mar 19, 2023, 2:02 PM
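An added example, not code from the thread or from Netgate: a small Python checker that reads the child-SA lines of `ipsec statusall` (the output Alasdair posted as a screenshot) and answers the two questions Konstanti's reply raises, namely whether the Phase 2 selector actually covers the source and destination of the test packet, and whether the byte counters show anything entering or leaving the tunnel. The `ipsec statusall` text below is constructed, modelled on strongSwan's stroke output; 203.0.113.1 and 198.51.100.1 are documentation addresses, the /29 selectors are the thread's, and `con1` is an assumed connection name. It goes slightly beyond the thread in one case: a ping issued from the firewall itself is sourced from the WAN address, which no Phase 2 selects, so it never enters the tunnel even though the SA is INSTALLED (on pfSense, test from a LAN host or use Diagnostics > Ping with a LAN source address).

```python
"""Check whether a src/dst pair would be selected into an IPsec child SA
and whether that SA's counters show traffic, from `ipsec statusall` text."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the child-SA lines strongSwan's
# `ipsec statusall` prints on pfSense 2.6 (stroke interface). Endpoints
# are documentation addresses; selectors are the thread's /29 networks.
SAMPLE_STATUSALL = """\
Security Associations (1 up, 0 connecting):
      con1[1]: ESTABLISHED 2 minutes ago, 203.0.113.1[203.0.113.1]...198.51.100.1[198.51.100.1]
      con1[1]: IKEv2 SPIs: 0123456789abcdef_i* fedcba9876543210_r, pre-shared key reauthentication in 7 hours
      con1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0a1b2c3_i d4e5f6a7_o
      con1{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
      con1{1}:   10.0.1.0/29 === 10.2.1.0/29
"""

# "0 bytes_i, 0 bytes_o" when idle; "1200 bytes_i (10 pkts, 3s ago), ..." once traffic flows.
COUNTER_RE = re.compile(
    r"^\s*(?P<sa>\S+\{\d+\}):\s+.*?(?P<bi>\d+) bytes_i(?: \([^)]*\))?, (?P<bo>\d+) bytes_o"
)
# Traffic selectors: "<local nets> === <remote nets>", space separated when several.
SELECTOR_RE = re.compile(r"^\s*(?P<sa>\S+\{\d+\}):\s+(?P<local>.+?) === (?P<remote>.+?)\s*$")

NO_SELECTOR = "NO_SELECTOR"      # no child SA covers src -> dst: packet stays on the WAN path
SELECTED_IDLE = "SELECTED_IDLE"  # an SA covers it, but nothing has gone out: look at LAN rules / NAT
ONE_WAY = "ONE_WAY"              # we send, nothing comes back: look at the far side
CARRYING = "CARRYING"            # traffic in both directions


@dataclass
class ChildSA:
    name: str
    bytes_in: int = 0
    bytes_out: int = 0
    local_ts: list = field(default_factory=list)
    remote_ts: list = field(default_factory=list)


def parse_statusall(text: str) -> dict:
    """Return {sa_name: ChildSA} from the child-SA lines of `ipsec statusall`."""
    sas = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            sa = sas.setdefault(m["sa"], ChildSA(m["sa"]))
            sa.bytes_in, sa.bytes_out = int(m["bi"]), int(m["bo"])
            continue
        m = SELECTOR_RE.match(line)
        if m:
            sa = sas.setdefault(m["sa"], ChildSA(m["sa"]))
            sa.local_ts = [ipaddress.ip_network(n) for n in m["local"].split()]
            sa.remote_ts = [ipaddress.ip_network(n) for n in m["remote"].split()]
    return sas


def classify(sas: dict, src: str, dst: str):
    """Which child SA (if any) selects src -> dst, and what its counters say."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sa in sas.values():
        if any(s in n for n in sa.local_ts) and any(d in n for n in sa.remote_ts):
            if sa.bytes_out == 0:
                return SELECTED_IDLE, sa.name
            if sa.bytes_in == 0:
                return ONE_WAY, sa.name
            return CARRYING, sa.name
    return NO_SELECTOR, None


if __name__ == "__main__":
    sas = parse_statusall(SAMPLE_STATUSALL)
    for src, dst in [
        ("10.0.1.2", "10.2.1.2"),     # LAN host to LAN host: selected, but counters are 0
        ("203.0.113.1", "10.2.1.2"),  # ping sourced from the WAN address: never selected
        ("10.0.1.9", "10.2.1.2"),     # outside the /29: never selected
    ]:
        print(f"{src} -> {dst}: {classify(sas, src, dst)}")
```

Run it against the real output with `ipsec statusall | python3 check_sa.py` after replacing `SAMPLE_STATUSALL` with `sys.stdin.read()`; `SELECTED_IDLE` on both ends, with a packet source that really is inside the local selector, points at the firewall rules on the source interface or at an Outbound NAT rule rewriting the source before the kernel's IPsec policy lookup, which is exactly the combination Konstanti suggests checking.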

          @konstanti Hi, thanks for coming back to me.

          I have a Network Alias with all of my subnets, on both sides, attached to the Alias.

          I have Allow All for the alias networks.
