Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Site to Site VPN - Established and 'Installed'/Connected

    Scheduled Pinned Locked Moved
    IPsec
    2
    4
    796
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      Alasdair
      last edited by Alasdair

      I am having an issue with my IPsec Site to Site VPN. The connection Establishes and shows as 'Installed' (which I assume is 'Connected'), however, I am not able to ping/communicate with the other site. I have the latest version of pfSense at both ends (2.6.0). Each pfSense box has a /29 block of Failover IP's, however, IPsec is using the standard WAN interface.

      I have followed the official NetGate/pfsense documentation on setting up an IPsec Site to Site VPN with a Pre-shared Key. DPD is enabled.

      The SAD's are matching on both ends.

      I am allowing 500 and 4500 UDP on the WAN interfaces on both ends and have 'Allow All' and 'Any' (for testing) on the IPsec interfaces in the Firewall settings.

      IPsec Status on the Initiator side:

      e8746c0f-7ef8-43db-b1f2-66760293884d-image.png

      I have enabled logging on all of the IPsec related rules, however, I am seeing absolutely no traffic being passed either on the WAN interface, or the IPsec interfaces, both ends.

      This is the output of ipsec statusall.

      a4326699-049c-4085-8cf7-2156998ab027-image.png

      EDIT: Just to follow up... I have rebooted... many times.

      A 1 Reply Last reply Reply Quote 0
      • A
        Alasdair @Alasdair
        last edited by Alasdair

        @alasdair

        Following up with my P1 and P2 from both ends.

        fce1d18a-561d-4540-abd4-1026c15cda23-image.png

        IPsec service system logs (Left - Initiator | Right - Responder):

        8efc218a-9310-4205-b21b-40f91138421c-image.png

        Firewall > IPsec (Left - Initiator | Right - Responder):

        ea2d194b-12d1-4ebf-ba40-3c1687acdaf9-image.png

        Firewall > WAN_UPLINK (Left - Initiator | Right - Responder):

        338018a4-3323-4fb5-9314-34df53cf489a-image.png

        NAT Rules:

        4e081829-75ef-47f1-b5f8-98511b51da07-image.png

        Initiator Outbound NAT rule:

        dd75bb08-2cf1-4827-994c-166f1d2bf002-image.png

        Responder Outbound NAT rule:

        0575c9e6-1bd7-4367-967f-cbafe0f3cadf-image.png

        K 1 Reply Last reply Reply Quote 0
        • K
          Konstanti @Alasdair
          last edited by Konstanti

          @alasdair

          Hi
          The screenshots show that for some reason traffic does not get into the tunnel ( from both sides ) . The traffic counters are 0.

          To begin with , if I were you , I would check the rules on the Lan interface that
          1 on the initiator's side - traffic is allowed for the network 10.2.1.0/29
          2 on the responder's side - traffic is allowed for the network 10.0.1.0/29

          It should also be remembered that traffic from hosts will get into the tunnel
          10.0.1.1 -10.0.1.6
          10.2.1.1 - 10.2.1.6

          and I also don't understand the Nat settings (in my opinion, in the case of an Ipsec tunnel, such settings are not needed for Nat Outbound)

          A 1 Reply Last reply Reply Quote 0
          • A
            Alasdair @Konstanti
            last edited by

            @konstanti Hi, thanks for coming back to me.

            I have an Network Alias with all of my subnets, on both sides, attached to the Alias.

            I have Allow All for the alias networks.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post