IPSEC VPN Passes traffic out but not in
-
I've got an IPSEC site-to-site VPN set up, with both P1 and P2 connected fine.
If I ping from the pfsense site to the remote site, the "Packets out" count on the P2 increments as expected.
Wireshark on the remote host sees the incoming ping, and the host sends a reply, also visible in Wireshark.
The firewall at the remote site logs the return packet going out over the IPSEC tunnel, so packets in and packets out match, as I'd expect for one site pinging the other.
PFSense never logs the returned packet under the P2 section of IPSEC status, nor can I find this packet logged in the firewall log. What might be happening to these packets, and where should I be looking for more information? I have an allow all IPSEC rule, and this works OK as I have another site-to-site IPSEC on the same pfSense and this one passes packets as expected.
Thanks for any suggestions!
-
Log entries on the pfSense, showing it's clearly getting the Ping response back; I'm just not sure how to find out what it's doing with it after that. I've removed a few repetitive entries but nothing that seems pertinent.
May 4 14:57:21 charon 46137 16[JOB] got event, queuing job for execution
May 4 14:57:21 charon 46137 16[JOB] next event in 88ms, waiting
May 4 14:57:21 charon 46137 16[JOB] got event, queuing job for execution
May 4 14:57:21 charon 46137 16[JOB] next event in 5s 890ms, waiting
May 4 14:57:21 charon 46137 09[IKE] <con2|12> sending DPD request
May 4 14:57:21 charon 46137 09[IKE] <con2|12> queueing IKE_DPD task
May 4 14:57:21 charon 46137 09[IKE] <con2|12> activating new tasks
May 4 14:57:21 charon 46137 09[IKE] <con2|12> activating IKE_DPD task
May 4 14:57:21 charon 46137 16[JOB] next event in 5s 890ms, waiting
May 4 14:57:21 charon 46137 09[ENC] <con2|12> order payloads in message
May 4 14:57:21 charon 46137 09[ENC] <con2|12> generating INFORMATIONAL request 1585 [ ]
May 4 14:57:21 charon 46137 09[ENC] <con2|12> generating payload of type HEADER
May 4 14:57:21 charon 46137 09[ENC] <con2|12> generating ENCRYPTED payload finished
May 4 14:57:21 charon 46137 09[NET] <con2|12> sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (80 bytes)
May 4 14:57:21 charon 46137 04[NET] sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500]
May 4 14:57:21 charon 46137 16[JOB] next event in 3s 999ms, waiting
May 4 14:57:21 charon 46137 02[NET] received packet => 80 bytes @ 0x7fffdfdfa5f0
May 4 14:57:21 charon 46137 02[NET] received packet: from Y.Y.Y.Y[500] to X.X.X.X[500]
May 4 14:57:21 charon 46137 02[ENC] parsing header of message
May 4 14:57:21 charon 46137 02[ENC] parsed a INFORMATIONAL response header
May 4 14:57:21 charon 46137 02[NET] waiting for data on sockets
May 4 14:57:21 charon 46137 09[NET] <con2|12> received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (80 bytes)
May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsing body of message, first payload is ENCRYPTED
May 4 14:57:21 charon 46137 09[ENC] <con2|12> starting parsing a ENCRYPTED payload
May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsing ENCRYPTED payload, 52 bytes left
May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsing ENCRYPTED payload finished
May 4 14:57:21 charon 46137 09[ENC] <con2|12> verifying payload of type ENCRYPTED
May 4 14:57:21 charon 46137 09[ENC] <con2|12> ENCRYPTED payload verified, adding to payload list
May 4 14:57:21 charon 46137 09[ENC] <con2|12> ENCRYPTED payload found, stop parsing
May 4 14:57:21 charon 46137 09[ENC] <con2|12> process payload of type ENCRYPTED
May 4 14:57:21 charon 46137 09[ENC] <con2|12> found an encrypted payload
May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsed content of encrypted payload
May 4 14:57:21 charon 46137 09[ENC] <con2|12> verifying message structure
May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsed INFORMATIONAL response 1585 [ ]
May 4 14:57:21 charon 46137 09[IKE] <con2|12> activating new tasks
May 4 14:57:21 charon 46137 09[IKE] <con2|12> nothing to initiate
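An added example, not from the post and not pfSense or strongSwan code: a small parser for the charon log format quoted above, run over constructed sample lines modelled on it. It groups entries by IKE SA and subsystem and pairs the INFORMATIONAL request/response message IDs, which makes visible that every quoted entry belongs to one IKEv2 DPD exchange on SA con2|12; charon logs IKE control traffic, not the individual ESP data packets (such as the ping reply) that the question is about.

```python
import re
from collections import Counter

# One strongSwan charon line as pfSense syslogs it:
# "<mon> <day> <hh:mm:ss> charon <pid> <thread>[<subsystem>] [<ike-sa>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) charon (?P<pid>\d+) "
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$"
)
# IKEv2 INFORMATIONAL exchanges carry DPD; the trailing number is the message id.
INFO_RE = re.compile(r"(?:generating|parsed) INFORMATIONAL (request|response) (\d+)")

# Constructed sample, modelled on the lines quoted in the post above.
SAMPLE_LOG = [
    "May 4 14:57:21 charon 46137 09[IKE] <con2|12> sending DPD request",
    "May 4 14:57:21 charon 46137 09[ENC] <con2|12> generating INFORMATIONAL request 1585 [ ]",
    "May 4 14:57:21 charon 46137 09[NET] <con2|12> sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (80 bytes)",
    "May 4 14:57:21 charon 46137 02[NET] received packet: from Y.Y.Y.Y[500] to X.X.X.X[500]",
    "May 4 14:57:21 charon 46137 09[ENC] <con2|12> parsed INFORMATIONAL response 1585 [ ]",
    "May 4 14:57:21 charon 46137 09[IKE] <con2|12> nothing to initiate",
]

def parse_line(line):
    """Split one charon line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sa"] = rec["sa"] or "-"   # lines logged outside any IKE SA context
    return rec

def lines_by_subsystem(lines):
    """Counter of (ike-sa, subsystem): shows what kind of activity the log covers."""
    return Counter((r["sa"], r["sub"]) for r in map(parse_line, lines) if r)

def informational_exchanges(lines):
    """Map INFORMATIONAL message id -> set of {'request', 'response'} seen for it."""
    seen = {}
    for r in filter(None, map(parse_line, lines)):
        m = INFO_RE.search(r["msg"])
        if m:
            seen.setdefault(int(m.group(2)), set()).add(m.group(1))
    return seen

def unanswered_dpd(lines):
    """Message ids whose DPD request never saw a matching response in the log."""
    return sorted(mid for mid, kinds in informational_exchanges(lines).items()
                  if "response" not in kinds)

if __name__ == "__main__":
    print(lines_by_subsystem(SAMPLE_LOG))
    print(informational_exchanges(SAMPLE_LOG))
    print("unanswered DPD:", unanswered_dpd(SAMPLE_LOG))
```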