Netgate Discussion Forum
    I can ping both directions but only access servers one way...?

    Category: IPsec | 18 Posts | 2 Posters | 1.2k Views
      Gblenn @viragomann

      @viragomann Yes, site C being the pfSense side, the only thing to do there is to set the static route 172.168.1.0/24 to the IPSecVTI Gateway that was automagically created.

      [attached image: 32c84c45-f5fb-44aa-acc1-84269e7a8809-image.png]

      On Sophos it looks pretty similar and it's been quite obvious when setting this up a few times that whenever I forgot this part, I don't get near where I am now...

        Gblenn @Gblenn

        I have been trying to go through the logs in Sophos as well and everything I can find on that side shows green as in all packets are passed by the correct fw and nat rules for this.

          Gblenn @Gblenn

          When trying to log in via SSH on a Linux machine on Site C, I get the following...
          Similar to before, but it looks like there is a response initially from 192.168.1.31?

          [attached image: cadb9ec4-5d8f-45ea-a4be-6f9971facb9a-image.png]

            viragomann @Gblenn

            @Gblenn
            So even if the destination machine was sending an ACK, the SYN packet is re-transmitted.

            I'd suspect that the ACK packet does not arrive at the machine which initiated the connection. But why?

            BTW: I noticed that the LAN at A is a public network range.
            However, this shouldn't matter if the routes are added properly.

              Gblenn @viragomann
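The symptom being discussed above (a SYN that keeps being retransmitted even though a SYN-ACK was seen) is easiest to reason about when the capture is reduced to one verdict per connection attempt. The following Python script is an added diagnostic example and is not part of this thread: it parses tcpdump-style output and classifies each TCP handshake attempt, separating "no reply at all" from "reply seen but the initiator kept retransmitting". The capture lines are constructed (192.168.1.31 is the server mentioned in the thread; the 10.99.3.10 client is made up); the regex assumes tcpdump was run with -n.

```python
import re
from collections import defaultdict

# Matches the line shape tcpdump -n prints for IPv4 TCP (assumption: the capture was taken with -n).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Classification codes and what each one usually indicates.
MEANING = {
    "COMPLETED": "three-way handshake finished",
    "NO_SYNACK": "no SYN-ACK seen: the SYN is not reaching the server, or its reply is not reaching the capture point",
    "SYNACK_IGNORED": "SYN-ACK seen but the SYN was retransmitted afterwards: the initiator never accepted the reply",
    "INCOMPLETE": "SYN-ACK seen, final ACK missing",
}


def parse_line(line):
    """Return a dict with ts/src/sport/dst/dport/flags, or None for lines that are not IPv4 TCP packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
    return p


def classify(f):
    if f["ack"]:
        return "COMPLETED"
    if f["synack"] == 0:
        return "NO_SYNACK"
    if f["syn_after_synack"]:
        return "SYNACK_IGNORED"
    return "INCOMPLETE"


def analyze_handshakes(lines):
    """Group packets by (client, cport, server, sport) and classify every connection attempt."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0, "syn_after_synack": 0})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["flags"] == "S":                      # bare SYN from the initiator
            f = flows[(p["src"], p["sport"], p["dst"], p["dport"])]
            f["syn"] += 1
            if f["synack"]:                        # a SYN after the reply was already seen
                f["syn_after_synack"] += 1
        elif p["flags"] == "S.":                   # SYN-ACK from the server: key on the initiator's side
            flows[(p["dst"], p["dport"], p["src"], p["sport"])]["synack"] += 1
        elif p["flags"] == ".":                    # bare ACK; only the first one after a SYN-ACK counts
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if key in flows and flows[key]["synack"] and not flows[key]["ack"]:
                flows[key]["ack"] += 1
    return {key: classify(f) for key, f in flows.items()}


# Constructed capture (not from the thread): three SSH attempts from a made-up 10.99.3.10 client.
SAMPLE_CAPTURE = [
    "10:00:01.000000 IP 10.99.3.10.51234 > 192.168.1.31.22: Flags [S], seq 1000, win 64240, length 0",
    "10:00:02.000000 IP 10.99.3.10.51234 > 192.168.1.31.22: Flags [S], seq 1000, win 64240, length 0",
    "10:00:02.000500 IP 192.168.1.31.22 > 10.99.3.10.51234: Flags [S.], seq 5000, ack 1001, win 65160, length 0",
    "10:00:04.000000 IP 10.99.3.10.51234 > 192.168.1.31.22: Flags [S], seq 1000, win 64240, length 0",
    "10:00:10.000000 IP 10.99.3.10.51235 > 192.168.1.31.22: Flags [S], seq 2000, win 64240, length 0",
    "10:00:11.000000 IP 10.99.3.10.51235 > 192.168.1.31.22: Flags [S], seq 2000, win 64240, length 0",
    "10:00:13.000000 IP 10.99.3.10.51235 > 192.168.1.31.22: Flags [S], seq 2000, win 64240, length 0",
    "10:00:20.000000 IP 10.99.3.10.51236 > 192.168.1.31.22: Flags [S], seq 3000, win 64240, length 0",
    "10:00:20.000500 IP 192.168.1.31.22 > 10.99.3.10.51236: Flags [S.], seq 7000, ack 3001, win 65160, length 0",
    "10:00:20.001000 IP 10.99.3.10.51236 > 192.168.1.31.22: Flags [.], ack 1, win 502, length 0",
    "10:00:20.500000 ARP, Request who-has 10.99.3.1 tell 10.99.3.10, length 28",
]

if __name__ == "__main__":
    for (src, sport, dst, dport), code in analyze_handshakes(SAMPLE_CAPTURE).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {code} ({MEANING[code]})")
```

Where the capture is taken decides how to read a verdict: SYNACK_IGNORED on a capture from the initiating host itself is rare and points at that host, while the same verdict on a capture taken at the firewall means the reply was seen leaving but never made it back to the client, which is the asymmetric-path case suspected above.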

              @viragomann said in I can ping both directions but only access servers one way...?:

              @Gblenn
              So even if the destination machine was sending an ACK, the SYN packet is re-transmitted.

              It appears that way doesn't it... however having run the same test again several times I don't see the ACK coming back. So perhaps it was an anomaly?

              I'd suspect that the ACK packet does not arrive at the machine which initiated the connection. But why?

              BTW: I noticed that the LAN at A is a public network range.
              However, this shouldn't matter if the routes are added properly.

              Ah you are right, it is in the public IP range... I made the simplest possible change from 192 to 172 and I should have changed to 16 as well. But I don't suppose pfSense would care? And it's working towards site B anyway...

              I started thinking there was some sync issue since site A and C are connected via a switch. Site A is for testing purposes at the moment. But latency is below 1 ms when pinging between them. So I added a limiter in order to add a bit of latency to get it closer to what I have between the other sites, but that doesn't seem to change things.

                Gblenn @Gblenn
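Two routing points come up in this exchange: the static route for the remote LAN via the automatically created VTI gateway, and site A's LAN sitting in 172.168.1.0/24, which is public address space rather than the 172.16.0.0/12 block. The Python below is an added example, not from the thread or from pfSense: a longest-prefix route lookup over a constructed table shows that without the VTI static route a public-looking prefix simply follows the default route out of the WAN, and a plan check flags site LANs that are outside RFC 1918 or overlap each other. The gateway names (WAN_GW, IPsecVTI_GW) and the 10.99.3.0/24 site C LAN are constructed placeholders.

```python
import ipaddress

# The three RFC 1918 blocks; a site-to-site tunnel is normally expected to carry only these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if the whole prefix lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(str(cidr), strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def lookup(routes, dest):
    """Longest-prefix match of dest against routes, a list of (cidr, gateway_name).
    Returns the gateway name, or None if nothing matches."""
    ip = ipaddress.ip_address(dest)
    best_net, best_gw = None, None
    for cidr, gw in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


# Constructed routing table for the pfSense side (site C): default route via WAN plus the local LAN.
BASE_ROUTES = [("0.0.0.0/0", "WAN_GW"), ("10.99.3.0/24", "LAN")]
# The static route the thread describes: the remote LAN via the VTI gateway (gateway name is a placeholder).
VTI_ROUTE = ("172.168.1.0/24", "IPsecVTI_GW")


def check_plan(lan_cidrs):
    """lan_cidrs: {site_name: cidr}. Returns human-readable problems:
    LANs outside RFC 1918 space and LANs that overlap each other."""
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in lan_cidrs.items()}
    problems = [f"site {name}: {net} is not RFC 1918 space"
                for name, net in nets.items() if not is_rfc1918(net)]
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"sites {a}/{b}: {nets[a]} overlaps {nets[b]}")
    return problems


if __name__ == "__main__":
    for table, label in ((BASE_ROUTES, "without VTI route"), (BASE_ROUTES + [VTI_ROUTE], "with VTI route")):
        print(f"{label}: 172.168.1.31 -> {lookup(table, '172.168.1.31')}")
    for p in check_plan({"A": "172.168.1.0/24", "C": "10.99.3.0/24"}):
        print("plan check:", p)
```

The lookup is why the public range "shouldn't matter if the routes are added properly": the /24 static route is more specific than the default and wins, so traffic for 172.168.1.0/24 enters the tunnel. Without that route the same traffic leaves via the WAN towards whoever actually holds that public block, and the plan check is there to catch the typo before a tunnel is built on it.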

                I have sort of given up on getting this to work, for now at least. Ended up deploying Wireguard on a VM on the Sophos LAN and have a connection going that way instead...

                  Gblenn @Gblenn

                  @viragomann
                  So this is definitely a 24.03 thing since a change to 2.7.2 solved the issue immediately... No change in the configuration on either side, just a switch to CE.
                  And I guess I have to see if the patches I just found out about for IPsec VTI will fix the issue.

                    Gblenn @Gblenn

                    And now it's working also on 24.03 after implementing patches for Redmine #15449, #15430 and #15606...

                      viragomann @Gblenn

                      @Gblenn
                      Great info. Thanks.
                      I never had this issue, even running multiple IPSec site-to-site connections to other routers than pfSense and didn't apply IPSec patches.

                        Gblenn @viragomann

                        @viragomann Well, first time I have used IPSec since Sophos doesn't do WG...

                        One thing to note though, this is a Routed VTI connection, which is different from "Tunnel IPv4" that you have as the default Mode in pfSense...

                          viragomann @Gblenn

                          @Gblenn
                          Ah ya, you mentioned that above.
                          I never set up a VTI to be honest, I just have some small knowledge about it from the docs.

                            Gblenn @viragomann

                            @viragomann Well, since I couldn't get the default one to work, I tried VTI and it worked. Not sure what I did wrong with the other method but I did find VTI a bit more like the WG tunnels I have set up in the past. With the gateway and routing settings at least...

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.