Ipsec between 2 sites
-
Hi there,
I am not understanding how this happens, but I thought that when you created an IPSEC VPN connection between 2 PFSENSE beta 3 boxes all traffic is routed.
Box A 192.168.2.0/24 PFSENSE is 192.168.2.1
Box B 192.168.3.0/24 PFSENSE is 192.168.3.1
From the pfsense interface I can ping LAN 192.168.3.1 and the ping comes back successful, but if I try to ping from any other machine in my Box A network to that same address I can't get through, and in the firewall logs I see the default rule blocking the ping.
Are the rules controlling the ports between IPSEC connections?
Thanks
-
Rules are applied on incoming connections. IPSEC however is not filterable, so the only way you can get a block for this traffic is by a rule at the LAN side where the traffic is entering the pfSense to be sent out via IPSEC. Check your rules. Did you allow the ICMP protocol?
-
Uhmm. I read your statement 3 times & I am not quite sure I understand it.
"Rules are applied on incoming connections."
Can we expand on this one? I have a rule in Box A in the LAN section that says only ICMP within the LAN subnet. I have an IPSEC tunnel between Box A & Box B. I ping from Box A to Box B. Ping refused because of the LAN rules. In Box B I have default LAN rules, so if I ping to A it works.
Got it. So in the LAN I should give the OK for ICMP to both subnets, not only the LAN one; I guess by creating an Alias of subnets.
So basically IPSEC follows the LAN rules per site instead of having its own rule set.
-
LAN A------------------LAN/pfSenseA/IPSEC-----------------------IPSEC/pfSenseB/LAN---------------LAN B
Don't get confused that it looks like a separate interface up there. IPSEC is completely transparent between the two pfSenses once established; it doesn't even cross the WAN interfaces (seen from the packet filter's view).
As I said, you can only control incoming connections on an interface. So the rules at the LAN interface of pfSenseA determine what can move over the IPSEC to pfSenseB. pfSenseB can't block connections incoming over IPSEC as it's not an interface seen by the packet filter. The same applies for the other direction. Rules at the LAN interface of pfSenseB can pass/block traffic going through the IPSEC to pfSenseA only.
I hope this makes it a bit clearer.
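As an added example, not posted by anyone in this thread: the LAN rule set on pfSenseA from the posts above, written in pf.conf syntax (pfSense generates these rules from the GUI; the macro and interface names are assumed), with the subnet-only rule that blocked the pings beside the corrected rule that also covers the remote LAN.

```pf
# Assumed macros (illustrative names, not from the thread)
lan_if  = "em1"
lan_net = "192.168.2.0/24"

# Default deny: this is the rule the firewall log showed matching the pings.
block in log on $lan_if all

# Original rule: ICMP only within the local subnet.
# A ping from a LAN A host to 192.168.3.x enters on $lan_if, matches
# nothing here, and falls back to the block above. It never reaches
# the tunnel, because IPSEC is not an interface the filter sees.
# pass in quick on $lan_if inet proto icmp from $lan_net to $lan_net

# Corrected rule: an alias (pf table) holding both site LANs, so ICMP
# destined for LAN B is passed on the LAN interface and then carried
# transparently over the IPSEC tunnel to pfSenseB.
table <site_lans> { 192.168.2.0/24, 192.168.3.0/24 }
pass in quick on $lan_if inet proto icmp from $lan_net to <site_lans>
```

The mirror-image rule belongs on pfSenseB's LAN interface, since that is the only place traffic from LAN B towards LAN A can be filtered.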