Something not quite right about IPsec…
-
Here is the setup:
192.168.102.0/24 <-> Pfsense1 (84.83.82.81) <-> INET <-> (20.21.22.23) Pfsense2 <-> 192.168.1.0/24
I have setup the IPsec tunnels on both ends, IPsec status shows the appropriate entries as expected.
Pfsense1 can ping the 192.168.1.0/24 network from its LAN interface.
Pfsense2 can ping the 192.168.102.0/24 network from its LAN interface.This suggests that the tunnel is established, up and running. However, when hosts on the 192.168.1.0/24 network try and ping hosts on the 192.168.102.0/24 network the ping times out.
When I try a traceroute from the 192.168.1.0/24 network, traffic leaves the WAN interface of Pfsense2 and starts hitting ISP routers to a certain point before timing out / getting blocked. Surely traffic destined for that network should be encrypted and therefore we should only see one hop before getting to the 192.168.102.0/24 network (pfsense2 LAN address).
Any input would be greatly appreciated.
Thanks
-
Are you using multiwan/loadbalancing? If yes you need some rules on top of your multiwanrules to exclude the ipsec destination subnets from the loadbalancing.
-
We are making use of multi-wan. That fixed my problem. Thanks :)
-
Good guess ;D