Tunnel established but no traffic passes
-
I just configured a pfSense-to-pfSense IPsec tunnel. I am able to get the link to authenticate and establish a tunnel, but I am not able to get any packets to traverse the network. I've only tried pings and ssh, but nothing is visible from either end to the other.
I have checked the IPsec, System and Firewall logs and there is nothing logged that indicates any problems. Firewall logs show nothing regarding the IPs involved, IPsec logs no errors, and the system logs show no activity either.
So I'm feeling like there must be something very basic that I am overlooking, not seeing or failed to configure. Can anyone shed some light on this problem?
Both systems are 1.2-RELEASE.
Here is some data on the topography as shown in IPsec SPD (I have sanitized public IPs):

| Source | Destination | Direction | Protocol | Tunnel endpoints |
|---|---|---|---|---|
| 10.2.200.0/24 | 192.168.1.0/24 | --> | ESP | x.x.xx.131 - xx.xxx.xx.110 |
| 192.168.1.0/24 | 10.2.200.0/24 | <-- | ESP | xx.xxx.xx.110 - x.x.xx.131 |

Here's the security association under IPsec SA:

| Source | Destination | Protocol | SPI | Enc. alg. | Auth. alg. |
|---|---|---|---|---|---|
| xx.xxx.xx.110 | x.x.xx.131 | ESP | 040acbd8 | aes-cbc | hmac-md5 |
| x.x.xx.131 | xx.xxx.xx.110 | ESP | 058402f0 | aes-cbc | hmac-md5 |

Thanks all
-
Did you go to firewall, rules, IPsec and create rules to allow your traffic?
-
Nope. And that was the kind of silly thing I was hoping I overlooked!
Thanks so much.
-
I would like to be even more silly… :P
I have the exact same problem. If I click on Firewall -> Rules, and then click on the + to add a new rule, what do I need to do in order to allow IPsec traffic through?
Thanks,
-John
-
The IPsec traffic is passed 'behind the scenes', so you don't need to do anything on the WAN side.
The tunnel itself is comparable to a physical interface, so you need to create rules to pass the traffic you need between sites. If it's a simple branch office you can go the insecure route and create an allow any protocol, any source, any destination rule. You probably want to only allow access to specific machines/services though.
-
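The reply above describes two separate things pfSense checks before traffic crosses the tunnel: the Phase 2 SPD (which subnets the tunnel carries at all) and the rules on the Firewall -> Rules -> IPsec tab (which decrypted packets from the tunnel are then allowed in). The following is an added illustration, not code from the thread or from pfSense, that models both checks in Python so the three situations discussed (no rule at all, the permissive any/any rule, and a restricted ruleset) can be compared. The SPD entries are the sanitized ones posted above; the rulesets, host addresses and the `Packet`/`Rule` helpers are constructed for this example, and the first-match, default-deny evaluation is how pfSense rule tabs behave.

```python
# Added illustration (not from the thread or pfSense): models how pfSense decides
# whether a packet arriving from the remote end of an IPsec tunnel is passed.
# Two independent checks apply: the Phase 2 SPD (what the tunnel carries) and
# the firewall rules on the IPsec tab (first match wins, implicit default deny).
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "icmp", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One rule on the IPsec tab; '*' means any, as in the pfSense GUI."""
    action: str                 # "pass" or "block"
    proto: str = "*"
    src: str = "*"              # CIDR or '*'
    dst: str = "*"              # CIDR or '*'
    dport: str = "*"            # '*', a single port, or 'low-high'


# Phase 2 selectors taken from the SPD posted in the thread (sanitized).
SPD = [
    ("10.2.200.0/24", "192.168.1.0/24"),
    ("192.168.1.0/24", "10.2.200.0/24"),
]


def _net_match(pattern: str, addr: str) -> bool:
    if pattern == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern: str, port: Optional[int]) -> bool:
    if pattern == "*":
        return True
    if port is None:            # rule names a port but the packet has none (ICMP)
        return False
    low, _, high = pattern.partition("-")
    return int(low) <= port <= int(high or low)


def spd_selects(pkt: Packet, spd=SPD) -> bool:
    """True if a Phase 2 entry covers this src/dst pair, i.e. the tunnel carries it."""
    return any(_net_match(s, pkt.src) and _net_match(d, pkt.dst) for s, d in spd)


def ipsec_tab_verdict(pkt: Packet, rules) -> str:
    """First matching rule wins; with no match the implicit default is deny."""
    for r in rules:
        if (r.proto in ("*", pkt.proto)
                and _net_match(r.src, pkt.src)
                and _net_match(r.dst, pkt.dst)
                and _port_match(r.dport, pkt.dport)):
            return r.action
    return "block"


def tunnel_verdict(pkt: Packet, rules) -> str:
    """Outcome for a packet arriving from the remote side of the tunnel."""
    if not spd_selects(pkt):
        return "not-tunneled"   # never reaches the IPsec tab at all
    return ipsec_tab_verdict(pkt, rules)


# Three constructed rulesets for the IPsec tab.
NO_RULES = []                                   # the original poster's situation
ANY_ANY = [Rule("pass")]                        # the permissive branch-office rule
RESTRICTED = [                                  # only what the remote site needs
    Rule("pass", "icmp", "192.168.1.0/24", "10.2.200.0/24"),
    Rule("pass", "tcp", "192.168.1.0/24", "10.2.200.10/32", "22"),
]

if __name__ == "__main__":
    ping = Packet("192.168.1.20", "10.2.200.10", "icmp")
    ssh = Packet("192.168.1.20", "10.2.200.10", "tcp", 22)
    ssh_other = Packet("192.168.1.20", "10.2.200.11", "tcp", 22)
    for name, rules in (("no rules", NO_RULES), ("any/any", ANY_ANY), ("restricted", RESTRICTED)):
        print(f"{name:10} ping={tunnel_verdict(ping, rules)} "
              f"ssh->.10={tunnel_verdict(ssh, rules)} ssh->.11={tunnel_verdict(ssh_other, rules)}")
```

With `NO_RULES` every packet that the SPD selects is still blocked, which is exactly the symptom in the first post: the SA is up and nothing is logged as an error, but the IPsec tab has no pass rule. The `RESTRICTED` set shows the per-host, per-service shape the reply recommends over any/any.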
I added this firewall rule to pfSense:
proto: *
src: *
port: *
dest: *
gateway: *

And still cannot get traffic to go through. A tracert on the server behind pfSense cannot get to the server behind the FortiGate 300A. All I see is * * * Request timed out. On the server behind the FGT, if I do a tracert to the server behind the pfSense, traffic still goes out our main interface, instead of the interface that is directly connected to the pfSense box. I tried adding a static route on the FGT but must be doing it wrong.
Does anyone have IPsec running between pfSense and a FortiGate?
Thanks,
-John
-
I have this working one way now. The server from behind the pfSense box can map drives, copy files, remote desktop to a server behind the FortiGate. So if that server initiates the connection everything works. However, if the server from behind the FortiGate tries to initiate a connection it does not work.
By looking at a tracert, it appears that once the packet gets to the Fortigate, it does not know where to go. I just get "Request timed out".
I think it is a FortiGate routing issue and I am going to keep fiddling with it. ???
-John