Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    1.2.3 RC3 - IPSEC works for clients, pf box unable to ping other end of tunnel

    Scheduled Pinned Locked Moved 1.2.3-PRERELEASE-TESTING snapshots - RETIRED
    3 Posts 2 Posters 2.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      darkpixel
      last edited by

      I have a fairly simple setup.
      Main office has a SonicWALL (10.1.1.254/24)
      Satellite office has a newly installed pfSense box (10.5.10.254/24)

      I set the pfSense box up in place of an old SonicWALL.  Everything is working normally.  Clients on both networks can communicate without problems.

      The strange thing I am seeing is that the pfSense box (10.5.10.254) can't talk to anything in 10.1.1.0/24.

      Looking at the routing table on the pfsense box, I don't see anything for 10.1.1.0/24 even though clients are able to access resources in 10.1.1.0/24

      This is my first IPSEC VPN setup.  Once all the SonicWALLs have been replaced with pfSense boxes, I want to switch back to OpenVPN.

      Is this normal for IPSEC?  Did I find a bug in 1.2.3-RC3?

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        IPsec doesn't route like other protocols. The magic all happens in the kernel, you'll never see the "routes".

        You have two choices to get traffic to move along the tunnel from the pfSense box itself. The first is to add a static route on the LAN interface pointing the remote subnet to the LAN interface IP. That will "trick" traffic into entering the tunnel.

        If you're just worried about ping, you can try:
        ping -S <pfsense lan="" ip=""><remote ip="" address="">That will source the ping from the LAN IP, which will enter the tunnel as expected.

        Much of this is covered in the doc wiki
        http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP%2C_use_syslog%2C_NTP%2C_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F</remote></pfsense>

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • D
          darkpixel
          last edited by

          Thanks for the pointer–I totally missed that doc on my first trip through the FAQ.
          Not being a BSD guy, I couldn't remember the darn ping flag to send traffic through the LAN interface.

          SonicWALLs suffer from this exact same problem....I wonder what they use as their base OS... ;)

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.