One Way Traffic on Site-to-Site IPSEC (Both pfSense Endpoints)
-
Hi.
I have 2 pfSense boxes (4 really, but using CARP!! ;D) with a site-to-site IPsec tunnel. I followed the tutorial here:
http://mirror.qubenet.net/mirror/pfsense/tutorials/mobile_ipsec/
Twice, no less….. but traffic will only flow from the VPN client to the server, not vice versa.
Can anybody lend a hand?
Thanks
Dave
-
What's the gateway on the server? If you are using a second gateway for its primary then you might need to add a static route pointing to the vpn for the other network.
Or
Try adding a route (I am going to assume this is Windows):
route add <network ip, e.g. 10.10.10.0> mask <netmask> <vpn gateway>
See if that gets you the ping response.
-
Not that it's necessarily related, but if it's site-to-site then why are you using a mobile tunnel? Is one side on a dynamic IP?
Typically, if traffic only flows in one direction there are two culprits:
#1: As maelstrom said, make sure the gateways on both sites are set to their respective pfSense routers (probably the CARP address, to be specific).
#2: The IPsec firewall rules may not be set properly on one side (Firewall > Rules, IPsec tab).
It might help to know what you mean by "traffic only flows one way": does that mean the client can actually get a reply from the server?
If you can ping from Client -> Server and get a reply from Server -> Client, but initiating the connection the other way (Server -> Client) does not work, then my #1 suspect would be firewall rules.
If, however, you ping from Client -> Server, and you see the ping get there, but the reply doesn't make it back to the Client PC, then that would suggest a gateway issue.
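The two-way split above (request never forwarded = IPsec-tab firewall rules; reply leaves the host but never re-enters the tunnel = gateway/static route) can be checked mechanically from a capture on the server-side pfSense. This is an added example, not code from the thread: it assumes simplified tcpdump-style lines prefixed with the interface name, `enc0` for decrypted IPsec traffic and a constructed LAN name `em1`, with constructed addresses.

```python
import re
from typing import Iterable

# Constructed, simplified tcpdump-style lines (as from `tcpdump -ni enc0` and
# the LAN interface on the server-side pfSense); the interface-name prefix is
# added here for illustration and is not tcpdump's own output format.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+IP\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
    r"\s+ICMP echo (?P<kind>request|reply)"
)

def parse(lines: Iterable[str]) -> set:
    """Return the set of (iface, src, dst, kind) tuples seen in the capture."""
    seen = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            seen.add((m["iface"], m["src"], m["dst"], m["kind"]))
    return seen

def diagnose(lines, client, server, lan="em1", ipsec="enc0") -> str:
    """Classify a Client -> Server ping the way the post describes:
    request seen on enc0 but never on the LAN -> dropped by this box's
    IPsec-tab rules; reply seen on the LAN but never on enc0 -> the server
    host sent it to the wrong gateway (gateway / static route problem)."""
    seen = parse(lines)
    req_in = (ipsec, client, server, "request") in seen
    req_fwd = (lan, client, server, "request") in seen
    rep_lan = (lan, server, client, "reply") in seen
    rep_out = (ipsec, server, client, "reply") in seen
    if not req_in:
        return "request never arrived through the tunnel: check phase 2 / the remote side"
    if not req_fwd:
        return "request dropped on this box: check Firewall > Rules, IPsec tab"
    if not rep_lan:
        return "server host never replied: host firewall or the server itself"
    if not rep_out:
        return "reply not routed back into the tunnel: fix server gateway / add static route"
    return "ping succeeds in this direction; test the other direction"

# Constructed sample: request arrives and is forwarded, the host replies on
# the LAN, but the reply is never seen on enc0 (it left via the default gateway).
SAMPLE = [
    "enc0 IP 10.10.10.5 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64",
    "em1 IP 10.10.10.5 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64",
    "em1 IP 192.168.1.10 > 10.10.10.5: ICMP echo reply, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE, client="10.10.10.5", server="192.168.1.10"))
```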
-
Thanks for the suggestions. I'll give them both a go when the users leave for the night and post back.
Thanks again.
Dave