    Site to Site IPsec VPN

    soyer38301

      Good morning,

      I am a newbie to pfSense and need a little help with a site-to-site VPN. Both ends are pfSense 1.2.3.

      It looks like I have the tunnel established, as it is showing up under the Status > IPsec overview page.

      The subnet at site A (DMZ) is 172.16.1.0/24 and at site B (LAN) it is 172.16.2.0/24. Site B has only two physical interfaces, WAN and LAN, while site A has three: WAN, LAN and DMZ.

      From the Diagnostics menu I can ping from site A to a host in site B using the DMZ interface, and from site B to a host in site A using the LAN interface. When trying from the LAN interface at site A I get strange routing:

      PING 172.16.2.221 (172.16.2.221) from 10.5.1.1: 56 data bytes
      92 bytes from 198-178-12-5.denver.co.biz.comcast.net (198.178.12.5): Time to live exceeded
      Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
      4  5  00 5400 78f3  0 0000  01  01 86c3 10.5.1.1  172.16.2.221

      (10.5.1.1 is the IP of the LAN interface at site A.) I also get this same routing issue if I try to traceroute from a host on the LAN at site A. I also cannot ping from a host on the site A DMZ to any host in site B.

      In the IPsec setup I have selected the "network" option for the local subnet, since there is no DMZ option. Could this be where I have gone wrong?

      Any guidance would be appreciated.

      Thank you.
      Scott Oyer

      XIII

        You can't access networks over a VPN from pfSense itself by default; it looks like that's what you are doing.

        Try from another computer.

        -Chris Stutzman
        Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
        Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
        freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
        Check out the pfSense Wiki

        soyer38301

          It does not matter whether it is from pfSense or from a workstation on my LAN here at site A: I cannot connect to site B via the IPsec VPN.

          Scott

          XIII

            Post your config/firewall rules (black out the first two octets of every IP address for your security).

            -Chris Stutzman
            Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
            Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
            freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
            Check out the pfSense Wiki

            spiritbreaker

              Hi,

              There is only a tunnel between site A 172.16.1.0/24 and site B (LAN) 172.16.2.0/24!

              The ping failed because of the missing tunnel. IPsec is not routed.

              You need to add a parallel tunnel on both sites for the network 10.5.1.0.

              Site A 10.5.1.0/24 (LAN) <--> site B (LAN) 172.16.2.0/24

              If you want to route VPN traffic, use OpenVPN.

              > You can't access networks over a VPN from pfSense itself by default; it looks like that's what you are doing.

              Yes, that's caused by the FreeBSD IPsec implementation.

              You need to set the source IP (interface), or you need to define a static route.

              Remember the LAN IP must match the tunnel definition to work.

              ping -S <lan ip>

              cya

              pfSense running at 11 locations
              - mobile OpenVPN and IPsec
              - multi-WAN failover
              - filtering proxy (SquidGuard) in bridge mode with ntop monitoring

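The point of the last reply is that pfSense 1.2.3 IPsec is policy based: a packet only enters the tunnel when its source and destination match one of the configured Phase 2 selectors, otherwise it follows the ordinary routing table, which for a WAN-connected box means the default gateway (hence the "Time to live exceeded" from an upstream ISP router in the first post). The model below is an added example written for this thread, not code from pfSense or from any poster. It reproduces the thread's three cases (DMZ source works, LAN source falls off the tunnel, a parallel Phase 2 fixes it) and checks that the new entry is mirrored on the far side, since the reply says it has to be added on both sites. The site A WAN address 203.0.113.1 and the site B LAN address 172.16.2.1 are constructed placeholders; the other addresses come from the thread.

```python
"""Policy-based IPsec selector model (added example; not from the thread)."""
from ipaddress import ip_address, ip_network

# Phase 2 entries on site A as the thread describes them: (local subnet, remote subnet).
PHASE2_A_ORIGINAL = [("172.16.1.0/24", "172.16.2.0/24")]
# The parallel tunnel the last reply recommends, added alongside the original one.
PHASE2_A_FIXED = PHASE2_A_ORIGINAL + [("10.5.1.0/24", "172.16.2.0/24")]

# Site B mirrors each entry (local and remote swapped). Only the original one exists
# until the admin adds the second entry "on both sites".
PHASE2_B_ORIGINAL = [("172.16.2.0/24", "172.16.1.0/24")]
PHASE2_B_FIXED = PHASE2_B_ORIGINAL + [("172.16.2.0/24", "10.5.1.0/24")]

# Site A interface addresses. WAN address is a constructed placeholder (TEST-NET-3).
SITE_A_IFACES = {"wan": "203.0.113.1", "lan": "10.5.1.1", "dmz": "172.16.1.1"}
SITE_B_HOST = "172.16.2.221"   # the host pinged in the first post


def matches_selector(src, dst, local_net, remote_net):
    """True if src/dst fall inside a Phase 2 (local, remote) selector pair."""
    return (ip_address(src) in ip_network(local_net)
            and ip_address(dst) in ip_network(remote_net))


def select_path(src, dst, phase2):
    """'ipsec' if the packet matches any Phase 2 selector, else 'default-route'.

    This is the whole story behind the TTL-exceeded reply: a LAN-sourced packet
    that matches no selector is simply routed out the WAN toward the ISP."""
    for local_net, remote_net in phase2:
        if matches_selector(src, dst, local_net, remote_net):
            return "ipsec"
    return "default-route"


def tunnelled_sources(dst, iface_ips, phase2):
    """Which pfSense interface addresses, used as the ping source (ping -S),
    would put a ping to dst into the tunnel under this Phase 2 config."""
    return sorted(ip for ip in iface_ips.values()
                  if select_path(ip, dst, phase2) == "ipsec")


def missing_mirrors(phase2_local, phase2_remote):
    """Phase 2 entries on one site with no swapped counterpart on the other.

    A one-sided entry means traffic is encapsulated on one end and dropped on the
    other, so this check is the first thing to run after adding a parallel tunnel."""
    remote_pairs = {(l, r) for l, r in phase2_remote}
    return [(l, r) for l, r in phase2_local if (r, l) not in remote_pairs]


if __name__ == "__main__":
    for label, p2 in (("original", PHASE2_A_ORIGINAL), ("fixed", PHASE2_A_FIXED)):
        for name, ip in SITE_A_IFACES.items():
            print(f"{label:8} {name:3} {ip:>13} -> {SITE_B_HOST}: {select_path(ip, SITE_B_HOST, p2)}")
    print("site A entries not mirrored on B (before fix):",
          missing_mirrors(PHASE2_A_FIXED, PHASE2_B_ORIGINAL))
    print("site A entries not mirrored on B (after fix): ",
          missing_mirrors(PHASE2_A_FIXED, PHASE2_B_FIXED))
```

Run it as-is to see the three thread cases side by side. The `tunnelled_sources` result is what `ping -S <lan ip>` from the last reply is really selecting: with the original config only the DMZ address is a valid source for a pfSense-originated ping, and the WAN address (which the kernel picks by default) never is, whichever Phase 2 entries exist.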