Netgate Discussion Forum
    Cannot reach hosts across pfSense site to site ipsec tunnel

    or385rls

      I am sure that this is something glaringly wrong with my setup, as this should be the bread and butter of an IPsec site-to-site tunnel.

      I have two pfSense firewalls, both directly connected to the internet with one unique NATed LAN subnet behind each. I have an IPsec tunnel between site 1 and site 2 and can successfully ping the opposite end of the tunnel from any device at either site. Both pfSense boxes are running 2.1RC2.

      I cannot, however, ping other devices on the other subnet other than the pfSense device. There are no errors in the logs, and the IPsec status tabs show that things are up and happy; in fact it shows data in the counters on the SAD tab.

      Site 1 Phase 2 shows:
      Mode    Local Subnet  Remote Subnet   P2 Protocol  P2 Transforms  P2 Auth Methods
      tunnel  LAN           192.168.2.0/24  ESP          AES (auto)     SHA1

      Site 2 Phase 2 shows:
      Mode    Local Subnet  Remote Subnet   P2 Protocol  P2 Transforms  P2 Auth Methods
      tunnel  LAN           192.168.0.0/24  ESP          AES (auto)     SHA1

      On both ends there is a route that points the remote subnet to the LAN IP which is the end of the ipsec tunnel.

      Traceroute from one end to the other pfSense shows:
      Tracing route to 192.168.2.1 over a maximum of 30 hops

        1     1 ms     1 ms     1 ms  192.168.0.1
        2    39 ms    39 ms    39 ms  192.168.2.1

      Trace complete.

      To a host, however, it shows:
      Tracing route to 192.168.2.251 over a maximum of 30 hops

        1     1 ms     1 ms     1 ms  192.168.0.1
        2     *        *        *     Request timed out.
        3     *        *        *     Request timed out.
        4     *        *        *     Request timed out.
        5     *        *        *     Request timed out.

      Any thoughts on what to check to get this working properly?

        rtr

        Did you allow the ICMP traffic on the VPN tunnel? I think I remember having to do that, in addition to allowing it on the "real" interfaces (inside/outside).

          kejianshi

          ICMP could also be blocked by the host firewall.

            dcrnac

            +1 here.

            Version 2.1, tunnel UP.

            pfSense1 LAN 192.168.0.5/24
            pfSense2 LAN 192.168.1.1/24

            Site 1 LAN subnet 192.168.0.0/24

            Site 2 LAN subnet 192.168.1.0/24

            Can ping pfSense LAN IPs on both sides but can't ping HOSTS;
            didn't add any static routes though.

            Firewall -> Rules -> IPsec -> ANY

              georgeman

              IPsec on FreeBSD is directly attached to the kernel; you don't need or have to add static routes.

              Remember that once the tunnel is up, it behaves like any other interface, so you need to add rules to allow incoming traffic on each end.

              If it ain't broke, you haven't tampered enough with it

                kejianshi
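As an added example (not code from this thread or from pfSense itself), a small Python model of the two things the replies above point to: the Phase 2 selectors at both ends must mirror each other (which is what puts traffic into the tunnel without any static route), and a rule on the IPsec tab must pass the traffic once it leaves the tunnel at the far end. The class names, the `diagnose` function and the sample rule are assumptions; the subnets are the ones posted above.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Phase2:
    """One pfSense Phase 2 entry: the local/remote traffic selectors."""
    local: str
    remote: str

@dataclass
class IPsecRule:
    """Simplified IPsec-tab firewall rule: protocol, source net, destination net."""
    proto: str
    src: str
    dst: str

# Phase 2 entries as posted above (Site 1 LAN 192.168.0.0/24, Site 2 LAN 192.168.2.0/24).
SITE1_P2 = Phase2(local="192.168.0.0/24", remote="192.168.2.0/24")
SITE2_P2 = Phase2(local="192.168.2.0/24", remote="192.168.0.0/24")

def p2_mirrored(a: Phase2, b: Phase2) -> bool:
    """Both ends must describe the same two networks, with local/remote swapped."""
    net = ipaddress.ip_network
    return net(a.local) == net(b.remote) and net(a.remote) == net(b.local)

def selector_matches(p2: Phase2, src: str, dst: str) -> bool:
    """Only traffic matching local -> remote is put into the tunnel; no static route is involved."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(p2.local)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(p2.remote))

def ipsec_tab_allows(rules, proto: str, src: str, dst: str) -> bool:
    """Traffic leaving the tunnel is filtered by the IPsec tab; with no matching pass rule it is dropped."""
    return any(
        r.proto in (proto, "any")
        and ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
        and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
        for r in rules)

def diagnose(src: str, dst: str, proto: str, near_p2: Phase2, far_p2: Phase2, far_rules) -> str:
    """Walk one packet from a near-side host through the checks the replies above describe."""
    if not p2_mirrored(near_p2, far_p2):
        return "phase 2 selectors do not mirror each other"
    if not selector_matches(near_p2, src, dst):
        return "packet outside the local Phase 2 selector, not tunnelled"
    if not ipsec_tab_allows(far_rules, proto, src, dst):
        return "dropped by the remote IPsec tab (no matching pass rule)"
    return "ok"
# Constructed: the rule dcrnac's post describes, Firewall -> Rules -> IPsec -> ANY.
ANY_RULE = IPsecRule(proto="any", src="0.0.0.0/0", dst="0.0.0.0/0")
```

With an empty IPsec tab the ping to 192.168.2.251 is reported as dropped at the far end, and with the ANY rule it passes. The host's own firewall (kejianshi's point) is a separate check this model does not cover.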

                And, if possible, OpenVPN would be a step up… unless there is something that prevents it.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.