Netgate Discussion Forum
IPSec Site-to-Site - Green - but no traffic

6 Posts 2 Posters 8.6k Views

prandall
last edited by Oct 2, 2012, 2:48 PM

    I'm quite a noob with IPSec. I am trying to set up a site to site VPN. But I think I am missing something.

    The tunnel connects showing the green arrow but no traffic is going over the tunnel.

    I am using version 2.01

    This is my network topography

    Site A:
    Client PC 192.168.11.199
    pfSense LAN 192.168.11.1
    pfSense WAN 107.XX.XX.195 ( Static IP ) DG is 107.XX.XX.193
    Cablevision Router 107.XX.XX.193

    Site B:
    Comcast Modem/Router WAN 69.XX.XX.109
    Comcast Modem/Router LAN 10.1.10.1
    pfSense WAN 10.1.10.16 DG is 10.1.10.1
    pfSense LAN 192.168.12.1
    Client PC 192.168.12.199 ( No actual client connected yet)

    I don't know what to post from IPSec; the tunnel connects, but the SAD tab shows no data.

    Phase 1 and Phase 2 seem to connect.

    I added Firewall rules under IPSEC Tab as follows:

    Proto: TCP
    Source *
    Port *
    Destination: LAN Net
    Port *
    Gateway *
    Queue none
    Schedule
    Description

    So, I don't know if there is something else I need to do. I try to ping from pfSense site B to the client on site A and get nothing.

    Do I need to setup a Gateway and route?

    Completely frustrated, been working on this for a week.

    Thanks in advance for help.

    podilarius
    last edited by Oct 2, 2012, 3:26 PM

      Sounds like the tunnel is connecting, but you forgot to add the allow rules in the firewall. There is an IPSEC or OpenVPN tab in the firewall rules where you need to add an allow rule. It needs to be rather open if it is for road warriors, and can be closed to just the remote subnets if it is a site-to-site.

      prandall
      last edited by Oct 3, 2012, 11:19 AM

        If you are referring to the firewall rules under the IPSec tab, I think that is what I listed at the bottom of the post.

        podilarius
        last edited by Oct 3, 2012, 12:25 PM

          Yes, your rule states TCP, yet you are trying with a ping, which is the ICMP protocol. So the firewall is blocking it.
          To test, change the protocol from TCP to any and retest with ping, or add a rule for ICMP:any.

          prandall
          last edited by Oct 3, 2012, 1:07 PM
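To make the protocol mismatch concrete, here is a small Python model, added here and not pfSense's own code, of first-match rule evaluation on the IPsec tab using the subnets from the thread; the rule sets, the hypothetical evaluate() helper and the test addresses are constructed for illustration and simplify pfSense's real rule semantics.

```python
import ipaddress

# Added example (not pfSense code): a minimal first-match model of a pfSense
# rule tab. Each rule names an action, an IP protocol ("any" matches all), a
# source and a destination; "*" means any address. No matching rule means
# default deny, which is how an empty IPsec tab behaves for tunnel traffic.
LAN_NET = ipaddress.ip_network("192.168.11.0/24")     # site A LAN (from the thread)
REMOTE_NET = ipaddress.ip_network("192.168.12.0/24")  # site B LAN (from the thread)

def _addr_matches(selector, addr):
    return selector == "*" or ipaddress.ip_address(addr) in selector

def evaluate(rules, proto, src, dst):
    """Return the action of the first matching rule, or 'block' if none match."""
    for rule in rules:
        if rule["proto"] not in ("any", proto):
            continue
        if not (_addr_matches(rule["src"], src) and _addr_matches(rule["dst"], dst)):
            continue
        return rule["action"]
    return "block"

# 1. The IPsec-tab rule as originally posted: TCP only, any source, LAN net dest.
TCP_ONLY = [{"action": "pass", "proto": "tcp", "src": "*", "dst": LAN_NET}]

# 2. The quick fix suggested above: protocol any.
ANY_PROTO = [{"action": "pass", "proto": "any", "src": "*", "dst": LAN_NET}]

# 3. The tighter site-to-site form also mentioned above: only the remote LAN
#    may enter, and only the protocols actually needed (ICMP for ping, TCP).
SITE_TO_SITE = [
    {"action": "pass", "proto": "icmp", "src": REMOTE_NET, "dst": LAN_NET},
    {"action": "pass", "proto": "tcp",  "src": REMOTE_NET, "dst": LAN_NET},
]

def ping_from_site_b(rules):
    """Echo request from the site B pfSense LAN address to the site A client."""
    return evaluate(rules, "icmp", "192.168.12.1", "192.168.11.199")

if __name__ == "__main__":
    for name, rules in (("tcp only", TCP_ONLY), ("any", ANY_PROTO), ("site-to-site", SITE_TO_SITE)):
        print(f"{name:13s} ping from site B -> {ping_from_site_b(rules)}")
    # A source outside the remote LAN is still blocked by the tight rule set.
    print("stray source  ->", evaluate(SITE_TO_SITE, "icmp", "10.1.10.99", "192.168.11.199"))
```

The TCP-only table blocks the echo request exactly as described in the reply above, while both corrected tables pass it; the site-to-site table additionally drops anything not sourced from the remote LAN.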

            Ok, thanks for your help so far. Still not able to ping, but I'm sure that rule was part of the problem.
            I set the protocol on both ends to any.

            There is a Firewall rule in the LAN tab, that I don't remember adding, could this be slurping traffic?

            Proto       *
            Source      LAN Net
            Port        *
            Destination *
            Port        *
            Gateway     *

            I did pfTop via SSH on one host. This looks like the tunnel trying to work.

            From A
            PR  D SRC                          DEST                    GW                        STATE  AGE
            tcp  O 192.168.11.199:4472  64.xx.xx.161:80      108.xx.xx.195:33403  4:4  43h

            Anyway, any other suggestions?

            prandall
            last edited by Oct 3, 2012, 2:11 PM

              IT WORKS! Thanks for your help, Podilarius. After re-saving the Phase II entries something clicked, so I can now ping remote hosts. Which I of course would not have been able to do without that rule change :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.