Netgate Discussion Forum

IPsec ping host for keepalive doesn't work

Category: IPsec
dlogan

In Diagnostics -> Ping, if the source is set to LAN, the pings work. But if I set the source to Localhost, the pings fail.

In my IPSec setup, I have a ping host set to an IP on the other side of the VPN to keep the tunnel alive. It does not keep the tunnel alive. I'm assuming (and I could very well be wrong) this is because Localhost is unable to ping the address. When a host inside the LAN tries to ping the address, the first ping fails while the VPN is being established, then all is well. This is slightly inconvenient, however.

What interface would the IPSec ping host use to try to ping?

There is no tab for Localhost in firewall rules, so I'm not sure how to address this.

I have a rule for IPSec that says allow all IPv4 from anywhere to anywhere.

doktornotor

@dlogan:

    In Diagnostics -> Ping, if the source is set to LAN, the pings work. But if I set the source to Localhost, the pings fail.

https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

For the rest:

https://doc.pfsense.org/index.php/What_should_I_ping_for_IPsec_Keep_Alive

dlogan

Thanks, but that doesn't seem to help. If I select LAN as the source of the ping, it works.

If I select Localhost as the source of the ping, it does not work.

This may or may not be the reason why the "Automatically ping host" under IPSec setup doesn't work; I was just making a guess there.

I added the LAN Gateway and Static Route as suggested by that article, but it has no effect.

doktornotor

I did not suggest adding a GW anywhere. I was explaining why pinging from "localhost" does not work.

As noted by the second article, the pfSense box must have an IP inside the Local Network specified in the P2. Otherwise it won't work.

dlogan

I'm not sure I'm following you. Inside the Phase 2 entry, for Local Network, I have LAN Subnet selected, so as to allow any device on the LAN to initiate the VPN tunnel. The LAN interface of the pfSense box has an address inside that LAN Subnet.
i.e. the LAN subnet is 192.168.0.0/24 and the LAN interface of the pfSense box has address 192.168.0.1/24

cmb

The traffic must match the P2 to go across the VPN. When you source from localhost, the source IP is 127.0.0.1, which isn't going to be part of your IPsec connection. That's not what the IPsec keepalive does.

Go to a command prompt and run 'ps auwx | grep ping_hosts' to see if it's actually running. You should see something like:

```
: ps auwx | grep ping_hosts
root    96764   0.0  0.0  12404   1996  -  Is   Tue02AM     0:00.00 /usr/local/bin/minicron 240 /var/run/ping_hosts.pid /usr/local/bin/ping_hosts.sh
root    97078   0.0  0.0  12404   2008  -  I    Tue02AM     0:00.10 minicron: helper /usr/local/bin/ping_hosts.sh  (minicron)
root    64343   0.0  0.0  18876   2384  1  S+    9:28PM     0:00.01 grep ping_hosts
```
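The rule cmb states above (a packet only enters the tunnel when its source and destination both fall inside the phase 2 local and remote networks, so a ping sourced from 127.0.0.1 never will) as an added example. This is not code from the thread or from pfSense's own ping_hosts.sh; it only models the selector check. The LAN subnet 192.168.0.0/24 is the one dlogan gave; the remote network 10.10.0.0/24 and the ping host 10.10.0.10 are assumed values for illustration:

```shell
#!/bin/sh
# Added example, not code from the Netgate thread or from pfSense.
# Models the IPsec phase 2 selector: SRC->DST is only encrypted when SRC is in
# the P2 local network and DST is in the P2 remote network. The "Localhost"
# source in Diagnostics -> Ping is 127.0.0.1, which never sits inside a P2 whose
# local network is the LAN subnet, so that ping leaves in the clear instead.
# P2_REMOTE and PING_HOST below are assumed values.

ip_to_int() {
    # dotted quad -> 32-bit integer (word-split on '.')
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
    # in_cidr ADDRESS NETWORK/BITS -> exit 0 if ADDRESS is inside the prefix
    addr=$1
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2; bits=32 ;;          # bare address means a /32
    esac
    [ "$bits" -eq 0 ] && return 0        # 0.0.0.0/0 matches everything
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$addr") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

p2_matches() {
    # p2_matches SRC DST LOCALNET REMOTENET -> exit 0 if the P2 selects SRC->DST
    in_cidr "$1" "$3" && in_cidr "$2" "$4"
}

keepalive_source() {
    # keepalive_source LOCALNET ADDR... -> first ADDR inside LOCALNET, or exit 1.
    # A keepalive has to be sourced from such an address to be caught by the P2.
    local_net=$1
    shift
    for candidate in "$@"; do
        if in_cidr "$candidate" "$local_net"; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

P2_LOCAL=192.168.0.0/24     # LAN subnet from the thread
P2_REMOTE=10.10.0.0/24      # assumed remote network
PING_HOST=10.10.0.10        # assumed keepalive target on the far side

for src in 127.0.0.1 192.168.0.1; do
    if p2_matches "$src" "$PING_HOST" "$P2_LOCAL" "$P2_REMOTE"; then
        echo "$src -> $PING_HOST: matches the P2, enters the tunnel"
    else
        echo "$src -> $PING_HOST: no P2 match, leaves via the default route"
    fi
done

echo "usable keepalive source: $(keepalive_source "$P2_LOCAL" 127.0.0.1 192.168.0.1)"
```

Run it as-is and 127.0.0.1 is reported as not matching while 192.168.0.1 is, which is exactly the difference dlogan sees between the Localhost and LAN sources in Diagnostics -> Ping. Swap in your own P2 networks and the address of the ping host to check a real tunnel definition.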
cmb

In addition to answers to the previous post, also try running:

```
ping_hosts.sh
```

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.