Netgate Discussion Forum

    IPSec S2S up but no outbound Traffic

    IPsec
    2 Posts 2 Posters 413 Views
      enthu19
      last edited by enthu19

      The VPN tunnel is successfully connected; Phase 1 and Phase 2 are up. I can see SADs & SPDs (in Phase 2 we have allowed only single IP addresses from both sides, not the entire subnets).
      Inside Advanced Settings, NAT Reflection mode for port forwards is set to Pure NAT, and Enable automatic outbound NAT for Reflection is enabled.

      In the Firewall --> Rules --> IPsec tab: IPv4, Source:Port ANY, Dest:Port LAN net:ANY.

      NAT --> Outbound is set to: Automatic outbound NAT rule generation (IPsec passthrough included).

      The remote side is trying to ping my local IP. He is not getting any response, while in the Status menu, IPsec --> Child SA shows an increment in Bytes-In & Packets-In but no increment in Bytes-Out & Packets-Out.

      In the log --> Firewall, I can see the remote host's ping request being passed on to my local host machine (but he is not getting any reply, only a timeout).

      When I try to ping the remote host: no reply, no Bytes-Out increment.

      What have I missed?

      Update:
      When, in Advanced --> Firewall & NAT, I enable the checkbox Disable all packet filtering, then I can ping the remote host, but the remote host still cannot ping my local host.

      Update 2:
      When I connect to my pfSense IPsec from an external WAN connection using the same rules/parameters via the ShrewSoft VPN Client for Windows, it works perfectly fine: we can ping each other & access other required services such as web.

      But it is not working with the IPsec of the Palo Alto firewall.

      Update 3:
      The issue is resolved. It was a configuration issue between the pfSense & Palo Alto IPsec Phase 2 tunnel.

      Remote WAN IP: x.x.x.x
      Remote local IP: 173.30.144.90 (this IP was given to me by the Palo Alto operator)

      My WAN IP: x.x.x.x
      My local IP: 173.16.0.25

      I configured it as mentioned; both P1 & P2 come up. When the remote end tried to ping my end, he couldn't. When I captured IPsec interface traffic, the ICMP packets were coming from 173.130.144.90 instead of 173.30.144.90.
      I modified my Phase 2 & added 173.130.144.90. The tunnel is UP, and the remote end can ping my local IP.
      I still cannot ping the remote IP, but it's okay; I only wanted one-way traffic.

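The diagnosis in Update 3 (packets arriving inside the tunnel from a source that no Phase 2 selector covers, so the replies have no SPD entry and never enter the child SA) can be checked mechanically. The script below is an added example, not code from the thread or from pfSense: it takes the Phase 2 local/remote selectors from the post, parses a constructed capture modelled on `tcpdump -ni enc0` output on pfSense, and reports which flows match the SPD and which peer addresses would have to be added to the Phase 2 remote network. The capture lines, the SPI values and the helper names are all assumptions made up for the example.

```python
"""Compare traffic seen on the IPsec interface with the Phase 2 traffic selectors.

Added example, not part of the forum thread or of pfSense. It models the
diagnosis from the post: a peer sends ICMP from 173.130.144.90 while Phase 2
only allows 173.30.144.90, so the local replies have no matching SPD entry
and never leave through the child SA (Bytes-Out stays at zero).
"""
import ipaddress
import re

# Phase 2 selectors as described in the post: single hosts on both sides.
PHASE2_LOCAL = ["173.16.0.25/32"]
PHASE2_REMOTE = ["173.30.144.90/32"]

# Constructed sample (made up for this example) in the shape of
# `tcpdump -ni enc0` output on pfSense, where decrypted packets carry an
# (authentic,confidential) prefix and the SPI they arrived on. SPIs are invented.
SAMPLE_CAPTURE = """\
12:00:01.000001 (authentic,confidential): SPI 0x0c1a2b3c: IP 173.130.144.90 > 173.16.0.25: ICMP echo request, id 1, seq 1, length 64
12:00:01.000350 (authentic,confidential): SPI 0x0c1a2b3c: IP 173.130.144.90 > 173.16.0.25: ICMP echo request, id 1, seq 2, length 64
12:00:05.000001 (authentic,confidential): SPI 0x0c1a2b3c: IP 173.30.144.90 > 173.16.0.25: ICMP echo request, id 2, seq 1, length 64
"""

# Matches "IP <src>[.port] > <dst>[.port]:" in a tcpdump line.
LINE_RE = re.compile(
    r"\bIP (\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)? > (\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?:"
)


def in_selectors(addr, selectors):
    """True if addr falls inside any of the given selector networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in selectors)


def classify_flow(src, dst, local=PHASE2_LOCAL, remote=PHASE2_REMOTE):
    """Return (direction, verdict) for one src->dst pair against the selectors."""
    src_local, dst_local = in_selectors(src, local), in_selectors(dst, local)
    src_remote, dst_remote = in_selectors(src, remote), in_selectors(dst, remote)
    if src_remote and dst_local:
        return "inbound", f"matches Phase 2; reply {dst} -> {src} will use the tunnel"
    if src_local and dst_remote:
        return "outbound", "matches Phase 2"
    if dst_local:
        return "inbound", (f"source {src} is outside the remote selector; "
                           f"the reply {dst} -> {src} has no SPD entry and will not use the tunnel")
    if src_local:
        return "outbound", f"destination {dst} is outside the remote selector; no SPD entry"
    return "unknown", "neither endpoint matches the Phase 2 selectors"


def analyze_capture(text, local=PHASE2_LOCAL, remote=PHASE2_REMOTE):
    """Parse tcpdump-style lines and classify every flow found."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst = m.groups()
        direction, verdict = classify_flow(src, dst, local, remote)
        results.append({"src": src, "dst": dst, "direction": direction, "verdict": verdict})
    return results


def missing_remote_hosts(text, local=PHASE2_LOCAL, remote=PHASE2_REMOTE):
    """Peer addresses talking to a local selector host that no remote selector covers."""
    missing = set()
    for r in analyze_capture(text, local, remote):
        if r["direction"] == "inbound" and not in_selectors(r["src"], remote):
            missing.add(r["src"])
        elif r["direction"] == "outbound" and not in_selectors(r["dst"], remote):
            missing.add(r["dst"])
    return sorted(missing)


if __name__ == "__main__":
    for r in analyze_capture(SAMPLE_CAPTURE):
        print(f"{r['direction']:8} {r['src']} -> {r['dst']}: {r['verdict']}")
    print("add to Phase 2 remote network:", ", ".join(missing_remote_hosts(SAMPLE_CAPTURE)))
```

Run it with a real capture by piping `tcpdump -ni enc0 -l` output into `analyze_capture`; the selectors should be copied from the Phase 2 entry exactly as configured, because a /32 host selector is what makes a single wrong octet on the peer side fail silently.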
        Konstanti @enthu19
        last edited by Konstanti

        @enthu19
        Hello

        1. Show the Phase 2 settings and the rules on the LAN and IPsec interfaces.
        2. There is no need to configure outbound NAT for the IPsec tunnel (Firewall/NAT/Outbound).
        3. There is no need to configure NAT Reflection for the IPsec tunnel.
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.