pfSense does not allow traffic to first hop over IPSec, but does to second hop hosts
Hi all. I am a pfSense novice and apologize up front for my lack of knowledge. I have a problem with my pfSense IPSec VPN that I have been debugging for the last week, but have been unable to resolve. I now have to resort to asking for help.
I have a setup that looks like this:
file:///home/morgan/Pictures/azure%20vwan.png
The pfSense router sits at the "Home" location and has an S2S IPSec VPN configured using VTI to the S2S GW. I use OpenBGPD to exchange routes between the networks, which seems to be working fine as I can see routes being added from the cloud.
I have a VM deployed in both of the networks called Spokes in this picture. I can ping (ICMP) any host in this setup. The problem is with any other protocol except ICMP. I cannot contact anything under 10.2.0.0/16 on any protocol except ICMP, but I can with anything on 10.130.0.0/16. This is a complete mystery to me.
I have no FW rules except the auto configured IPSec rules.
If I look at the Firewall logs I see this:
If I hover over the X I get this:
I cannot find any rule named "Default deny rule IPv4" nor understand why SSH to this host (and not e.g. 10.130.0.4) is being blocked.
If I add a second spoke to vWAN-Hub-NE I cannot reach anything there either, but if I add a spoke to vWAN-Hub-EUS2 I can.
Can anyone shed any light?
Thanks
Morgan
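The "Default deny rule IPv4" entry is not on any GUI rules tab: pfSense generates it into the live ruleset (visible on the firewall in /tmp/rules.debug or via `pfctl -vvsr`) as the catch-all that matches when no interface rule and no existing state does, and the firewall log records it through its tracker ID (1000000103 for IPv4, 1000000104 for IPv6). The first thing a practitioner wants from such a log is which interface and direction the block happened on, so that asymmetric return paths or an assigned VTI interface with no rules stand out. The script below is an added example, not code from the original post or from pfSense: it parses pfSense filterlog syslog lines and tallies default-deny blocks by interface, direction, protocol and endpoints. The sample log lines, the VTI interface name ipsec1000, the addresses 192.168.10.20 and 10.2.0.4, and the user-rule tracker IDs are all constructed for the example.

```python
import re
from collections import Counter

# Tracker IDs that pfSense's filter.inc assigns to its implicit default-deny
# rules. They never appear in the GUI rule list, only in the generated
# ruleset (/tmp/rules.debug, `pfctl -vvsr`) and in the log's tracker field.
DEFAULT_DENY_TRACKERS = {
    "1000000103": "Default deny rule IPv4",
    "1000000104": "Default deny rule IPv6",
}

FILTERLOG_RE = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>\S.*)$")


def parse_filterlog(line):
    """Parse one pfSense filterlog syslog line into a dict; None for other lines."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    # Common prefix: rulenum, subrulenum, anchor, tracker, interface, reason,
    # action, direction, IP version.
    rec = {
        "rulenum": f[0], "tracker": f[3], "iface": f[4], "reason": f[5],
        "action": f[6], "dir": f[7], "ipver": f[8],
    }
    if rec["ipver"] == "4":
        # IPv4 block: tos, ecn, ttl, id, offset, flags, protoid, proto, length, src, dst
        if len(f) < 20:
            return None
        rec.update(proto=f[16], src=f[18], dst=f[19])
        rest = f[20:]
    else:
        # IPv6 block: class, flowlabel, hoplimit, proto, protoid, length, src, dst
        if len(f) < 17:
            return None
        rec.update(proto=f[12], src=f[15], dst=f[16])
        rest = f[17:]
    # TCP and UDP both begin their protocol block with source and destination port.
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = rest[0], rest[1]
    rec["rule_label"] = DEFAULT_DENY_TRACKERS.get(rec["tracker"])
    return rec


def summarize_default_denies(lines):
    """Count blocks by the implicit default-deny rules, keyed by
    (interface, direction, proto, src, dst, dport) so a block on an
    unexpected interface or in the reply direction is visible at a glance."""
    counts = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block" or rec["rule_label"] is None:
            continue
        key = (rec["iface"], rec["dir"], rec["proto"], rec["src"], rec["dst"],
               rec.get("dport", "-"))
        counts[key] += 1
    return counts


# Constructed sample: two SSH reply segments (SYN-ACK) arriving on the VTI
# interface and hitting default deny, one UDP block by a user rule (tracker
# 1770000000, assumed), one IPv6 default-deny block, one ICMP pass logged by
# an assumed user rule, and one unrelated syslog line.
SAMPLE_LOG = """\
Jun  1 10:00:01 pfSense filterlog[61112]: 5,,,1000000103,ipsec1000,match,block,in,4,0x0,,63,4321,0,DF,6,tcp,60,10.2.0.4,192.168.10.20,22,55012,0,SA,310144981,3902203701,65160,,mss;sackOK;TS;nop;wscale
Jun  1 10:00:02 pfSense filterlog[61112]: 5,,,1000000103,ipsec1000,match,block,in,4,0x0,,63,4322,0,DF,6,tcp,60,10.2.0.4,192.168.10.20,22,55012,0,SA,310144981,3902203701,65160,,mss;sackOK;TS;nop;wscale
Jun  1 10:00:05 pfSense filterlog[61112]: 91,,,1770000000,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,192.168.10.20,10.2.0.4,51001,53,58
Jun  1 10:00:07 pfSense filterlog[61112]: 5,,,1000000104,ipsec1000,match,block,in,6,0x00,0x00000,63,tcp,6,40,2001:db8:2::4,2001:db8:10::20,22,55013,0,SA,1,2,65160,,mss
Jun  1 10:00:08 pfSense filterlog[61112]: 5,,,1556000000,ipsec1000,match,pass,in,4,0x0,,63,0,0,none,1,icmp,84,10.2.0.4,192.168.10.20,reply,41234,1
Jun  1 10:00:09 pfSense sshd[4012]: Accepted publickey for admin from 192.168.10.20 port 50010 ssh2
"""

if __name__ == "__main__":
    for key, n in summarize_default_denies(SAMPLE_LOG.splitlines()).items():
        iface, direction, proto, src, dst, dport = key
        print(f"{n:3d}  {iface:10s} {direction:3s} {proto:4s} {src} -> {dst}:{dport}")
```

Run against `clog /var/log/filter.log` output (or a syslog export) from the firewall; a default-deny count that lands on the VTI interface in the `in` direction for the reply half of a TCP handshake, while the same protocol to the other hub's spoke is absent, narrows the question to how traffic for that one prefix is routed and on which interface pf is asked to find a state.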