Tunnel established but no traffic passes



  • I just configured a pfSense-to-pfSense IPSec tunnel. I am able to get the link to authenticate and establish a tunnel but I am not able to get any packets to traverse the network. I've only tried pings and ssh, but nothing is visible from either end to the other.

    I have checked IPSec, System and Firewall logs and there is nothing logged that indicates any problems. Firewall logs show nothing regarding the IPs involved, IPSec logs show no errors, and system logs show no activity either.

    So I'm feeling like there must be something very basic that I am overlooking, not seeing or failed to configure. Can anyone shed some light on this problem?

    Both systems are 1.2-RELEASE.

    Here is some data on the topography as shown in IPSec SPD. I have sanitized public IPs.
    Source           Destination      Direction  Protocol  Tunnel endpoints
    10.2.200.0/24    192.168.1.0/24   -->        ESP       x.x.xx.131 - xx.xxx.xx.110
    192.168.1.0/24   10.2.200.0/24    <--        ESP       xx.xxx.xx.110 - x.x.xx.131

    Here's the security Association under IPSec SA

    Source          Destination     Protocol  SPI       Enc. alg.  Auth. alg.
    xx.xxx.xx.110   x.x.xx.131      ESP       040acbd8  aes-cbc    hmac-md5
    x.x.xx.131      xx.xxx.xx.110   ESP       058402f0  aes-cbc    hmac-md5

    Thanks all



  • Did you go to firewall, rules, IPsec and create rules to allow your traffic?



  • Nope. And that was the kind of silly thing I was hoping I overlooked!

    Thanks so much.



  • I would like to be even more silly… :P

    I have the exact same problem.  If I click on Firewall -> Rules, and then click on the + to add a new rule, what do I need to do in order to allow IPSEC traffic through?

    Thanks,
    -John



  • The IPsec traffic is passed 'behind the scenes', so you don't need to do anything on the WAN side.
    The tunnel itself is comparable to a physical interface, so you need to create rules to pass the traffic you need between sites. If it's a simple branch office you can go the insecure route and create an allow any protocol, any source, any destination rule. You probably want to only allow access to specific machines/services though.
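
The choice described in the reply above, sketched as pf rules for the pfSense box whose LAN is 10.2.200.0/24 in the SPD listing. This is an added example, not part of the thread and not pfSense's generated ruleset. It assumes the decrypted tunnel traffic is filtered on the enc0 interface (what the Firewall -> Rules -> IPsec tab controls), and the host 10.2.200.10 is a constructed address.

```pf
# Assumption: enc0 carries the decrypted IPsec traffic on this box.
# Subnets are the ones shown in the SPD output above; 10.2.200.10 is
# a constructed example host, not a value from the thread.

remote_lan = "192.168.1.0/24"
local_lan  = "10.2.200.0/24"
ssh_host   = "10.2.200.10"

# The "insecure route": any protocol, any source, any destination.
# Everything the remote site can route into the tunnel reaches the
# whole local LAN. Shown commented out for comparison only.
# pass in quick on enc0 all keep state

# Restricted alternative: only what the sites actually need.
# 1. ping from the remote LAN, for basic reachability tests
pass in quick on enc0 inet proto icmp from $remote_lan to $local_lan \
    icmp-type echoreq keep state

# 2. ssh from the remote LAN to one specific machine
pass in quick on enc0 inet proto tcp from $remote_lan to $ssh_host \
    port 22 flags S/SA keep state

# 3. anything else arriving through the tunnel is dropped and logged,
#    so blocked traffic shows up in the firewall log
block in log quick on enc0 all
```

With no pass rule on the tunnel interface, the tunnel authenticates and the SAs appear, but the decrypted packets are dropped, which is the symptom in the first post.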



  • I added this firewall rule to pfSense:
    proto: *
    src: *
    port: *
    dest: *
    gateway: *

    And still can not get traffic to go through.  A tracert on the server behind pfSense can not get to the server behind the FortiGate 300A.  All I see is * * * Request timed out.  On the server behind the FGT, if I do a tracert to the server behind the pfSense, traffic still goes out our main interface, instead of the interface that is directly connected to the pfSense box.  I tried adding a static route on the FGT but must be doing it wrong.

    Does anyone have IPSEC running between pfSense and a Fortigate?

    Thanks,
    -John



  • I have this working one way now.  The server from behind the pfSense box can map drives, copy files, remote desktop to a server behind the Fortigate.  So if that server initiates the connection everything works.  However, if the server from behind the FortiGate tries to initiate a connection it does not work.

    By looking at a tracert, it appears that once the packet gets to the Fortigate, it does not know where to go.  I just get "Request timed out".

    I think it is a Fortigate routing issue and I am going to keep fiddling with it.  ???

    -John

