Netgate Discussion Forum
    Tunnel established but no traffic passes

      bmarshallbri

      I just configured a pfSense-to-pfSense IPsec tunnel. I am able to get the link to authenticate and establish a tunnel, but I am not able to get any packets to traverse the network. I've only tried pings and ssh, but nothing is visible from either end to the other.

      I have checked the IPsec, System and Firewall logs and there is nothing logged that indicates any problems. Firewall logs show nothing regarding the IPs involved, IPsec logs no errors, and the system logs show no activity either.

      So I'm feeling like there must be something very basic that I am overlooking, not seeing or failed to configure. Can anyone shed some light on this problem?

      Both systems are 1.2-RELEASE.

      Here is some data on the topography as shown in IPsec SPD; I have sanitized the public IPs.

      Source            Destination       Direction   Protocol   Tunnel endpoints
      10.2.200.0/24     192.168.1.0/24    -->         ESP        x.x.xx.131 - xx.xxx.xx.110
      192.168.1.0/24    10.2.200.0/24     <--         ESP        xx.xxx.xx.110 - x.x.xx.131

      Here's the security association under IPsec SA:

      Source            Destination       Protocol   SPI        Enc. alg.   Auth. alg.
      xx.xxx.xx.110     x.x.xx.131        ESP        040acbd8   aes-cbc     hmac-md5
      x.x.xx.131        xx.xxx.xx.110     ESP        058402f0   aes-cbc     hmac-md5

      Thanks all

      dotdash

        Did you go to firewall, rules, IPsec and create rules to allow your traffic?

        bmarshallbri

          Nope. And that was the kind of silly thing I was hoping I overlooked!

          Thanks so much.

          jftuga

            I would like to be even more silly… :P

            I have the exact same problem.  If I click on Firewall -> Rules, and then click on the + to add a new rule, what do I need to do in order to allow IPsec traffic through?

            Thanks,
            -John

            dotdash

              The IPsec traffic is passed 'behind the scenes', so you don't need to do anything on the WAN side.
              The tunnel itself is comparable to a physical interface, so you need to create rules to pass the traffic you need between sites. If it's a simple branch office you can go the insecure route and create an allow any protocol, any source, any destination rule. You probably want to only allow access to specific machines/services though.

              jftuga
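To make the advice in the reply above concrete, here is an added example (not from this thread and not pfSense's generated ruleset) written directly in pf syntax, i.e. what the Firewall -> Rules -> IPsec tab produces under the hood. It assumes decrypted tunnel traffic arrives on the `enc0` interface, that the local LAN is 192.168.1.0/24 and the remote site 10.2.200.0/24 (the networks from the SPD table in the first post), and that 192.168.1.20 is a constructed address for the one server the branch needs to reach. It shows the permissive any/any rule beside a least-privilege alternative that only allows specific hosts and services.

```pf
# Added example, not the thread's or pfSense's own ruleset.
# Assumptions: decrypted IPsec traffic enters on enc0; local LAN 192.168.1.0/24;
# remote site 10.2.200.0/24 (from the SPD in the first post);
# 192.168.1.20 is a constructed address for the server the remote site uses.

remote_site = "10.2.200.0/24"
file_server = "192.168.1.20"

# 1) The "insecure route": allow anything from the remote site into the LAN.
#    This is the any/any rule on the IPsec tab. Left commented out; use 2) instead.
# pass in quick on enc0 from $remote_site to 192.168.1.0/24

# 2) Least privilege: only the services the branch actually needs, to one host.
# ICMP echo so ping still works for troubleshooting the tunnel
pass in quick on enc0 inet proto icmp from $remote_site to $file_server icmp-type echoreq
# SSH and Remote Desktop to that server only
pass in quick on enc0 inet proto tcp from $remote_site to $file_server port { 22, 3389 }
# SMB for mapping drives and copying files
pass in quick on enc0 inet proto tcp from $remote_site to $file_server port { 139, 445 }

# Anything else arriving through the tunnel is dropped and logged, so
# unexpected traffic from the remote site shows up in the firewall log.
block in log quick on enc0 from $remote_site to any
```

The rules are written in the inbound direction on enc0 because that is what the IPsec tab governs: whether decrypted traffic from the other site may enter. Traffic from your own LAN toward the remote site is evaluated by the LAN interface rules, which pass it by default. The final `block ... log` line makes the default-deny explicit and is what turns the empty firewall log in the first post into useful evidence. Note that these rules only decide what is allowed once packets reach the tunnel; if the far end has no route sending return traffic into the tunnel, as in the FortiGate posts later in this thread, no rule on the pfSense side will fix that.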

                I added this firewall rule to pfSense:
                proto: *
                src: *
                port: *
                dest: *
                gateway: *

                And still cannot get traffic to go through.  A tracert on the server behind pfSense cannot get to the server behind the FortiGate 300A.  All I see is * * * Request timed out.  On the server behind the FGT, if I do a tracert to the server behind the pfSense, traffic still goes out our main interface, instead of the interface that is directly connected to the pfSense box.  I tried adding a static route on the FGT but must be doing it wrong.

                Does anyone have IPsec running between pfSense and a Fortigate?

                Thanks,
                -John

                jftuga

                  I have this working one way now.  The server from behind the pfSense box can map drives, copy files, and remote desktop to a server behind the Fortigate.  So if that server initiates the connection everything works.  However, if the server from behind the FortiGate tries to initiate a connection it does not work.

                  By looking at a tracert, it appears that once the packet gets to the Fortigate, it does not know where to go.  I just get "Request timed out".

                  I think it is a Fortigate routing issue and I am going to keep fiddling with it.  ???

                  -John

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.