Ipsec between 2 sites
I am noy understanding how this happens but I though that when u created a IPSEC VPN connection between 2 PFSENSE beta 3 boxes all traffic is routed.
Box A 192.168.2.0/24 PFSENSE is 19188.8.131.52
Box B 192.168.3.0/24 PFSENSE is 19184.108.40.206
From pfsense interface I can Ping Lan 192.168.3.1 and the ping comes back succesfull but if I try to ping from any other machine in my Box A network to that same aadress i cant get through and I in the firewall logs I see the default rule bloking the ping.
Are the rules controlling the ports between ISEC connections ?
Rules are applied on incoming connections. IPSEC however is not filterable, so the only way you can get a block for this traffic is by a rule at the LAN side where the traffic is entering the pf'Sense to be send out via IPSEC. Check your rules. Did you allow the ICMP protocol?
Uhmm. I read your statement 3 times & I am not quite sure I understand it.
"Rules are applied on incoming connections."
Can we expand on this one ? I have a rule in Box A in the Lan section that says only ICMP within the LAN Subnet. I have a IPSEC tunnel between Box A & Box B. I Ping from Box A to Box B. Ping refused because of the Lan rules. In Box B I have default Lan rules so if I ping to A it works.
So in the Lan I should give the OK for ICMP to both subnets, not only the LAN one, I guess by creating an Alias of subnets.
So basically IPSEC follows the rules of the LAN rules x site instead of having its own rule set.
LAN A–-----------------LAN/pfSenseA/IPSEC-----------------------IPSEC/pfSenseB/LAN---------------LAN B
Don't get confused that it looks like a seperate Interface up there. IPSEC is completely transparent between the two pfSenses once established, it doesn't cross the WAN interfaces even (seen from the packetfilters view).
As I said you only can control incoming connections on an interface. So the rules at the LAN interface of pfSenseA determines what can move over the IPSEC to pfSenseB. pfSenseB can't block connections incoming over IPSEC as it's not an interface seen by the packet filter. The same applies for the other direction. Rules at LAN interface of pfSenseB can pass/block traffic going through the IPSEC to pfSenseA only.
I hope this makes it a bit more clear.