Access remote network through IPSec/GRE



  • I'm going to put this here because I think the issue is with the firewall / routing and not with IPSec per se.  I am trying to set up GRE over IPSec, and routing doesn't seem to be doing what I expect.

    Two new instances of pfSense 2.3.2.  I created the IPSec phase 1 and transport phase 2, and created GRE between the two.  One side uses 10.0.20.2/24 for the GRE endpoint and the other side uses 10.0.20.1/24.  I can ping from 10.0.20.2 to 10.0.20.1 and vice versa, so I know the tunnel is working.

    I created the GRE interface on both sides, and the new gateway is created to the far end of the 10.0.20.0/24 network on both sides.  I also created a static route to the far side LAN network through the remote gateway on both sides.  (One LAN is 192.168.20.1/24 and the other side is 192.168.30.1/24)

    I have created allow all rules on both LANs, both GRE interfaces, and both IPSec interfaces.  Outbound NAT rules were automatically generated on both the GRE and WAN interface for 192.168.20.0/24 and 192.168.30.0/24.  However, I cannot ping from one LAN to the other.  I cannot ping from either LAN to the far side gateway either (I can ping to the local end point of the tunnel.)  All of the pings are from the command shell, although I have tried from a client computer and it doesn't work there either.

    I am trying to diagnose the problem and if I start a ping, I don't see a state for it anywhere and I don't see any line for it in pfTop.  (If I do one of the pings that work I can find those.)

    I'm racking my brain trying to figure out what I'm missing.  Any ideas?

    Thanks,
    -Matt



  • I was able to find out a little more.  I started a ping on one side from 192.168.20.1 to 192.168.30.1 and did a packet capture.

    On the local GRE interface I see:

    16:01:04.242255 IP 10.0.20.1 > 192.168.30.1: ICMP echo request, id 4849, seq 286, length 64

    On the far side GRE interface I see:

    16:01:58.443909 IP 10.0.20.1 > 192.168.30.1: ICMP echo request, id 4849, seq 340, length 64

    However, if I do packet capture on the far side LAN I see nothing.  I also see no replies.  So it seems it is making it through the tunnel but not being routed properly to the LAN address.



  • Another update: Ping between the two LAN subnets works if I disable both firewalls (pfctl -d) so I know the problem is in the firewall.

    Just to clarify the two pfSense instances are running in virtual machines (on Vultr VPS).  I am trying to get this set up in a lab environment before I implement it on my own network.  Each instance was installed fresh, and all options left at default except what I have changed to enable IPSec and GRE, and the changes I have been trying to make on the firewall.  No other packages have been installed.  There are no clients attached to either at the moment, they are only talking to each other.

    Currently on both boxes I have allow all rules (all protocols, ports, sources and destination) for LAN, GRE, and IPSec interfaces.  I have attempted to add an additional rule on the LAN and GRE specifically allowing any traffic with a source address of the remote network but it doesn't seem to make any difference.

    Can anyone help?  I know it is probably something simple but I'm just not seeing it.