Weird IPSec Road Warrior Issue. Client cannot ping itself or anything else



  • I have a weird IPSec issue going on. I set up my IPSec VPN following this guide: https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

    Everything is the same except that Negotiation mode is set to Main. Aggressive did not work.

    My virtual address pool is 10.140.0.0/24
    My PFSense IP is 192.168.0.101
    My LAN address is 10.128.0.0/16
    Local Address in phase 2 is set to 10.128.0.0/16, but I've also tried setting this to 0.0.0.0/0 with no luck.

    My client can successfully connect and is given the IP address 10.140.0.1 from the PFSense server. When I try to ping that address from the client, it times out. I also cannot ping or connect to anything… not even Google's public DNS servers. It's like it's trying to send all traffic through the VPN even though I have my LAN subnet set in the local address field of the phase 2 settings.

    My internal hosts can ping the IPSec client. For example, a machine at 10.128.0.50 can ping 10.140.0.1, but 10.140.0.1 cannot ping 10.128.0.50. BUT my pfsense box cannot ping my VPN client. I get this: ping: sendto: Permission denied.

    If I start a packet capture on the IPSec interface, I can see the ICMP requests and replies... even the ones that do not go through to 10.128.0.50. If I ping 10.128.0.50 from my VPN client, the client never sees the reply and times out, but the packet capture shows the request and reply. If I ping the client from the client, all I see is the request, no reply.

    I've checked my firewall rules and logs. My IPSec interface has an allow all rule. All logs look good. No denied entries. Strange thing is I don't see any ESP traffic in the packet capture or in my firewall logs.