Weird IPSec Road Warrior Issue. Client cannot ping itself or anything else

I have a weird IPSec issue going on. I set up my IPSec VPN following this guide:

Everything is the same except that Negotiation mode is set to Main. Aggressive did not work.

My virtual address pool is
My pfSense IP is
My LAN address is
Local Address in phase 2 is set to, but I've also tried setting this to with no luck.

My client can successfully connect and is given the IP address from the pfSense server. When I try to ping that address from the client, it times out. I also cannot ping or connect to anything… not even Google's public DNS servers. It's like it's trying to send all traffic through the VPN even though I have my LAN subnet set in the local address field of the phase 2 settings.

My internal hosts can ping the IPSec client. For example, a machine at can ping, but cannot ping. BUT my pfSense box cannot ping my VPN client. I get this: ping: sendto: Permission denied.

If I start a packet capture on the IPSec interface, I can see the ICMP requests and replies... even the ones that do not go through to. If I ping from my VPN client, the client never sees the reply and times out, but the packet capture shows the request and reply. If I ping the client from the client, all I see is the request, no reply.

I've checked my firewall rules and logs. My IPSec interface has an allow all rule. All logs look good. No denied entries. Strange thing is I don't see any ESP traffic in the packet capture or in my firewall logs.
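The two symptoms in the post (inner ICMP visible on the IPsec interface, but no ESP anywhere, and a client-to-self echo that is never answered) can be checked mechanically from the captures rather than by eye. The script below is an added example, not code from the poster or from pfSense: it parses tcpdump-style lines from two captures, one taken on the WAN interface and one on the IPsec interface (enc0 on pfSense), counts IKE/ESP/ICMP packets per capture, and lists echo requests that never got a reply. All addresses, interface names and capture lines are constructed placeholders, not the poster's real values; the only assumption is tcpdump's default line format.

```python
"""Diagnose a road-warrior IPsec capture: is traffic actually being
encapsulated (ESP on WAN), and which inner echo requests go unanswered?

Added example with constructed sample data; not the poster's captures.
"""
import re
from collections import Counter

# Constructed WAN-side capture: IKE negotiation is present, but no ESP ever
# appears, mirroring the "I don't see any ESP traffic" observation.
WAN_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident
12:00:01.000200 IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: phase 1 R ident
"""

# Constructed IPsec-interface (enc0) capture: decrypted inner packets.
# 10.10.10.1 = VPN client (placeholder), 192.168.1.1 = a LAN host (placeholder).
IPSEC_CAPTURE = """\
12:00:02.000300 IP 10.10.10.1 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64
12:00:02.000400 IP 192.168.1.1 > 10.10.10.1: ICMP echo reply, id 1, seq 1, length 64
12:00:03.000300 IP 10.10.10.1 > 192.168.1.1: ICMP echo request, id 1, seq 2, length 64
12:00:03.000400 IP 192.168.1.1 > 10.10.10.1: ICMP echo reply, id 1, seq 2, length 64
12:00:04.000300 IP 10.10.10.1 > 10.10.10.1: ICMP echo request, id 2, seq 1, length 64
"""

# tcpdump default format: "<ts> IP <src>[.<port>] > <dst>[.<port>]: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def parse_line(line):
    """Return {"src", "dst", "proto"} for one capture line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("ESP"):
        proto = "esp"
    elif "isakmp" in rest:
        proto = "isakmp"
    elif "ICMP echo request" in rest:
        proto = "icmp-request"
    elif "ICMP echo reply" in rest:
        proto = "icmp-reply"
    else:
        proto = "other"
    return {"src": m.group("src"), "dst": m.group("dst"), "proto": proto}


def summarize(capture):
    """Count packets per protocol class; missing classes read as 0."""
    counts = Counter()
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            counts[pkt["proto"]] += 1
    return counts


def unanswered_echoes(capture):
    """Return sorted (src, dst) pairs whose echo request never drew a reply."""
    requests, replies = set(), set()
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["proto"] == "icmp-request":
            requests.add((pkt["src"], pkt["dst"]))
        elif pkt["proto"] == "icmp-reply":
            # A reply travels dst -> src relative to the request it answers.
            replies.add((pkt["dst"], pkt["src"]))
    return sorted(requests - replies)


def diagnose(wan_capture, ipsec_capture):
    """Turn the two captures into a list of human-readable findings."""
    wan, inner = summarize(wan_capture), summarize(ipsec_capture)
    findings = []
    if wan["isakmp"] and not wan["esp"]:
        findings.append("IKE seen on WAN but no ESP: tunnel negotiated, no encrypted data flowing")
    if inner["icmp-request"] and not wan["esp"]:
        findings.append("inner ICMP on IPsec interface without matching ESP on WAN")
    for src, dst in unanswered_echoes(ipsec_capture):
        findings.append(f"echo request {src} -> {dst} never answered")
    return findings


if __name__ == "__main__":
    for finding in diagnose(WAN_CAPTURE, IPSEC_CAPTURE):
        print(finding)
```

To use it on real data, replace the two constants with the text of captures taken at the same time on the WAN interface (filter `esp or udp port 500 or udp port 4500`) and on the IPsec interface; if the WAN capture shows IKE but never ESP while the inner capture shows ICMP, the problem is on the encapsulation or policy side rather than in the LAN-facing firewall rules.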

