Netgate Discussion Forum
    Weird IPSec Road Warrior Issue. Client cannot ping itself or anything else

      abel408

      I have a weird IPSec issue going on. I set up my IPSec VPN following this guide: https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

      Everything is the same except that Negotiation mode is set to Main. Aggressive did not work.

      My virtual address pool is 10.140.0.0/24
      My PFSense IP is 192.168.0.101
      My LAN address is 10.128.0.0/16
      Local Address in phase 2 is set to 10.128.0.0/16, but I've also tried setting this to 0.0.0.0/0 with no luck.

      My client can successfully connect and is given the IP address 10.140.0.1 from the PFSense server. When I try to ping that address from the client, it times out. I also cannot ping or connect to anything… not even Google's public DNS servers. It's like it's trying to send all traffic through the VPN even though I have my LAN subnet set in the local address field of the phase 2 settings.

      My internal hosts can ping the IPSec client. For example, a machine at 10.128.0.50 can ping 10.140.0.1, but 10.140.0.1 cannot ping 10.128.0.50. BUT my pfsense box cannot ping my VPN client. I get this: ping: sendto: Permission denied.

      If I start a packet capture on the IPSec interface, I can see the ICMP requests and replies... even the ones that do not go through to 10.128.0.50. If I ping 10.128.0.50 from my VPN client, the client never sees the reply and times out, but the packet capture shows the request and reply. If I ping the client from the client, all I see is the request, no reply.

      I've checked my firewall rules and logs. My IPSec interface has an allow all rule. All logs look good. No denied entries. Strange thing is I don't see any ESP traffic in the packet capture or in my firewall logs.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.