IPSec Transport Mode



  • Hi:

    I am trying to get GRE over IPsec using two pfSense VMs in a test environment.  I can get GRE working, but I cannot get IPsec itself working in transport mode.  With the GRE tunnels removed and IPsec disabled, I can ping the peer's WAN interface.  If I bring up IPsec, I can no longer ping the peer.  The firewall rules are allowing all traffic on the IPsec zone.  The network setup is pretty simple:

    Network 1:

    • LAN: 172.16.1.0/24
    • WAN: 192.168.1.10

    Network 2:

    • LAN: 172.16.2.0/24
    • WAN: 192.168.1.20

    The SA is established as shown in Status -> IPsec, but again, I cannot ping the peer on its WAN interface with the SA up.  I did a packet capture on Network 2 and I can see the echo request from Network 1, but I do not see echo replies going back, which seems odd.

    Has anyone successfully got this working?

    Thanks!



  • I've done some more testing with this and I'm a bit confused by what I am seeing.  When I ping 192.168.1.20 from the pfSense console on 192.168.1.10, the pings go through, and I see that the traffic has been encapsulated when I do a packet capture.  If I try to ping from a host behind the firewall, I see that the ICMP traffic has not been encapsulated.  A traffic capture on the peer shows the ping; however, the reply does not show as being transmitted.  The firewall log shows that the echo request came in on the WAN, not IPsec.

    I believe the issue here is that the pings are not being encapsulated, and if I can get that working, GRE will also come alive.  I tried dumping the pfSense-built ipsec.conf for a simpler file; however, the traffic is still not flowing as expected.

    It seems like this is something that should just work, so I'm a bit baffled that it is not.  Does anyone else have transport mode working in this manner?
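
As an added illustration, not taken from the thread or from pfSense's generated files, here is the strongSwan legacy ipsec.conf stanza that the setup described above maps to: a transport-mode ESP child SA between the two WAN addresses, restricted to GRE (IP protocol 47) so that only the GRE tunnel is encapsulated. Transport mode adds no inner IP header, so such an SA only covers packets whose own source and destination are the two endpoint addresses; LAN-sourced traffic is protected only because it rides inside GRE, whose outer header is WAN-to-WAN. The connection name, the PSK placeholder and the cipher proposals are assumptions chosen for the example.

```conf
# /etc/ipsec.conf on Network 1 (WAN 192.168.1.10). On Network 2 swap left/right.
config setup
    uniqueids = yes

conn gre-transport
    keyexchange=ikev2
    # transport mode: ESP wraps the GRE packet in place, no new outer IP header
    type=transport
    authby=secret
    # the SA endpoints are the two WAN addresses from the thread
    left=192.168.1.10
    right=192.168.1.20
    # limit the child SA to GRE (protocol 47) in both directions; plain ICMP
    # between the WAN addresses is deliberately left outside the SA
    leftprotoport=47
    rightprotoport=47
    # example proposals (assumption); use whatever both peers support
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    auto=start

# /etc/ipsec.secrets on both peers (the PSK value is a placeholder):
# 192.168.1.10 192.168.1.20 : PSK "replace-with-a-long-random-secret"
```

Once the SA is up, `ipsec statusall` should list the child SA with `192.168.1.10/32[47] === 192.168.1.20/32[47]` as its selectors, and a capture on the WAN interface (for example `tcpdump -ni em0 esp`, with em0 an assumed interface name) should show ESP only when traffic crosses the GRE tunnel, while a direct ping between the WAN addresses stays in the clear.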