Netgate Discussion Forum

    [RESOLVED] IPSec tunnel OK but routers can't ping each other

    Category: IPsec
    5 Posts 3 Posters 14.7k Views
    • N
      nicolasfo
      last edited by

      Hello there,
      I've established an IPSec tunnel between a pfSense appliance and a Stormshield appliance.

      Clients on both sides are able to ping each other on the other site and I'm able to access resources on the other site: OK.

      But the routers themselves can't ping each other. Generally, the routers themselves can't access resources on the other site. But "their" clients can…

      For example, if I try to ping a server on site 1 using a client on site 2, the ping will be OK.
      But if I try to ping the same server from the site 2 router, the ping will not pass...

      Is anyone able to help me?

      Thanks

      Nicolas

      1 Reply Last reply Reply Quote 0
      • J
        Jamerson
        last edited by

        Can you access the server and not ping it?
        Or can't you access it at all?

        Can you share your firewall rules?

        1 Reply Last reply Reply Quote 0
        • N
          nicolasfo
          last edited by

          Hello, sorry for the delay

          From pfSense I can't ping the Stormshield, but from a client behind pfSense, I can ping the Stormshield.
          From the Stormshield, I can't ping pfSense, but a client behind the Stormshield can ping pfSense.

          Here are my pfSense firewall rules:

          WAN interface:

          The scrambled IP is the public IP of the remote site.

          LAN interface:

          IPSec interface:

          On the other side of the tunnel, I've allowed all traffic coming from and going to the pfSense local network.

          Obviously, all of these PassAll rules are for test purposes only.

          Another test I've made, using the "Test port" functionality under pfSense: pfSense is unable to "see" anything located on the remote site, such as the remote firewall (at least https) or services hosted by other servers (https, ssh, imap…).

          When I contact a service from a client located behind pfSense, I have logs on the Stormshield or pfSense, but when I contact a service from pfSense itself, no logs appear on the Stormshield or pfSense...

          Thanks for your help!

          Nicolas

          1 Reply Last reply Reply Quote 0
          • N
            nicolasfo
            last edited by

            You can know everything about everything thanks to Google. But if you don't know what to search for, it is useless.

            The problem is resolved, by adding a bogus route by hand.

            Here's the explanation:

            https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

            Thanks for the help

            P 1 Reply Last reply Reply Quote 2
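            The mechanism behind the "bogus route" fix, as an added worked example that is not part of this thread or of pfSense: a packet the firewall originates is sourced from the address of the interface its routing table selects, and a policy-based IPsec tunnel only carries packets whose source/destination pair falls inside a phase 2 selector. With only a default route, the remote subnet is reached via WAN, so the packet carries the WAN address, matches no phase 2 entry and never enters the tunnel (hence no log on either side). A static route for the remote subnet via any gateway address inside the LAN subnet makes the kernel pick LAN as the egress, so the packet is sourced from the LAN address and does match. All addresses, interface names and the phase 2 selector below are constructed for the example.

```python
"""Model of firewall-originated traffic over a policy-based IPsec tunnel.

Constructed example: addresses, interface names and the phase 2 selector
are made up; the route-lookup and selector-match logic is the general rule.
"""
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    prefix: str    # destination network in CIDR form
    iface: str     # egress interface chosen when this route wins
    gateway: str   # next hop, or "" for a directly connected network


# Constructed firewall: one WAN, one LAN, one phase 2 entry (local, remote).
INTERFACES = {"wan": "203.0.113.10", "lan": "192.168.1.1"}
PHASE2 = [("192.168.1.0/24", "10.0.0.0/24")]

# Routing table before the fix: LAN is connected, everything else via WAN.
DEFAULT_ROUTES = [
    Route("192.168.1.0/24", "lan", ""),
    Route("0.0.0.0/0", "wan", "203.0.113.1"),
]

# After the fix: the remote subnet is routed to a "bogus" gateway that sits
# inside the LAN subnet.  The gateway need not answer; its only job is to
# make LAN the egress interface so the packet is sourced from the LAN IP.
FIXED_ROUTES = DEFAULT_ROUTES + [Route("10.0.0.0/24", "lan", "192.168.1.254")]


def lookup(dst: str, routes: list[Route]) -> Route:
    """Longest-prefix match over the routing table."""
    d = ipaddress.ip_address(dst)
    best = None
    best_len = -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if d in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def source_for(dst: str, routes: list[Route], interfaces: dict[str, str]) -> str:
    """Source address the firewall uses for its own packets: the egress interface IP."""
    return interfaces[lookup(dst, routes).iface]


def matches_phase2(src: str, dst: str, phase2: list[tuple[str, str]]) -> bool:
    """True if (src, dst) falls inside any phase 2 (local, remote) selector."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote)
        for local, remote in phase2
    )


def firewall_can_reach(dst: str, routes: list[Route],
                       interfaces: dict[str, str] = INTERFACES,
                       phase2: list[tuple[str, str]] = PHASE2) -> tuple[str, bool]:
    """Return (chosen source address, whether the packet enters the tunnel)."""
    src = source_for(dst, routes, interfaces)
    return src, matches_phase2(src, dst, phase2)


if __name__ == "__main__":
    remote_host = "10.0.0.5"
    for label, table in (("before fix", DEFAULT_ROUTES), ("after fix", FIXED_ROUTES)):
        src, ok = firewall_can_reach(remote_host, table)
        print(f"{label}: firewall sources from {src}, enters tunnel: {ok}")
    # A LAN client always matches the selector, which is why clients worked all along.
    print("LAN client:", matches_phase2("192.168.1.50", remote_host, PHASE2))
```

Running the block prints the WAN address and False for the table without the extra route, and the LAN address and True once the route via a LAN-subnet gateway is present; the LAN client case is True in both tables, which mirrors the symptom in the thread. On a real pfSense box the same fact can be checked with its own routing tools before and after adding the static route, but the simulation is what this example demonstrates.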
            • P
              ProperCactus Rebel Alliance @nicolasfo
              last edited by

              @nicolasfo said in [RESOLVED] IPSec tunnel OK but routers can't ping each other:

              You can know everything about everything thanks to Google. But if you don't know what to search for, it is useless.

              Lol, yep, exactly. And Google eventually led me to your post, which also resolved my issue.

              1 Reply Last reply Reply Quote 0
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.