[RESOLVED] IPSec tunnel OK but routers can't ping each other



  • Hello there,
    I've established an IPSec tunnel between a pfSense appliance and a Stormshield appliance.

    Clients on both sides are able to ping each other on the other site and I'm able to access resources on the other site: OK.

    But the routers themselves can't ping each other. Generally, the routers themselves can't access resources on the other site. But "their" clients can…

    For example, if I try to ping a server on site 1 using a client on site 2, the ping will be OK.
    But if I try to ping the same server from the site 2 router, the ping will not pass...

    Can anyone help me?

    Thanks

    Nicolas



  • Can you access the server and not ping it?
    Or can't you access it at all?

    Can you share your firewall rules?



  • Hello, sorry for the delay

    From pfSense I can't ping the Stormshield, but from a client behind pfSense, I can ping the Stormshield.
    From the Stormshield, I can't ping pfSense, but a client behind the Stormshield can ping pfSense.

    Here are my pfSense firewall rules:

    WAN interface:

    The scrambled IP is the public IP of the remote site.

    LAN interface:

    IPSec interface:

    On the other side of the tunnel, I've allowed all traffic coming from and going to the pfSense local network.

    Obviously, all of these PassAll rules are for test purposes only.

    Another test I've made, using the "Test port" functionality under pfSense: pfSense is unable to "see" anything located on the remote site, such as the remote firewall (at least https) or services hosted by other servers (https, ssh, imap…).

    When I contact a service from a client located behind pfSense, I have logs on the Stormshield or pfSense, but when I contact a service from pfSense itself, no logs appear in the Stormshield or pfSense...

    Thanks for your help !

    Nicolas



  • You can know everything about everything thanks to Google. But if you don't know what to search, it is useless.

    The problem is resolved by adding a bogus route, by hand.

    Here's the explanation:

    https://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

    Thanks for help
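As an added illustration (not from the thread or the linked pfSense article), the model below shows the mechanism behind the fix: traffic the firewall originates takes its source address from the interface of the route that matches the destination, so with only a default route that is the WAN address, which is outside the phase 2 local network and therefore never matches the IPsec policy, while a static route for the remote network via the LAN interface makes the firewall source from its LAN address, which does match. All addresses and the route tables are constructed sample values; the static route's gateway is not modelled because the IPsec policy takes the packet before it is forwarded.

```python
import ipaddress

# Constructed sample addressing for the firewall's interfaces (not from the thread)
INTERFACES = {
    "wan": ipaddress.ip_interface("203.0.113.10/24"),
    "lan": ipaddress.ip_interface("192.168.1.1/24"),
}

# Constructed IPsec phase 2 policy: local LAN <-> remote LAN
P2_LOCAL = ipaddress.ip_network("192.168.1.0/24")
P2_REMOTE = ipaddress.ip_network("192.168.2.0/24")


def select_source(routes, dst):
    """Longest-prefix match over (prefix, interface) routes.

    Returns (interface, source address) the firewall would use for its own
    traffic to dst, or None when nothing matches.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        return None
    return best[1], INTERFACES[best[1]].ip


def spd_matches(src, dst):
    """True when the src/dst pair is selected by the phase 2 policy."""
    return (ipaddress.ip_address(src) in P2_LOCAL
            and ipaddress.ip_address(dst) in P2_REMOTE)


def firewall_ping_encrypted(routes, dst="192.168.2.20"):
    """Would a ping originated by the firewall itself enter the tunnel?"""
    sel = select_source(routes, dst)
    if sel is None:
        return False
    _iface, src = sel
    return spd_matches(src, dst)


def client_ping_encrypted(client="192.168.1.50", dst="192.168.2.20"):
    """A LAN client's ping already carries a LAN source, so it matches."""
    return spd_matches(client, dst)


DEFAULT_ONLY = [("0.0.0.0/0", "wan")]                        # before the fix
WITH_STATIC = [("0.0.0.0/0", "wan"), ("192.168.2.0/24", "lan")]  # bogus route
```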

