Netgate Discussion Forum

    Unable to access hosts

    IPsec
    6 Posts 3 Posters 3.0k Views
    csnf

      I have successfully created an IPSEC tunnel between main site and remote site.  The tunnel is active and all seems correct.
      Main Site
      10.1.1.x/24

      Remote Site
      192.168.0.x/24

      I cannot reach some hosts from Remote site to Main site.  I have PASS rules on both ends to allow any on the IPSEC Firewall Rules.  I am able to ping the gateway both ways.  Here is a log from Main Site showing attempts to RDP from Remote Site to a Main Site server.
        Feb 3 10:49:18 ENC0 192.168.0.51:1458 10.1.1.11:3389 TCP
        Feb 3 10:48:41 ENC0 192.168.0.51:1457 10.1.1.2:3389 TCP
        Feb 3 10:41:03 ENC0 192.168.0.51:1456 10.1.1.2:3389 TCP
      At remote site, I never get RDP to connect.   Any ideas here?

      I've added screenshots of my rules and remote NAT options.  Main site to remote site I can access all attempted IPs.  Any help is appreciated.

      Attachments: fwrules_office.JPG, fwrules_remote.JPG, ipsec_office.JPG, ipsec_remote.JPG, NAT_remote.JPG

    kapara

        Noticed your remote and IPSEC do not match.  Also you should not have to create rules as the IPSEC rule is what allows traffic to pass between both devices.

        Skype ID:  Marinhd

    csnf

      Thank you for responding!  I've adjusted the rules so they are exactly the same.  Also, I have not created any additional rules outside of the IPSEC tab for allowing traffic.

      In testing from the 'main' side, I am able to ping any IP at the 'remote' side.  When on the 'remote' side, I can ping some select IP addresses.  One is 10.1.1.8 and the other is 10.1.1.20.  All others are unreachable.  From the PF machine on the 'remote' side, I can use ping and reach all IPs, so I'd assume that the issue is on the 'remote' side firewall.

    csnf

      It appears the issue is with the default gateway of the machines at the 'main' site.  The pfSense machine at the main site is IP 10.1.1.8 and the machines which are not accessible have a gateway of 10.1.1.254, which is the second gateway that is still in use since I'm testing with the pfSense machine.

    kapara

      Also make sure your LAN IP's subnet can encompass all potential subnets which might need to be accessed.  I had to switch my LAN to a /16 from a /32 in order to be able to route traffic to other subnets.

              Ex.

              Lan gateway 172.20.30.1/16

              L3 switch acting as primary gateway for PC's 172.20.30.1

              Vlan 20 172.20.20.1
              Vlan 40 172.20.40.1

              I also had to make sure that I used the 172.20.0.0/16 in the IPSEC tunnel so that it knew where to send all the traffic.

              Skype ID:  Marinhd

    focalguy

                @csnf:

      It appears the issue is with the default gateway of the machines at the 'main' site.  The pfSense machine at the main site is IP 10.1.1.8 and the machines which are not accessible have a gateway of 10.1.1.254, which is the second gateway that is still in use since I'm testing with the pfSense machine.

                Can you put a static route in the existing gateway 10.1.1.254 pointing to your pfsense box for your other subnet?

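The failure mode this thread converges on is asymmetric return routing: the RDP SYN arrives on enc0 at 10.1.1.8 and is delivered to the host, but the host's reply goes to its default gateway 10.1.1.254, which has no route into the tunnel. The route-trace model below is an added example written for this page, not code from the thread or from pfSense. The addresses 10.1.1.8, 10.1.1.254, 10.1.1.11, 10.1.1.20 and 192.168.0.51 come from the posts; the per-node routing tables, the next-hop labels IPSEC and INTERNET, and the narrowed Phase 2 selector 10.1.1.0/28 used to illustrate kapara's point are assumptions. It traces the forward and reply paths, then shows how focalguy's static route on 10.1.1.254 changes the result, and why a Phase 2 selector narrower than the LAN drops replies at pfSense.

```python
"""Route-trace model of the asymmetric-routing problem discussed in this thread.

Constructed example: the routing tables below are assumptions that reproduce the
symptoms in the posts (hosts using 10.1.1.254 as gateway are unreachable over
the tunnel; hosts using 10.1.1.8 are reachable).
"""
import ipaddress

IPSEC = "IPSEC"        # next hop meaning: hand the packet to the IPsec tunnel
INTERNET = "INTERNET"  # next hop meaning: out the ISP link, not into the tunnel


def net(s):
    return ipaddress.ip_network(s)


def ip(s):
    return ipaddress.ip_address(s)


# Per-node routing tables: list of (prefix, next_hop). next_hop None = directly connected.
MAIN_SITE = {
    # pfSense: LAN is connected, remote subnet goes into the tunnel, everything else to the ISP
    "10.1.1.8":   [(net("10.1.1.0/24"), None), (net("192.168.0.0/24"), IPSEC), (net("0.0.0.0/0"), INTERNET)],
    # old gateway: knows nothing about 192.168.0.0/24 (assumed)
    "10.1.1.254": [(net("10.1.1.0/24"), None), (net("0.0.0.0/0"), INTERNET)],
    # unreachable host: default gateway is the old router
    "10.1.1.11":  [(net("10.1.1.0/24"), None), (net("0.0.0.0/0"), "10.1.1.254")],
    # reachable host: default gateway is pfSense
    "10.1.1.20":  [(net("10.1.1.0/24"), None), (net("0.0.0.0/0"), "10.1.1.8")],
}

# Phase 2 selectors of the tunnel as the thread describes them: (local network, remote network).
P2_FULL = (net("10.1.1.0/24"), net("192.168.0.0/24"))


def lookup(routes, dst):
    """Longest-prefix match over one node's table; returns (prefix, next_hop) or None."""
    best = None
    for prefix, nh in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best


def trace(tables, start, src, dst, p2=P2_FULL, max_hops=8):
    """Follow a packet src->dst starting at node `start`. Returns (path, verdict)."""
    src, dst = ip(src), ip(dst)
    node, path = start, [start]
    for _ in range(max_hops):
        match = lookup(tables[node], dst)
        if match is None:
            return path, f"dropped at {node}: no route to {dst}"
        prefix, nh = match
        if nh is None:
            return path, f"delivered: {dst} is directly connected to {node}"
        if nh == IPSEC:
            local, remote = p2
            if src in local and dst in remote:
                return path, "delivered via IPsec tunnel"
            # strongSwan/pfSense only encrypts traffic that matches a Phase 2 policy
            return path, f"dropped at {node}: {src}->{dst} matches no Phase 2 selector"
        if nh == INTERNET:
            return path, f"dropped at {node}: {dst} only matches the default route ({prefix}) to the Internet"
        node = nh
        path.append(node)
    return path, "dropped: hop limit exceeded (routing loop?)"


def with_static_route(tables, node, prefix, next_hop):
    """Copy of the tables with one static route added on `node` (focalguy's suggestion)."""
    fixed = {name: list(routes) for name, routes in tables.items()}
    fixed[node].append((net(prefix), next_hop))
    return fixed


if __name__ == "__main__":
    # Forward direction: the RDP SYN leaves the tunnel at pfSense and is delivered (what the enc0 log shows).
    print(trace(MAIN_SITE, "10.1.1.8", "192.168.0.51", "10.1.1.11"))
    # Reply from a host whose default gateway is 10.1.1.254: never reaches the tunnel.
    print(trace(MAIN_SITE, "10.1.1.11", "10.1.1.11", "192.168.0.51"))
    # Reply from a host whose default gateway is pfSense: works, matching the reachable hosts.
    print(trace(MAIN_SITE, "10.1.1.20", "10.1.1.20", "192.168.0.51"))
    # Fix: static route for the remote subnet on the old gateway, pointing at pfSense.
    FIXED = with_static_route(MAIN_SITE, "10.1.1.254", "192.168.0.0/24", "10.1.1.8")
    print(trace(FIXED, "10.1.1.11", "10.1.1.11", "192.168.0.51"))
    # kapara's point: a Phase 2 local selector narrower than the LAN drops replies at pfSense.
    print(trace(MAIN_SITE, "10.1.1.20", "10.1.1.20", "192.168.0.51",
                p2=(net("10.1.1.0/28"), net("192.168.0.0/24"))))
```

Two caveats when applying the static-route fix on a real network: 10.1.1.254 will then see only one direction of each tunnel flow (host to .254 to pfSense on the way out, pfSense straight to the host on the way back), so if that device is a stateful firewall rather than a plain router it may drop the flow, and if it sends ICMP redirects the hosts will start sending 192.168.0.0/24 traffic to 10.1.1.8 directly. The cleaner end state is to make pfSense the hosts' default gateway, or at least give them a specific route for 192.168.0.0/24 via 10.1.1.8, so both directions of every tunnel flow pass through the same firewall.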
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.