Netgate Discussion Forum
    IPSEC Tunnel works only when IP is static

IPsec
6 Posts 3 Posters 557 Views
erosalesMBGE

      Hi all,

There is a pfSense firewall configured in my company (old version 2.2.5-RELEASE) in AWS. The LAN of the firewall is a /24 network. However, in the tunnel we modified the local subnet to be a /23. When the tunnel comes up and we run a traffic test, it only works when the destination host has a static IP; it does not work even when the IP is in the subnet range but not static.

      Can anybody help on this, please?

bepo

Please specify what "not static" means. Do you mean in the case of DHCP? Is the gateway from the DHCP server correct?

Please use the thumbs up button if you received helpful advice. Thank you!

jimp (Rebel Alliance Developer, Netgate)

          1. Upgrade to a current supported release, 2.2.5 has been outdated for nearly three years.

          2. IPsec has no way to know what is static vs dynamic. It only knows what does or does not match its Phase 2 definitions.

          You'll need to provide more information about the design of the network and what you're trying to do in order to make any kind of accurate guess about what is happening.

For example, if LAN is a /24 and IPsec is set to /23, where is the other segment of that network? Can you give any examples of the addresses and how they are configured?

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

erosalesMBGE

            Hi,

The network in our AWS is a /16, but the subnets are divided into /24s. In Phase 2 I modified the local network to be a /23 to reach two subnets in AWS. I have one server in each subnet, let's say .40.0/24 and .41.0/24.
AWS assigns the IP to servers via DHCP, but if I set the IP to static in the operating system the tunnel can reach it, only in the 40.0/24; if it is not set to static it does not reach it. The 41.0/24 subnet is not reached at any time, static or DHCP.

jimp (Rebel Alliance Developer, Netgate)

              That sounds more like it might be an issue with your AWS networking and nothing to do with pfSense. Are you certain dynamically assigned hosts, or hosts in that other /24 segment, are sending traffic to pfSense?

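Added example, not from the thread and not pfSense's own code: it models the two separate checks jimp's replies point at. The first is the Phase 2 selector match ("IPsec ... only knows what does or does not match its Phase 2 definitions"), in which how a host got its address (static or DHCP) is simply not an input. The second is whether the host's subnet forwards remote-destined packets to pfSense at all ("are hosts in that other /24 segment sending traffic to pfSense?"), modelled here as a longest-prefix route lookup like a VPC route table. The thread gives only the last octets (.40.0/24, .41.0/24) and a /16 VPC, so 10.0.0.0/16, the remote network 192.168.100.0/24, the route targets and the route tables are all constructed assumptions.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed values (assumptions, not from the thread): the VPC is 10.0.0.0/16,
# the Phase 2 local selector is the /23 covering .40.0/24 and .41.0/24, and the
# remote side of the tunnel is 192.168.100.0/24.
P2_LOCAL = ipaddress.ip_network("10.0.40.0/23")
P2_REMOTE = ipaddress.ip_network("192.168.100.0/24")
PFSENSE_TARGET = "eni-pfsense"  # hypothetical route-table target for the pfSense instance


def aligned(prefix: str) -> bool:
    """A /23 only exists on a two-subnet boundary: 10.0.40.0/23 is valid,
    10.0.41.0/23 has host bits set and is rejected by a strict parse."""
    try:
        ipaddress.ip_network(prefix)
        return True
    except ValueError:
        return False


def covers(aggregate: ipaddress.IPv4Network, subnets: Iterable[str]) -> Dict[str, bool]:
    """Which LAN-side /24s the Phase 2 local selector actually contains."""
    return {s: ipaddress.ip_network(s).subnet_of(aggregate) for s in subnets}


def selector_match(src: str, dst: str) -> bool:
    """What the IPsec policy engine evaluates for an outbound packet: src inside the
    local selector and dst inside the remote selector. Whether src was assigned
    statically or by DHCP never enters this decision."""
    return (ipaddress.ip_address(src) in P2_LOCAL
            and ipaddress.ip_address(dst) in P2_REMOTE)


def next_hop(route_table: Dict[str, str], dst: str) -> Optional[str]:
    """Longest-prefix-match lookup over {prefix: target}, like a VPC route table."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, target in route_table.items():
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def diagnose(src: str, dst: str, route_table: Dict[str, str]) -> Dict[str, object]:
    """Separate the two questions: would the packet match Phase 2, and does the
    host's subnet even hand the packet to pfSense so the policy can apply."""
    hop = next_hop(route_table, dst)
    match = selector_match(src, dst)
    return {
        "selector_match": match,
        "next_hop": hop,
        "reaches_pfsense": hop == PFSENSE_TARGET,
        "expect_tunnel": match and hop == PFSENSE_TARGET,
    }


# Constructed route tables. Subnet A sends the remote prefix to pfSense; subnet B
# only has the VPC local route plus a default to a hypothetical internet gateway,
# so its remote-bound traffic never reaches pfSense, selector match or not.
RT_SUBNET_A = {"10.0.0.0/16": "local", "192.168.100.0/24": PFSENSE_TARGET}
RT_SUBNET_B = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-hypothetical"}

if __name__ == "__main__":
    print(aligned("10.0.40.0/23"), aligned("10.0.41.0/23"))
    print(covers(P2_LOCAL, ["10.0.40.0/24", "10.0.41.0/24", "10.0.42.0/24"]))
    for host, rt in [("10.0.40.10", RT_SUBNET_A), ("10.0.41.10", RT_SUBNET_B)]:
        print(host, diagnose(host, "192.168.100.5", rt))
```

The point of `diagnose` is that a host in 10.0.41.0/24 matches the /23 selector exactly as well as one in 10.0.40.0/24; if it still never shows up on the firewall, the thing to inspect is the path from that subnet to pfSense (the route table and the host's own default gateway), not the IPsec Phase 2 entry.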
erosalesMBGE

The tunnel only works when the IP on the server is set manually, but only in the 40.0/24 segment; dynamically it doesn't work. The 41.0/24 segment does not send traffic to pfSense at all, even when the /23 is set up in Phase 2. Due to policies and prod environments working in other tunnels I can update the version.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.