Access the IPSec server address from a remote IPSec server



  • I have an IPSec link running between 2 pfSense servers. The phase 2 connects 192.168.121.0/24 (far side) and 192.168.0.0/24 (near side). So I can access for instance 192.168.121.111 from 192.168.0.22.

    However: I cannot access 192.168.121.1 (the LAN address on the far server) from 192.168.0.1 (the LAN address on the near server). Is that by design or why would I get this condition?


  • Netgate

    How are you testing that? How is it failing?



  • I'm pinging the other end...

    from 192.168.0.1:
    ping 192.168.121.1
    PING 192.168.121.1 (192.168.121.1): 56 data bytes
    ^C
    --- 192.168.121.1 ping statistics ---
    6 packets transmitted, 0 packets received, 100.0% packet loss
    

    However: from 192.168.0.22 (which is a client on the LAN network)

    root@secure:~# ping 192.168.121.1
    PING 192.168.121.1 (192.168.121.1) 56(84) bytes of data.
    64 bytes from 192.168.121.1: icmp_seq=1 ttl=63 time=19.0 ms
    64 bytes from 192.168.121.1: icmp_seq=2 ttl=63 time=19.0 ms
    64 bytes from 192.168.121.1: icmp_seq=3 ttl=63 time=19.0 ms
    ^C
    --- 192.168.121.1 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2025ms
    

    Once I can ping an address I want to access other services on that remote LAN.


  • Netgate

    You have to source your pings from something interesting to IPsec.

    Try:

    ping -S 192.168.0.1 192.168.121.1

    and

    ping -S 192.168.121.1 192.168.0.1

    That way the traffic will match the IPsec traffic selector and go over the tunnel. So anything you run on the firewall will have to be told to bind to an address interesting to IPsec for it to work from the firewall itself.



  • Can't post any more; I get a red message in the bottom right corner saying Akismet thinks my post is spam! ???

    I'm logged in and all!!



  • @derelict said in Access the IPSec server address from a remote IPSec server:

    ping -S 192.168.0.1 192.168.121.1

    Thanks! That works!

    So how do I tell other services to also use a different source address? I would for example like to do a DNS lookup from the near DNS service on the firewall to the remote one, to check that there are no override records that have been set (I use the DNS forwarder on the remote server to set LAN addresses for services located on the remote LAN).

    If I set 192.168.121.1 as the first DNS server on the near firewall, I get this when I look up from the pfSense GUI:

    Timings
    Name server      Query time
    127.0.0.1        0 msec
    192.168.121.1    No response
    9.9.9.9          48 msec
    8.8.8.8          1 msec
    

  • Netgate

    Well, in my opinion the easiest way to do that is to run DNS off the firewall so the queries are organically sourced from something interesting to the tunnel.

    In the Resolver (unbound) you can set one outgoing interface for queries it needs to resolve. That could be the LAN. All queries going to the outside will then have to go through NAT but that is generally not an issue.

    In the Forwarder (dnsmasq) you can set the source address on a per-domain-override basis.

    Again, if it is important, I'd run a couple of BIND instances on the inside.
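As an added illustration of the "interesting to IPsec" point made in the replies above about sourcing pings and DNS queries (example code written for this page, not from the thread, Netgate or pfSense): a small Python model of the outbound traffic-selector match. It assumes the phase 2 selectors from the thread, a constructed WAN address (203.0.113.10) for the near firewall, and a simplified source-selection rule in which traffic the firewall generates without an explicit bind takes the default-route (WAN) address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2:
    """One IPsec phase 2 entry: the local and remote traffic selectors."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


# Selectors taken from the thread: near side 192.168.0.0/24, far side 192.168.121.0/24.
TUNNEL = Phase2(ipaddress.ip_network("192.168.0.0/24"),
                ipaddress.ip_network("192.168.121.0/24"))

# Near-side firewall addresses. The LAN address is from the thread; the WAN
# address is a constructed placeholder from the documentation range.
NEAR_LAN = ipaddress.ip_address("192.168.0.1")
NEAR_WAN = ipaddress.ip_address("203.0.113.10")
FAR_LAN = ipaddress.ip_address("192.168.121.1")


def is_interesting(p2: Phase2, src, dst) -> bool:
    """Outbound policy match: a packet is 'interesting' to IPsec only when both
    its source and its destination fall inside the phase 2 selectors."""
    return ipaddress.ip_address(src) in p2.local and ipaddress.ip_address(dst) in p2.remote


def pick_source(dst, bind=None):
    """Simplified model (assumption) of how the near firewall picks a source for
    locally generated traffic: an explicit bind (ping -S, dig -b, unbound's
    outgoing interface) wins; otherwise the address of the interface the route
    lookup returns, which for a policy-based tunnel is the default route, i.e. WAN."""
    if bind is not None:
        return ipaddress.ip_address(bind)
    if ipaddress.ip_address(dst) in TUNNEL.local:
        return NEAR_LAN
    return NEAR_WAN


def firewall_traffic_uses_tunnel(dst, bind=None) -> bool:
    """Would a packet the near firewall itself generates to dst enter the tunnel?"""
    return is_interesting(TUNNEL, pick_source(dst, bind), dst)


def lan_client_traffic_uses_tunnel(client, dst) -> bool:
    """Same check for a host on the near LAN (e.g. 192.168.0.22), which needs no bind."""
    return is_interesting(TUNNEL, client, dst)


if __name__ == "__main__":
    print("ping 192.168.121.1 from the firewall :", firewall_traffic_uses_tunnel(FAR_LAN))
    print("ping -S 192.168.0.1 192.168.121.1     :", firewall_traffic_uses_tunnel(FAR_LAN, "192.168.0.1"))
    print("ping from LAN client 192.168.0.22     :", lan_client_traffic_uses_tunnel("192.168.0.22", FAR_LAN))
```

The same check applies to a DNS query: a lookup the firewall sends to 192.168.121.1 only enters the tunnel when the resolver binds to 192.168.0.1, which is why the GUI lookup above got no response.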