Access the IPSec server address from a remote IPSec server

  • I have an IPSec link running between 2 pfSense servers. The phase 2 connects (far side) and (near side). So I can access for instance from

    However: I cannot access (the LAN address on the far server) from (the LAN address on the near server). Is that by design or why would I get this condition?

    How are you testing that? How is it failing?

  • I'm pinging the other end...

    PING ( 56 data bytes
    --- ping statistics ---
    6 packets transmitted, 0 packets received, 100.0% packet loss

    However: from (which is a client on the LAN network)

    root@secure:~# ping
    PING ( 56(84) bytes of data.
    64 bytes from icmp_seq=1 ttl=63 time=19.0 ms
    64 bytes from icmp_seq=2 ttl=63 time=19.0 ms
    64 bytes from icmp_seq=3 ttl=63 time=19.0 ms
    --- ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2025ms

    Once I can ping an address I want to access other services on that remote LAN.

    You have to source your pings from something interesting to IPsec.


    ping -S


    ping -S

    That way the traffic will match the IPsec traffic selector and go over the tunnel. So anything you run on the firewall will have to be told to bind to an address interesting to IPsec for it to work from the firewall itself.

  • @derelict said in Access the IPSec server address from a remote IPSec server:

    ping -S

    thanks! That works!

    So how do I tell other services to also use a different source address? I would for example like to do a DNS lookup from the near DNS service on the firewall to the remote one, to check that there are no override records that have been set (I use the DNS forwarder on the remote server to set LAN addresses for services located on the remote LAN).

If I set as the first DNS server on the near firewall, I get this when I look up from the pfSense GUI:

    Name server     Query time
                    0 msec
                    No response
                    48 msec
                    1 msec

    Well, in my opinion the easiest way to do that is to run DNS off the firewall so the queries are organically sourced from something interesting to the tunnel.

    In the Resolver (unbound) you can set one outgoing interface for queries it needs to resolve. That could be the LAN. All queries going to the outside will then have to go through NAT but that is generally not an issue.

    In the Forwarder (dnsmasq) you can set the source address on a per-domain-override basis.

    Again, if it is important, I'd run a couple of bind instances on the inside.
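The two answers above come down to one rule: traffic leaving the firewall itself only enters the tunnel if its source address falls inside the phase 2 local traffic selector, which is why `ping -S` with a LAN address works and a query sourced from the WAN address does not. The script below is an added example, not code from the thread or from pfSense; it checks a candidate source address against the local selector the same way the selector match does (prefix comparison), and builds the `ping -S` and `dig -b` commands with the first firewall address that qualifies. All addresses (near LAN 192.168.1.0/24 with firewall 192.168.1.1, WAN 203.0.113.10, far LAN gateway 192.168.2.1, the name `host.far.lan`) are constructed placeholders, and the `dig` branch assumes `dig` is installed on the box.

```shell
#!/bin/sh
# Added example (not from the thread): choose a source address that lies
# inside the IPsec phase 2 local traffic selector, then build the ping/dig
# command with that source so the packets match the tunnel's selector.
# All addresses here are constructed placeholders, not the poster's.

# ip2int 192.168.1.1 -> 3232235777 (dotted quad to 32-bit integer)
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip> <net/bits>: exit 0 if <ip> lies inside the prefix
in_cidr() {
    local net bits mask
    net=${2%/*}
    bits=${2#*/}
    mask=$(( 4294967295 ^ ((1 << (32 - bits)) - 1) ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# pick_source <local selector> <addr>...: first address inside the selector
pick_source() {
    local sel a
    sel=$1; shift
    for a in "$@"; do
        if in_cidr "$a" "$sel"; then
            echo "$a"
            return 0
        fi
    done
    return 1
}

# tunnel_cmd ping|dig <local selector> <remote host> "<fw addrs>" [name]
# Prints the command to run. Fails when no firewall address is inside the
# selector: then nothing the firewall sends is "interesting" to IPsec.
tunnel_cmd() {
    local tool sel remote src
    tool=$1; sel=$2; remote=$3
    src=$(pick_source "$sel" $4) || {
        echo "no local address inside selector $sel" >&2
        return 1
    }
    case $tool in
        ping) echo "ping -c 3 -S $src $remote" ;;
        dig)  echo "dig -b $src @$remote ${5:-.} A" ;;   # assumes dig is installed
        *)    echo "unknown tool: $tool" >&2; return 1 ;;
    esac
}

# Constructed demo: near LAN 192.168.1.0/24 is the phase 2 local selector,
# 192.168.2.1 is the far firewall's LAN address, and the near firewall
# holds WAN 203.0.113.10 and LAN 192.168.1.1.
FW_ADDRS="203.0.113.10 192.168.1.1"
tunnel_cmd ping 192.168.1.0/24 192.168.2.1 "$FW_ADDRS"
tunnel_cmd dig  192.168.1.0/24 192.168.2.1 "$FW_ADDRS" host.far.lan
```

The demo only prints the commands; wrap a call in `eval "$(tunnel_cmd ping ...)"` to execute it. The WAN address is deliberately listed first to show that the selector check, not list order, decides the source. For the resolver case the equivalent of `-b` is unbound's `outgoing-interface: 192.168.1.1` (what the pfSense Resolver outgoing-interface setting writes) and, for dnsmasq, a per-domain `server=/far.lan/192.168.2.1@192.168.1.1` override; both directives are standard for those tools but the addresses are the same placeholders as above.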

