Netgate Discussion Forum

    IPSec VTI pfSense 2.4.4 to pfsense 2.4.4

bobkoure:

      I have tunnels up, but no data is being passed
      I used
      local network: [network] 172.16.85.1/30
      remote network [address] 172.16.85.2

I used the same on both sides. Is that correct, or should I make one address .1 and the other .2?

      Both have interfaces (interfaces/assignments/add)
      Both have static routes, each using the assigned interface gateway.

As I mentioned, Status/IPsec on both pfSense boxes indicates that the tunnels are 'established', but when I try to ping from one side to the other, I get no response.

I have an IPsec firewall rule that passes all IPv4 protocols.
      The doc mentions that firewall rule processing can be confusing.
      Do I need to create another IPsec firewall rule?

      Is there a step-by-step how-to on setting up VTI IPsec connections between a pair of pfSense boxes?

      Thanks!

Rico (Netgate Rebel Alliance):

        https://www.youtube.com/watch?v=AKMZ9rNQx7Y

        -Rico

maykel535:

I have a similar problem. The VTI tunnel is established OK and it works. From the IPsec VTI interface, I can ping the remote host. But the problem is that from my LAN interface, I cannot ping the remote host via the IPsec VTI.

I added rules to permit traffic from LAN to the remote host over the IPsec VTI with the VTI gateway, and outbound NAT from LAN to the remote host on the IPsec VTI interface, and still cannot ping or telnet from my LAN. What is missing? I followed the documentation step by step and it is not working...

maykel535 (replying to maykel535):

Attached screenshots.

[Seven screenshots attached: 2019-07-10-170416_674x498_scrot.png, 2019-07-10-170351_698x554_scrot.png, 2019-07-10-170722_1155x189_scrot.png, 2019-07-10-170657_1150x681_scrot.png, 2019-07-10-170627_1153x266_scrot.png, 2019-07-10-170611_1178x506_scrot.png, 2019-07-10-170547_1193x839_scrot.png]

Can you help me please? I don't understand...

Derelict (Netgate):

              Does the other side have a route back to 10.1.100.100?

              You show an outbound NAT entry for 192.168.0.0/16 but that will not cover 10.1.100.100.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

maykel535:

                Hi, thanks for your response.

                Where do I have to put the route back to 10.1.100.100 on the fw2?

Derelict (Netgate):

                  Just like you did for the route to 10.94.37.95/32 except on the other side of the tunnel and for 10.1.100.100.


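The two replies from Derelict above come down to one check: fw1 forwards the packet into the VTI, but fw2 has nothing telling it to send the reply for 10.1.100.100 back into the VTI, and the outbound NAT rule for 192.168.0.0/16 does not rewrite that source either. The following is an added example, not code from the thread or from pfSense, that models exactly that forward/return path check. The route tables and NAT rules are constructed from the values quoted in the thread (10.1.100.100, 10.94.37.95/32, 192.168.0.0/16, the 172.16.85.0/30 VTI), the "vti"/"wan" interface labels are hypothetical, and the list-of-tuples layout is this example's own, not pfSense's config.xml format.

```python
"""Forward/return path check for the VTI scenario in the thread.

Added example, not code from the thread or from pfSense. It models a ping
from 10.1.100.100 behind fw1 to 10.94.37.95 behind fw2 over a VTI numbered
172.16.85.1/30 (fw1) and 172.16.85.2 (fw2). Route tables and outbound NAT
rules are constructed from values in the thread; interface labels are
hypothetical and the data layout is this example's own.
"""
import ipaddress

VTI_IF = "vti"   # hypothetical label for the assigned IPsec VTI interface
WAN_IF = "wan"   # hypothetical label for the WAN interface


def net(cidr):
    return ipaddress.IPv4Network(cidr, strict=False)


def addr(s):
    return ipaddress.IPv4Address(s)


VTI_NET = net("172.16.85.0/30")

# fw1 (constructed): default route out WAN, connected VTI /30, and the static
# /32 to the remote host via the VTI, as the poster configured it.
FW1_ROUTES = [(net("0.0.0.0/0"), WAN_IF), (VTI_NET, VTI_IF), (net("10.94.37.95/32"), VTI_IF)]

# fw1 outbound NAT on the VTI (constructed): only 192.168.0.0/16 is translated,
# so 10.1.100.100 leaves the tunnel with its real source address.
FW1_NAT = [(VTI_IF, net("192.168.0.0/16"), addr("172.16.85.1"))]

# fw2 (constructed): default route out WAN and the connected VTI /30, but no
# route back to 10.1.100.100.
FW2_ROUTES = [(net("0.0.0.0/0"), WAN_IF), (VTI_NET, VTI_IF)]


def lookup(routes, dst):
    """Longest-prefix match over (network, interface) tuples; returns the interface or None."""
    best = None
    for prefix, iface in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return None if best is None else best[1]


def nat_source(nat_rules, src, out_if):
    """First outbound NAT rule (interface, source net, translate-to) that matches; None if no rule."""
    for iface, src_net, translate_to in nat_rules:
        if iface == out_if and src in src_net:
            return translate_to
    return None


def check_path(src, dst, local_routes, local_nat, remote_routes):
    """Return a list of problems for src -> dst; an empty list means both directions use the VTI."""
    src, dst = addr(src), addr(dst)
    findings = []
    if lookup(local_routes, dst) != VTI_IF:
        findings.append(f"fw1 has no route to {dst} via the VTI")
        return findings
    # What fw2 sees as the source: the NAT address if an outbound rule matched,
    # otherwise the real address (which is the case in the thread).
    translated = nat_source(local_nat, src, VTI_IF)
    seen_src = src if translated is None else translated
    if lookup(remote_routes, seen_src) != VTI_IF:
        findings.append(f"fw2 has no return route for {seen_src} via the VTI")
    return findings


def fw2_routes_with_return_route():
    """Derelict's fix: a /32 back to 10.1.100.100 on fw2, pointing into the VTI."""
    return FW2_ROUTES + [(net("10.1.100.100/32"), VTI_IF)]


def fw1_nat_covering_source():
    """The alternative: widen outbound NAT so 10.1.100.100 leaves as the VTI address (hypothetical /24)."""
    return FW1_NAT + [(VTI_IF, net("10.1.100.0/24"), addr("172.16.85.1"))]


if __name__ == "__main__":
    cases = [
        ("as posted", FW1_NAT, FW2_ROUTES),
        ("with return route on fw2", FW1_NAT, fw2_routes_with_return_route()),
        ("with NAT covering the source", fw1_nat_covering_source(), FW2_ROUTES),
    ]
    for label, nat, remote in cases:
        result = check_path("10.1.100.100", "10.94.37.95", FW1_ROUTES, nat, remote)
        print(f"{label}: {result or 'OK'}")
```

The model only answers the routing question Derelict raised; it does not model firewall rule processing, which the first post notes is a separate thing to get right on the interface the packet arrives on. Of the two fixes, the static route on fw2 is the one the thread recommends, and it keeps the real source address visible to the far side; the widened NAT makes the return path work only because fw2 already has the connected 172.16.85.0/30 route.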
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.