IPsec VPN established, but no traffic between computers

  • Hi there,

    I am pretty new to VPN, but I have managed to setup pfSense onto two Watchguard Firebox X series. One is at my office and the other is at the datacenter. I managed to setup a VPN connection between the two pfSense devices and everything looks good, as I am getting the green "UP" arrow. I also have added a rule to each pfSense under Firewall > Rules > IPsec, allowing all traffic (any port/any source/any destination). So I have spent two days trying to figure out what is wrong.

    I read several articles in these forums, and I read in a thread someone who was asking the guy who had a similar problem with mine if he was trying pinging from a computer or from the pfSense itself. That triggered my mind and I tried pinging from within pfSense. So I opened a console with PuTTY and I could ping from both sides not only the other pfSense's IP, but also IPs of servers that were on the other network (the remote one).

    So I am thinking now that maybe this is about route issues. Why can I ping from the pfSense IPs on the other network, but not from a computer?

    Any idea how this could be solved?

    I also may need to explain the configuration a little.

    At the datacenter there is a MikroTik Cloud Core Router and there is a peering network with 2 public IPs. One IP (xxx.xxx.xxx.81) is configured on a specific port of MikroTik and the other IP (xxx.xxx.xxx.82) is configured on the WatchGuard's (pfSense) WAN interface. Of course the specific port of MikroTik is connected directly to the WAN interface of pfSense and there is a forwarding rule on MikroTik (under Firewall of course) which forwards the traffic from the source IP address (the public IP of my Office) to the pfSense WAN's IP.

    At the office, there is a Fritz!BOX which has forwarding rules under Firewall (port forwarding), which forward the ESP, the GRE, the UDP 500 and the UDP 4500 ports to the local static IP assigned to office's WatchGuard (pfSense) WAN interface.

    I hope the above information will be enough for the experts to understand my setup and give me some help in order to solve this issue.

    Thanks a lot in advance for your time and your support!

  • @apitsos Try this. Disable the public firewall section on the PC's/Server then you will be able to ping clients on both networks. Its seeing the traffic as public traffic across the VPN.

  • @kent Thanks for your answer. Unfortunately that didn't work. I disabled the firewall for the public section on my computer, but I still couldn't ping a remote IP. Not even the IP of the remote pfSense.

  • In case it helps, I tried to traceroute an IP. I am getting this result:

    Tracing route to over a maximum of 30 hops
      1    <1 ms    <1 ms    <1 ms
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.
      6     *        *        *     Request timed out.
      7     *        *        *     Request timed out.
      8     *        *        *     Request timed out.
      9     *        *        *     Request timed out.
     10     *        *        *     Request timed out.
     11     *        *        *     Request timed out.
     12     *        *        *     Request timed out.
     13     *        *        *     Request timed out.
     14     *        *        *     Request timed out.
     15     *        *        *     Request timed out.
     16     *        *        *     Request timed out.
     17     *        *        *     Request timed out.
     18     *        *        *     Request timed out.
     19     *        *        *     Request timed out.
     20     *        *        *     Request timed out.
     21     *        *        *     Request timed out.
     22     *        *        *     Request timed out.
     23     *        *        *     Request timed out.
     24     *        *        *     Request timed out.
     25     *        *        *     Request timed out.
     26     *        *        *     Request timed out.
     27     *        *        *     Request timed out.
     28     *        *        *     Request timed out.
     29     *        *        *     Request timed out.
     30     *        *        *     Request timed out.
    Trace complete.

    That makes me understand that it is a routing issue. Right?

    But I don't know how to fix the routing. I am getting IP from a Windows Server (DHCP). Is there something I should add in the scope? Maybe the pfSense as router or something? Because the Gateway is NOT the pfSense. It's a Zyxel which I have also behind the Fritz!BOX.

  • @apitsos Can you RDP into the other machine? Can you ping the LAN interface IP's from both sides?
    I had a similar issue where i could RDP into the remote machine but not ping it.
    I would just turn off all the firewalls to start with and see what happens.
    I'm also new to this and unfortunately can't help much more.
    Watch this guys video it may help you. [https://www.youtube.com/watch?v=AlZhuuMh4oY&t=287s](link url)

  • @KenT Unfortunately RDP also doesn't work.

    I believe it's a routing issue and not firewalling.

    The video is good. I have watched that already. Doesn't help, as I have established the VPN. I will see it again, anyway. Maybe I am missing something here.

  • Hi, your machines uses s.o windows ? in that case turn off the firewall each and check pin to the other machine