Clients in OPT1 network not reachable through tunnel



  • Hi

    I have two pfSense boxes which are connected through an IPsec VPN.

    (192.168.30.0/24-LAN----Site-A)---------------(IPSec VPN)---------------(Site-B----OPT1-10.10.10.0/24)

    On site-A everything works fine. This means if I send a ping from site-B to site-A, I can reach every client which is in the LAN of site-A through the IPsec tunnel.

    But the clients which are on site-B in the OPT1 network cannot be reached by ping from any LAN client on site-A. However, the OPT1 interface IP can be reached by ping from the LAN at site-A.

    Could it be a routing problem, so that site-B does not know on which interface to send out packets for the OPT1 network?
    Firewall is open (any-any-any) on all involved interfaces.

    Strangely, when I configured the VPN with OpenVPN instead of IPsec (which I did first), I had exactly the same problem.

    How can I analyze this problem?

    Regards and thanks,
    Markus



  • @om606
    Hey
    First of all, I would check the rules on the LAN interface of Site A.
    Are there any floating rules on PF Site A?
    I would check it like this:
    You start a ping 192.168.30.0/24 --> 10.10.10.0/24 (not the OPT1 IP of Site B).
    1. Site A (Diagnostics / Packet Capture):
       Interface: WAN
       Address Family: IPv4
       Protocol: ESP
       Host: IP address of the second side of the tunnel

    Show me what happens at this moment.

    Ideally, you should see the IP packet exchange with the other side of the tunnel.
    For example (screenshot of a packet capture, not reproduced here).

    Now I am interested in whether IP packets leave towards Site B.
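    As an added example (not from anyone in this thread), a small Python helper that summarizes the ESP lines of a WAN packet capture like the one suggested above and answers the question whether encrypted packets leave towards Site B and whether anything comes back. The capture lines and the two WAN addresses are constructed for the example; the column layout follows tcpdump's ESP output as pfSense's Packet Capture page displays it.

    ```python
    import re

    # Constructed tcpdump-style lines as pfSense's Diagnostics > Packet Capture
    # (interface WAN, protocol ESP) would show them. The WAN addresses are
    # documentation ranges chosen for this example, not real tunnel endpoints.
    SAMPLE_CAPTURE = """\
    12:00:01.000001 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc001d00d,seq=0x1), length 132
    12:00:01.000450 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0xd00dc001,seq=0x1), length 132
    12:00:02.000001 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc001d00d,seq=0x2), length 132
    12:00:03.000001 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc001d00d,seq=0x3), length 132
    """

    ESP_LINE = re.compile(
        r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),\s*seq="
    )

    def summarize_esp(capture, local_wan, peer_wan):
        """Count ESP packets in each direction between the two tunnel endpoints
        and collect the SPIs seen, so they can be matched against Status > IPsec."""
        summary = {"out": 0, "back": 0, "out_spis": set(), "back_spis": set()}
        for line in capture.splitlines():
            m = ESP_LINE.search(line)
            if not m:
                continue  # ignore non-ESP noise such as IKE or ARP lines
            if (m["src"], m["dst"]) == (local_wan, peer_wan):
                summary["out"] += 1
                summary["out_spis"].add(m["spi"])
            elif (m["src"], m["dst"]) == (peer_wan, local_wan):
                summary["back"] += 1
                summary["back_spis"].add(m["spi"])
        return summary

    def diagnose(summary):
        """Map the counts onto the question asked in the thread."""
        if summary["out"] == 0:
            # Pings never reach the tunnel: look at Site A routing, phase 2
            # selectors or LAN/floating rules before looking at Site B.
            return "no ESP leaves Site A"
        if summary["back"] == 0:
            return "ESP leaves Site A, nothing returns"
        if summary["back"] < summary["out"]:
            # Tunnel works, some inner hosts do not answer: look at the far side
            # (host firewall, default gateway of the OPT1 clients).
            return "ESP leaves Site A, only some replies return"
        return "ESP flows in both directions"

    if __name__ == "__main__":
        s = summarize_esp(SAMPLE_CAPTURE, "203.0.113.10", "198.51.100.20")
        print(s, "->", diagnose(s))
    ```

    Paste the real capture output into SAMPLE_CAPTURE and use your own WAN and peer addresses; the SPI sets let you confirm the traffic belongs to the expected phase 2 SA.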


  • LAYER 8 Netgate

    If you can ping the far-side pfSense interface address but not the hosts behind it, it is almost always a firewall on the target host itself (think Windows Firewall).

    That, or their default gateway is not the pfSense firewall. Since traffic works the other way, that pretty much rules that out.

