Tunnel is ok but not ping



  • Hi,
    I made a vpn "site to site" with ipsec, on the one hand I have pfsense on the other a Netgate appliance.
    The tunnel is established correctly and from the network behind pfsense I can ping and access the PC while from the remote network (Lan behind the netgate) you can not ping and you can not access in rdp protocol to the server behind pfsense.
    the firewall rule I created on pfsense, about ipsec interface is:
    protocol: ipv4*
    source: any
    port: any
    destination: any

    Do I have to create some other firewall rule?
    Thanks.



  • @sasa1
    Hey
    VTI or IPSEC ?
    What is the IP address of the remote computer that needs access ?
    What's the address of the RDP server ?
    Show phase 2 settings for both sides of the tunnel



  • Hi,
    IPSec protocol.
    The IP Address is:
    192.168.2.2
    the phase2 configuration (side pfsense) in attach.
    On the remote side I haven't the ipsec configuration.
    Thanks.
    0_1551300139570_phase2.PNG



  • @sasa1
    Ok
    and the second ip address what ?
    What are the rules on the LAN interface behind the netgate ?



  • the second IP, behind Netgate, is:
    192.168.0.1
    and from rdp server (behind pfsense) the ping to:
    192.168.0.1
    is ok.
    Side Netgate I haven't configuration file.
    Thanks.



  • Hi,
    I'm sorry but I have provided incorrect information, on the other side there is a Fortigate.
    When I try to ping from fortigate to pfsense the traffic I see on pfsense is:
    15:18:07.524843 (authentic,confidential): SPI 0xcad9099b: IP 192.168.0.1 > 192.168.2.2: ICMP echo request, id 6656, seq 0, length 64
    15:18:08.524267 (authentic,confidential): SPI 0xcad9099b: IP 192.168.0.1 > 192.168.2.2: ICMP echo request, id 6656, seq 256, length 64
    15:18:09.524405 (authentic,confidential): SPI 0xcad9099b: IP 192.168.0.1 > 192.168.2.2: ICMP echo request, id 6656, seq 512, length 64
    15:18:10.524713 (authentic,confidential): SPI 0xcad9099b: IP 192.168.0.1 > 192.168.2.2: ICMP echo request, id 6656, seq 768, length 64
    15:18:11.524393 (authentic,confidential): SPI 0xcad9099b: IP 192.168.0.1 > 192.168.2.2: ICMP echo request, id 6656, seq 1024, length 64

    Thanks.



  • @sasa1
    Hey
    That means the tunnel is working.
    I would check now the traffic on the PFSENSE LAN interface
    Leave the packet in the direction of 192.168.2.2 and comes the answer ?



  • Hi,
    the problem was solved by modifying, in phase 2, the protocol and Auth Methods as the one configured on pfsense were not compatible with those used on the fortigate.
    Thanks.


Log in to reply