Problem with IPSec routing
Hello, I have a problem with routing in IPSec.
I can ping 10.10.10.10 (IPSEC remote host) from pfsense, but can't ping 10.10.10.10 from LAN.
Internet from LAN (192.168.0.2) is working.
Thanks for help.
djair last edited by
Try adding a rule so that when the source is the LAN and the destination is the IPSEC network, the traffic goes through the IPSEC gateway.
Eduard_Spera last edited by Eduard_Spera
ok, let's start again with a new system and new addresses
SiteA - 192.168.100.1 and network 192.168.100.0/24 (PfSense)
SiteB - 10.250.50.1 and network 10.250.50.0/24 (PaloAlto)
VPN tunnel works correctly. I can ping from gateway siteA to siteB and from siteB to gateway in SiteA.
I can't ping from my computer behind gateway siteA to siteB.
I have no idea what is wrong, please help.
What does the Firewall log say?
And do you have any rule on IPSec to allow incoming traffic from the other site's network?
My firewall settings for WAN, LAN and IPSec:
and logs from firewall:
Ok, I think that looks fine, I guess it's a local firewall software that is blocking then, try to temporarily disable it and see if it works then.
@no_jah what local firewall you are talking about?
For instance Windows firewall.
@no_jah but why does Windows reply to ping from gateway SiteA?
These are the states with ping from gateway siteA and from a host behind the gateway:
(green is ok, red is bad)
I see you got a static route?
Normally you don't need a static route for a site to site IPSec, it's handled in the IPSec phase 2, what does your IPSec tunnel setup look like?
Yes, I have a static route; without this entry I can't ping from the gateway.
First off I think you should use the WAN interface at phase 1 instead of your current LAN, and then you could probably skip the static route too.
I changed to WAN, established the tunnel and nothing changed; without the static route I can't ping from the gateway or from the host either.
Strange, I use basically the same settings for a couple of my IPSec tunnels, but I use dynamic DNS names instead of IP addresses, that shouldn't make any difference.
This is how a tunnel between my main pfSense and my virtual test pfSense looks like:
Hmm, I think the problem is with Palo Alto.
I established different tunnel, with my second pfsense, and all works properly.
I will continue working tomorrow
@no_jah thank you very much
You're welcome, and btw. to be able to ping from pfSense interface to the PA router without static route you need to select LAN "Source address" at Diagnostics / Ping.
yes, it works ;)
and ping with the -S flag works too without a static route
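The two points no_jah makes above (phase 2 replaces a static route, and a ping from the firewall itself only enters the tunnel when its source address is inside the LAN selector) can be checked with a small policy-lookup emulation. This is an added example, not code from the thread or from pfSense/strongSwan: it reuses the site A and site B addresses from the thread, treats the phase 2 selectors as 192.168.100.0/24 and 10.250.50.0/24 (an assumption, the thread only shows the gateway addresses), and uses 203.0.113.5 as a constructed WAN address for site A.

```shell
#!/bin/sh
# Added example: emulate an IPsec phase 2 (traffic selector) lookup so that
# the "ping works with -S LAN address but not from the WAN address" behaviour
# from the thread can be reproduced offline. All addresses below are either
# taken from the thread or constructed for this example.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Return 0 when address $1 lies inside CIDR network $2 (e.g. 10.250.50.0/24).
in_cidr() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    if [ "$bits" -eq 0 ]; then return 0; fi
    # Build the netmask with 64-bit shell arithmetic, then clamp to 32 bits.
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# One phase 2 entry: a packet is sent into the tunnel only when its source
# matches the local selector AND its destination matches the remote selector.
# Prints a verdict; returns 0 (tunnelled) or 1 (falls through to the routing
# table, i.e. leaves via the default route in the clear).
p2_match() {
    src=$1; dst=$2; local_sel=$3; remote_sel=$4
    if in_cidr "$src" "$local_sel" && in_cidr "$dst" "$remote_sel"; then
        echo "$src -> $dst: matches P2 $local_sel <-> $remote_sel, enters tunnel"
        return 0
    fi
    echo "$src -> $dst: no P2 selector matches, follows the routing table"
    return 1
}

# Walk through the thread's cases against the assumed selectors.
demo() {
    local_sel=192.168.100.0/24   # site A LAN (assumed P2 local selector)
    remote_sel=10.250.50.0/24    # site B LAN (assumed P2 remote selector)
    # Host behind the site A gateway: source is inside the LAN selector.
    p2_match 192.168.100.50 10.250.50.1 $local_sel $remote_sel
    # Diagnostics/Ping with "Source address" = LAN, or ping -S 192.168.100.1.
    p2_match 192.168.100.1 10.250.50.1 $local_sel $remote_sel
    # Ping from the gateway with its WAN address as source (constructed
    # 203.0.113.5): outside the selector, so no tunnel without a static route.
    p2_match 203.0.113.5 10.250.50.1 $local_sel $remote_sel || true
}

demo
```

If the LAN-sourced case matches but a real host still gets no reply, the selector is not the problem and the remaining suspects are the ones named in the thread: the IPsec-tab firewall rule on pfSense, the Palo Alto side's proxy-ID/policy, or a host firewall.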