Problem with IPSec routing
-
For instance, the Windows firewall.
-
@no_jah But why does Windows reply to a ping from gateway SiteA?
These are the states for pings from gateway SiteA and from a host behind the gateway:
(green is ok, red is bad)
-
I see you got a static route?
Normally you don't need a static route for a site-to-site IPSec; it's handled in IPSec phase 2. How does your IPSec tunnel setup look?
-
Yes, I have a static route; without this entry I can't ping from the gateway.
PHASE 1
PHASE 2
-
First off, I think you should use the WAN interface at phase 1 instead of your current LAN, and then you could probably skip the static route too.
-
I changed to WAN, established the tunnel and nothing changed; without the static route I can't ping from the gateway or from the host either.
-
Strange, I use basically the same settings for a couple of my IPSec tunnels, but I use dynamic DNS names instead of IP addresses; that shouldn't make any difference.
This is how a tunnel between my main pfSense and my virtual test pfSense looks:
Phase 1
Phase 2
-
Hmm, I think the problem is with the Palo Alto.
I established a different tunnel with my second pfSense, and everything works properly.
I will continue working tomorrow.
@no_jah Thank you very much
-
You're welcome, and btw. to be able to ping from a pfSense interface to the PA router without a static route you need to select LAN as "Source address" at Diagnostics / Ping.
-
Yes, it works ;)
And ping with the -S flag works too without the static route.
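Why the source address decides whether a gateway-originated ping enters the tunnel, as an added illustration that is not part of the thread: policy-based IPsec checks the Phase 2 traffic selectors before the routing table, so a ping sourced from the WAN address (the default for a locally generated packet) matches no selector and leaves in the clear, while `-S <LAN address>` lands inside the selector. All addresses below are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed example addresses (hypothetical, not from the thread).
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
LAN_ADDRESS = ipaddress.ip_address("192.168.10.1")
WAN_ADDRESS = ipaddress.ip_address("203.0.113.5")
REMOTE_NET = ipaddress.ip_network("192.168.20.0/24")

# Phase 2 traffic selectors as (local network, remote network) pairs.
PHASE2_SELECTORS = [(LAN_NET, REMOTE_NET)]

# Local routing table as (destination, source address of the egress interface).
# Only a default route exists, so a locally generated packet towards the remote
# site is sourced from the WAN address unless a source is given explicitly.
ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), WAN_ADDRESS)]


def select_source(dst, routes=ROUTES):
    """Source address a locally generated packet gets: the address of the
    interface owning the longest-prefix route to dst."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def matches_phase2(src, dst, selectors=PHASE2_SELECTORS):
    """True if src->dst lies inside a Phase 2 selector. The IPsec policy
    database is consulted before the routing table, so a packet outside every
    selector is sent unencrypted along the normal route."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in local and dst in remote for local, remote in selectors)


def ping_path(dst, source=None):
    """Report whether a ping from the gateway would enter the tunnel.
    `source` mirrors `ping -S <addr>` or the Diagnostics / Ping source address."""
    src = ipaddress.ip_address(source) if source else select_source(dst)
    return {"source": str(src),
            "via": "ipsec" if matches_phase2(src, dst) else "plain-route"}


if __name__ == "__main__":
    print(ping_path("192.168.20.10"))                   # sourced from WAN: plain-route
    print(ping_path("192.168.20.10", "192.168.10.1"))   # sourced from LAN: ipsec
```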