Problem with IPSec routing
-
Hello, I have problem with routing in IPSec.
I can ping 10.10.10.10 (IPSEC remote host) from pfsense, but can't ping 10.10.10.10 from LAN.
Internet from LAN (192.168.0.2) is working. Thanks for help.
-
@Eduard_Spera
Try adding a rule so that when the source is the LAN and the destination is the IPSEC network, the traffic goes through the IPSEC gateway.
-
Ok, let's start again with a new system and new addresses.
SiteA - 192.168.100.1 and network 192.168.100.0/24 (PfSense)
SiteB - 10.250.50.1 and network 10.250.50.0/24 (PaloAlto)
VPN tunnel works correctly. I can ping from gateway siteA to siteB and from siteB to gateway in SiteA.
I can't ping from my computer behind gateway siteA to siteB.
My settings:
Static Routes:
NAT:
States:
I have no idea what is wrong, please help.
-
What does the Firewall log say?
And do you have any rule on IPSec to allow incoming traffic from the other site's network?
-
My firewall settings for WAN, LAN and IPSec:
and logs from firewall:
-
Ok, I think that looks fine. I guess it's local firewall software that is blocking then; try to temporarily disable it and see if it works.
-
@no_jah what local firewall are you talking about?
-
For instance Windows firewall.
-
@no_jah but why does this Windows reply to a ping from gateway SiteA?
These are the states with a ping from gateway siteA and from a host behind the gateway:
(green is ok, red is bad)
-
I see you got a static route?
Normally you don't need a static route for a site-to-site IPSec; it's handled in the IPSec phase 2. What does your IPSec tunnel setup look like?
-
Yes, I have a static route; without this entry I can't ping from the gateway.
PHASE 1
PHASE 2
-
First off, I think you should use the WAN interface at phase 1 instead of your current LAN, and then you could probably skip the static route too.
-
I changed to WAN, the tunnel established and nothing changed; without the static route I can't ping from the gateway or from the host either.
-
Strange, I use basically the same settings for a couple of my IPSec tunnels, but I use dynamic DNS names instead of IP addresses; that shouldn't make any difference.
This is how a tunnel between my main pfSense and my virtual test pfSense looks like:
Phase 1
Phase 2
-
Hmm, I think that it's a problem with the Palo Alto.
I established a different tunnel, with my second pfSense, and everything works properly.
I will continue working tomorrow.
@no_jah thank you very much
-
You're welcome, and btw. to be able to ping from the pfSense interface to the PA router without a static route you need to select LAN as "Source address" at Diagnostics / Ping.
-
Yes, it works ;)
And ping with the -S flag works too without a static route.