IPSec S2S up but no outbound Traffic



  • The VPN tunnel is successfully connected; Phase 1 and Phase 2 are up. I can see SADs & SPDs (in Phase 2 we have allowed only single IP addresses from both sides, not the entire subnets).
    Inside Advanced Settings, NAT Reflection mode for port forwards is set to Pure NAT, and "Enable automatic outbound NAT for Reflection" is enabled.

    In Firewall --> Rules --> IPsec tab: IPv4, Source:Port ANY, Dest:Port LAN net:ANY.

    NAT --> Outbound is set to: Automatic outbound NAT rule generation (IPsec passthrough included).

    The remote side is trying to ping my local IP. He's not getting any response, while in Status --> IPsec --> Child SA I see the in-bytes & packets-in counters increasing but no increase in out-bytes & packets-out.

    In the log --> Firewall I can see the remote host's ping request being passed to my localhost machine (but he isn't getting any reply, only timeouts).

    When I try to ping the remote host: no reply, and no out-byte increments.

    What have I missed?

    Update:
    When in Advanced --> Firewall & NAT I enable the checkmark "Disable all packet filtering", then I can ping the remote host, but the remote host still cannot ping my localhost.

    Update 2:
    When I connect to my pfSense IPsec from an external WAN connection using the same rules/parameters via the ShrewSoft VPN Client for Windows, it works perfectly fine; we can ping each other & access other required services such as web.

    But it's not working with the IPsec of the Palo Alto firewall.

    Update 3:
    The issue is resolved. It was a configuration issue between the pfSense & Palo Alto IPsec Phase 2 tunnel.

    Remote WAN IP : x.x.x.x
    Remote Local IP: 173.30.144.90 (this IP was given to me by Palo Alto operator)

    MY WAN IP: x.x.x.x
    My Local IP: 173.16.0.25

    I configured it as mentioned; both P1 & P2 come up. When the remote end tried to ping my end, he couldn't. When I captured the IPsec interface traffic, the ICMP packets were coming from 173.130.144.90 instead of 173.30.144.90.
    I modified my Phase 2 & added 173.130.144.90. The tunnel is up, and the remote end can ping my local IP.
    I still cannot ping the remote IP, but it's okay; I only wanted one-way traffic.
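The root cause in Update 3 is a Phase 2 traffic-selector mismatch: packets arriving through the tunnel from an address no selector covers are dropped by the SPD, so the child SA counts inbound bytes but nothing ever goes back out. The check below is an added example, not code from the thread or from pfSense; it takes a list of Phase 2 local/remote selectors (constructed to mirror the thread's /32 hosts) and a constructed list of captured packets, and reports which packets fall outside every selector in the given direction, i.e. the ones a practitioner should compare against the peer's actual addresses before touching NAT or reflection settings.

```python
from ipaddress import ip_address, ip_network

# Constructed Phase 2 selectors, mirroring the thread: single hosts (/32) on both sides.
PHASE2 = [
    {"local": "173.16.0.25/32", "remote": "173.30.144.90/32"},
]

# Constructed sample of (src, dst) pairs as a capture on the IPsec interface might show them.
# The first line is what the poster actually observed; the second is what the selector expects.
CAPTURED_INBOUND = [
    ("173.130.144.90", "173.16.0.25"),
    ("173.30.144.90", "173.16.0.25"),
]


def matching_selector(src, dst, selectors, direction="in"):
    """Return the first Phase 2 entry whose selectors cover this packet, else None.

    Inbound: source must lie in the remote selector and destination in the local one.
    Outbound: the reverse. Anything that matches nothing has no SP and is dropped.
    """
    s, d = ip_address(src), ip_address(dst)
    for sel in selectors:
        local, remote = ip_network(sel["local"]), ip_network(sel["remote"])
        if direction == "in" and s in remote and d in local:
            return sel
        if direction == "out" and s in local and d in remote:
            return sel
    return None


def unmatched_packets(packets, selectors, direction="in"):
    """List the (src, dst) pairs that no Phase 2 selector covers."""
    return [(src, dst) for src, dst in packets
            if matching_selector(src, dst, selectors, direction) is None]


def selectors_for(packets, local_selector):
    """Derive the /32 remote selectors that would cover the unmatched inbound sources.

    Each entry keeps the existing local selector and uses the observed source as remote,
    which is exactly the fix applied in Update 3 (adding 173.130.144.90 to Phase 2).
    """
    return [{"local": local_selector, "remote": f"{src}/32"} for src, _ in packets]


if __name__ == "__main__":
    dropped = unmatched_packets(CAPTURED_INBOUND, PHASE2)
    for src, dst in dropped:
        print(f"no Phase 2 selector covers {src} -> {dst}; reply traffic will never leave")
    print("candidate selectors to add:", selectors_for(dropped, PHASE2[0]["local"]))
```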



  • @enthu19
    Hello

    1. Show the Phase 2 settings and the rules on the LAN and IPsec interfaces.
    2. There is no need to configure NAT Outbound for the IPsec tunnel (/Firewall/NAT/Outbound).
    3. There is no need to configure NAT Reflection for the IPsec tunnel.
