Routing Traffic Between 2 PFsense and Remote Site IPSEC



  • Hello

    I have 2 pfSense that can talk together via Static routing. Everything work fine.
    But now I need to setup a remote site with a IPSEC VPN on pfSense1 and the remote site need to access some network on the pfSense2.

    The traffic is not passing from VPN to pfSense2 at this time, And I cannot find how I can fix that...



  • Maybe missing or wrong firewall rules on the virtual tunnel interface.
    Do you have a full established IPSec tunnel ?
    General Setup can be seen here:
    https://administrator.de/wissen/ipsec-vpn-praxis-standort-kopplung-cisco-ipcop-pfsense-fritzbox-297320.html
    Perhaps Google translator is your friend here.. ?!



  • @lfoerster

    IPSEC Tunnel is UP, can ping any IP on PFSENSE1
    PFSENSE1 can ping any IP on PFSENSE2 via Static Routing,
    But IPSEC cannot ping any IP on PFSENSE2...

    Rule are all OPEN on all interface (for testing purpose)



  • @fgunno said in Routing Traffic Between 2 PFsense and Remote Site IPSEC:

    PFSENSE1 can ping any IP on PFSENSE2 via Static Routing,

    Static routing is NOT necessary, cause tahts autmatically established in the IPsec phase 2 negotiation. Btw. you can proof that too in checking the pfSense routing table on both ends !
    Anyway...ich you can ping bith ends here on pFSense 1 and 2 then everything is fine ! You have your site 2 site VPN successfully established then !
    The question "But IPSEC cannot ping any IP on PFSENSE2..." is not understandable... The inner IPsec network is not relevant for the site to site connectivity in any ways ?!
    So what do you mean here ??



  • Pfsense 1 ans Pfsense2 are on same site.

    The IPsec VPN are on a remote site and connected via Static routing to Pfsense1.

    So the problem is that the remote site cannot ping to the pfsense2 on main site....



  • Did you follow there steps:
    IPsec site2site
    Usually its a no brainer. Click and it should work. With a simple single LAN on local and remote site NO addintional static routes are necessary ! Thats all handled automaticall by IPsec !

    If your tunnel is up an running then the only obstacle maybe a wrong or missing firewall rule here !
    You have to check 4 (four) interfaces here
    Rule on local LAN and local IPsec interface
    Rule on remote LAN and remote IPsec interface
    If in doubt use a simple "shotgun" rule with Source: any Destination: any on all interfaces to not create any trap here.



  • what did you see when you traceroute to IP DEST from some server connected to IPSEC VPN on PFSENSE1?



  • I had a similar issue. My advice is to make sure that the routes defined on PFSENSE2 include a route to your IPSEC subnet with PFSENSE1 as the gateway for that route.

    Ultimately, for me, what was happening is that PF1 correctly routed the traffic from the external VPN through to PF2, but PF2 didn't have a route back to the IPSEC subnet, so it didn't know where to send the response.

    See topic "Routing OpenVPN Clients to Tinc VPN" in this forum for more details.


Log in to reply