How to let PFsense IPsec "Route Vti" interface response to PING?

bluegrass-168

Hi all,

I just have a Fortigate and building VPN between it.

The VPN is already up and operating well between two sites Lan subnets.

And I have a tunnel interface ip address on Fortigate as 169.254.0.1/32 while the remote tunnel interface is configured as 169.254.0.2/32 with static route also.

In the Pfsense side, I do the same reversed and confirm I am using 169.254.0.2 as source ip and able to ping the Fortigate side 169.254.0.1.

However, I can ping the 169.254.0.2 from Fortigate side.

I do confirm Fortigate is using 169.254.0.1 as src ip already from Debug level logging.

Please, someone advises how can I allow ping to the PFsense Vti interface.

jimp

You are using link-local APIPA addresses on that interface which are blocked by default. There is an option to allow the traffic, but it is hidden on current releases. We have added a GUI option on 2.5.0 and 2.4.5 to control it.

You can set it in the config using Diag > Command, in the PHP Execute box:

$config['system']['no_apipa_block'] = true;
write_config("Do not block APIPA");
send_event("filter reload");

bluegrass-168

@jimp

This works, thanks!