PFsense box can't ping WAN IP of IPSEC remote gateway
I'm trying to configure a pfSense box remotely. There is a WAN rule allowing our head office IP address to access the GUI remotely, and that works fine, until I start setting up IPsec.

I created a phase 1 tunnel with the remote gateway as our head office's WAN IP. Nothing else so far. No phase 2 settings, and the head office end hasn't been set up at all yet. As soon as I apply that, the pfSense box can no longer talk to head office.

From the pfSense box, I can see packets coming in from head office for ICMP and the web UI and the firewall rules allowing them, but nothing ever goes out. From a host on the LAN side I can ping head office's WAN IP, but from the pfSense box itself I can't. The pfSense box can't talk to the head office WAN IP at all. The tunnel tries to connect but can't, which I expected... but that shouldn't block all communication to that remote gateway IP, should it?

I have read through this page: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html, but that only seems to talk about accessing the LAN addresses at each end.

If I temporarily change the remote gateway address in the IPsec tunnel, everything works. Or instead, if I select "Responder Only", everything works. But why does the pfSense box lose its ability to talk to the WAN address of head office? That traffic shouldn't be going over the IPsec tunnel anyways?

I expect once the tunnel is fully configured at both ends it will work properly... but I'm having a hard time wrapping my head around why it breaks at all with the tunnel not connected, and it's making remote setup a bit more difficult.
