IPSEC VPN terminating on pfSense - LAN transit network to internal LAN


  • Hi,

    I have having a brain blowup on a test VPN of a new pfSense 2.4.5 HA install.

    IPSEC VPN between 2 offices using pfSense 2.4.*. Tunnel is established phase 1 and phase 2.

    The local side is a pfSense 2.4.5 HA cluster established to eventually replace the existing gateway - cisco ASA 5520. The local pfSense has its own transit LAN 10 net into the internal network which terminates into a Cisco 3750 with a routed port back to the pfSense box. IP routing is enabled on the 3750 and a static route has been added to the main internal LAN router as well as the Cisco ASA for the Cisco 3750 acting as the gateway for the pfSense cluster.

    I can ping from the remote side of the tunnel to the INTERNAL host on the local side, I can see the traffic enter the IPSEC interface and the LAN interface IN, and the LAN interface OUT, but I never receive a response back from the internal host.

    All internal LAN networks have a static route created on the local pfSense side and point to the 3750 gateway address (.1).

    Should I add an ACL on the 3750 or a static route to the internal host I am trying to communicate with? I have the IPSEC rules opened up and manual outbound NAT is configured as per the netgate docs.

    Thanks for any input.