Cloud pfsense IPSec tunnel is up and only responder gateway is pingable and 1 way
-
Hello,
I am newbie to IPSec, I have the following setup:
initiator: home pfsense gateway 10.71.2.0/24
responder: pfsense hosted at Digital Ocean droplet, 10.120.0.0/20The tunnel is established and up (please see image attached).
Observation:-
I can ping from a windows 10 client behind 10.71.2.0 to the remote pfsense's LAN address, i.e. 10.120.0.2, but ping from 10.120.0.2 to home windows 10 client is not working
-
I can't ping any host behind the 10.120.0.0. I confirmed that they are ping-able between each other, i.e., 10.120.0.2 <-> 10.120.0.3.
-
system logs do not seem to indicate any mismatch error (attached)
-
firewall rules is pretty open, any/any on both ipsec. also checked/confirmed no other firewall rules at play with the digital ocean virtual private cloud.
Any hints to point to where I should look at is very much appreciated!
-
-
Debug 1:
Due to the cloud default VPC setup, the default route of the backend hosts are not set to the pfsense gateway. I am able to ping any hosts behind the gateway after setting the correct default route, and vice versa. However, any other services doesn't seem to work correctly. For example, ssh took more than a minute to see the prompt for checking the remote host key, and another minute to prompt for the password. It is definitely not normal to wait for minutes for the ssh password prompt, although ping responded normally. It even connected, but as if it is in slow motion, even worst than an old PBX 128k baud modem rate!
I am checking at the firewall rules closely for any other hints, but if firewall is blocking, I shouldn't be able to connect at all? Or is this still routing issue, e.g. the packet is routed all incorrectly?