Netgate Discussion Forum
    Cloud pfsense IPSec tunnel is up and only responder gateway is pingable and 1 way

Category: IPsec
2 Posts, 1 Poster, 319 Views

ian2u wrote:

      Hello,

I am a newbie to IPSec. I have the following setup:

initiator: home pfSense gateway, 10.71.2.0/24
responder: pfSense hosted on a Digital Ocean droplet, 10.120.0.0/20

The tunnel is established and up (please see the attached image).
[image: IPSec Status.png]
Observations:

• I can ping from a Windows 10 client behind 10.71.2.0/24 to the remote pfSense's LAN address, i.e. 10.120.0.2, but ping from 10.120.0.2 to the home Windows 10 client is not working.

• I can't ping any host behind 10.120.0.0/20. I confirmed that those hosts can ping each other, e.g. 10.120.0.2 <-> 10.120.0.3.

• The system logs do not seem to indicate any mismatch error (attached).
  [image: IPSec Logs.png]

• The firewall rules are pretty open: any/any on both IPsec interfaces. I also checked and confirmed that no other firewall rules are at play in the Digital Ocean virtual private cloud.

Any hints on where I should look are very much appreciated!

ian2u wrote (reply):

Debug 1:

Due to the cloud's default VPC setup, the default route of the backend hosts is not set to the pfSense gateway. After setting the correct default route, I am able to ping any host behind the gateway, and vice versa. However, other services don't seem to work correctly. For example, ssh took more than a minute to show the prompt for checking the remote host key, and another minute to prompt for the password. It is definitely not normal to wait minutes for the ssh password prompt, although ping responded normally. It even connected, but as if in slow motion, even worse than an old PBX 128k baud modem rate!

I am checking the firewall rules closely for any other hints, but if the firewall were blocking, shouldn't I be unable to connect at all? Or is this still a routing issue, e.g. the packets are being routed incorrectly?

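The one-way ping in the first post and the "Debug 1" finding in the reply both come down to the return path on the cloud side: a backend host such as 10.120.0.3 answers a packet from 10.71.2.x by consulting its own routing table, and if the best match is the VPC default route rather than a route via the pfSense LAN address 10.120.0.2, the reply never reaches the tunnel. The following is an added example, not code from the original thread or from pfSense, that parses `ip route show` output from a backend host and does the same longest-prefix lookup the kernel does, so you can check the return path for the remote phase-2 subnet without guessing. The route text, the VPC gateway address 10.120.0.1 and the interface name eth1 are constructed for the example; only the subnets and 10.120.0.2 come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `ip route show` on a backend droplet (10.120.0.3) in the
# 10.120.0.0/20 VPC. The VPC gateway 10.120.0.1 and the interface name are assumed.
BACKEND_ROUTES_BEFORE = """\
default via 10.120.0.1 dev eth1
10.120.0.0/20 dev eth1 proto kernel scope link src 10.120.0.3
"""

# Same host after adding a static route for the remote phase-2 subnet that points
# at the pfSense LAN address (narrower than changing the default route).
BACKEND_ROUTES_AFTER = BACKEND_ROUTES_BEFORE + "10.71.2.0/24 via 10.120.0.2 dev eth1\n"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str]   # next-hop address, or None for an on-link route
    dev: str


def parse_ip_route(text: str) -> list[Route]:
    """Parse the subset of `ip route show` output needed for a next-hop lookup."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        cidr = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        prefix = ipaddress.ip_network(cidr, strict=False)
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else "?"
        routes.append(Route(prefix, via, dev))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the same selection rule the kernel applies."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def check_return_path(routes: list[Route], remote_net: str, pfsense_lan: str):
    """Return (ok, message): will this host send replies for remote_net to pfSense?
    A single probe address inside remote_net is enough because the lookup is per-prefix."""
    probe = next(ipaddress.ip_network(remote_net).hosts())
    r = lookup(routes, str(probe))
    if r is None:
        return False, f"no route to {remote_net}"
    if r.via == pfsense_lan:
        return True, f"{remote_net} -> via {r.via} dev {r.dev} (matched {r.prefix})"
    return False, (f"{remote_net} -> via {r.via or 'on-link'} dev {r.dev} (matched {r.prefix}); "
                   f"replies bypass pfSense; fix: ip route add {remote_net} via {pfsense_lan}")


if __name__ == "__main__":
    for label, text in (("before", BACKEND_ROUTES_BEFORE), ("after", BACKEND_ROUTES_AFTER)):
        ok, msg = check_return_path(parse_ip_route(text), "10.71.2.0/24", "10.120.0.2")
        print(f"{label}: {'OK' if ok else 'BROKEN'}: {msg}")
```

Run this against the real `ip route show` output of every host you expect to reach through the tunnel; the "before" case reproduces the symptom in the first post (pfSense itself is pingable because it is on-link, hosts behind it are not). The same lookup applies in the other direction on the home side if any host there does not use the home pfSense as its gateway.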
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.