Traffic not routing over Site to Site Tunnel with NAT



  • I don't do a lot of work with pfsense but I have a client who asked me to set up a site-to-site VPN for them. I've actually successfully set up other S2S VPNs on this same box to other companies but it's been a long time and I seem to be missing/forgetting something. I worked with the other company (the other side of the tunnel) to get the tunnel settings correct and the tunnel is up but I can't get traffic to route across the tunnel. 0 packets are going out when trying to ping.

    The setup is one where all of our devices 172.22.5.x/24 just need access to one of theirs 172.22.20.4/32. The 22s match so we are trying to use NAT on the tunnel (addresses of 192.168.10.X). I entered that on the Phase2 settings and set up a 1:1 rule. When I look at the Firewall/Rules/IPSEC I have a rule that will allow traffic from Source - 172.22.5.0/24 to Destination 172.22.20.4. (I also temporarily did any/any/any with the same result). When I tracert from a device on the 172.22.5.x network, it hits our core switch, then the pfsense box and dies. I think my tunnel settings are OK but pfsense is just not routing. In my routes I created two static routes: 172.22.20.x to go out the WAN interface that the tunnel is set up on, and one for the public IP address of the other side of the tunnel the same. I don't have an IPSEC interface like most posts I've seen. Glad to post pics or whatever but this one is frustrating me. I did 6 other Site-to-Site VPNs on this box a year or two ago and they are all fine - something is just off on this one.



  • My guess is that you set up a policy-based ipsec and not a route-based VTI ipsec. VTI=virtual tunnel interface, hence the interface shows up for those users.

    As for NAT, I recently read that it is now entered in the phase 2 page. The 3rd option down should be where you enter NAT.

    If you have further issues, post the p1/p2, static routes, and related firewall rules.
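    A quick check of the addressing plan in the question, as an added example (it is not code from the thread or from pfSense): given the poster's local 172.22.5.0/24, remote 172.22.20.4/32 and 1:1 NAT network 192.168.10.0/24, it computes the Phase 2 selectors each side must enter, the mirrored selectors the peer needs, and how a host address is rewritten by 1:1 NAT. The networks are the only inputs; everything else is standard `ipaddress` arithmetic.

```python
"""Sanity-check a policy-based IPsec Phase 2 that uses 1:1 NAT (BINAT).

Added example, not code from the thread or from the pfSense project. The
addresses are the ones given in the original post: local 172.22.5.0/24,
remote 172.22.20.4/32, NAT network 192.168.10.0/24.
"""
import ipaddress


def binat_translate(addr, local_net, nat_net):
    """Map one host through 1:1 NAT: keep the host bits, swap the network bits."""
    addr = ipaddress.ip_address(addr)
    local_net = ipaddress.ip_network(local_net)
    nat_net = ipaddress.ip_network(nat_net)
    if local_net.prefixlen != nat_net.prefixlen:
        raise ValueError("1:1 NAT needs two networks of the same size")
    if addr not in local_net:
        raise ValueError(f"{addr} is not inside {local_net}")
    host_bits = int(addr) - int(local_net.network_address)
    return str(ipaddress.ip_address(int(nat_net.network_address) + host_bits))


def check_plan(local_net, remote_net, nat_net=None):
    """Return the Phase 2 selectors for both sides and whether they collide.

    With BINAT the peer must list the NAT network, never the real local
    network, as its remote: the real addresses do not appear in Phase 2.
    """
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    seen_by_peer = ipaddress.ip_network(nat_net) if nat_net else local
    return {
        "overlap_without_nat": local.overlaps(remote),
        "overlap_with_nat": seen_by_peer.overlaps(remote),
        "our_phase2": (str(seen_by_peer), str(remote)),   # (local, remote) here
        "peer_phase2": (str(remote), str(seen_by_peer)),  # mirrored on the peer
    }


if __name__ == "__main__":
    plan = check_plan("172.22.5.0/24", "172.22.20.4/32", "192.168.10.0/24")
    for key, value in plan.items():
        print(f"{key}: {value}")
    print("172.22.5.37 leaves the tunnel as",
          binat_translate("172.22.5.37", "172.22.5.0/24", "192.168.10.0/24"))
```

    Note that with the addresses exactly as posted, 172.22.5.0/24 and 172.22.20.4/32 do not overlap, so the check reports no collision; 1:1 NAT is only required where the peer's address space actually collides with the local one, and the peer must then mirror 192.168.10.0/24, not 172.22.5.0/24, as its remote selector.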
