Netgate Discussion Forum
    IPsec tunnel setup, cannot ping all subnets

    davige101

      Hello all. I have spent two days on this, and researched everything, and I am at a loss. I just hope this will be easy.

      I have Site A and Site B. Need to tunnel between them.

      Both sites use identical pfSense routers, v 2.4.5 release-p1.

      Site A: LAN is 10.0.0.0/28 (pfSense is 10.0.0.2). (NOTE: this is on an OPT port, if that matters. The main LAN is 192.168.211.x/24, but I am not tunneling on this subnet.)

      Site B: LAN is 192.168.1.0/24

      I have successfully set up the IPsec tunnel, matched the Phase 2s, etc., added firewall 'any' permits on the IPsec rules, I did everything that the publications here say, and also followed a few videos online, and the connection is established.

      My problem is, when I ping from Site B to Site A (using the pfSense Diagnostics > Ping), it does NOT get a reply from the Site A router, BUT it does ping the router from a command prompt. (???) There are at least 6 other 10.0.0.x endpoints, but it barely sees the remote router.

      If I do the same ping from Site A to Site B, nothing.

      It seems to me it's a routing/NAT issue, but I have tried a dozen things, and nothing works, or at least is clear to my old brain. So if someone can kindly, clearly explain what I am doing wrong and how to fix it, it would be most appreciated, as the docs and the vids I watched do not show any more than just setting up the IPsec and away you should go.

      In a nutshell: I cannot ping the Site A 10.0.0.0/28 LAN from Site B, and I cannot ping Site B 192.168.1.0/24 from Site A.

      Your help is most appreciated, thanks.

      davige101

      davige101

        I finally resolved this. I had to create a LAN gateway on the Site A side because I have two LAN subnets on this, 192.168.211.x/24 and 10.0.0.x/28. I was only concerned with the 10. subnet, so I created a gateway for it only, as probably traffic was trying to pass over the other LAN segment, not sure. (I am not great at this stuff...)

        Then on the Site B router, I had to add a manual NAT for its LAN network to allow the 10.0.0.0/28 traffic over it. Now I can successfully reach all endpoints for both networks.

        Man, that was A LOT of work. Now I get why those crappy Cisco RV routers are so popular, as it seems it creates the NAT and routes for you.

        davige101

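The symptom in the first post (tunnel established, a LAN host reaches the remote router but Diagnostics > Ping on the firewall does not, and only one of Site A's two subnets is meant to cross the tunnel) is the kind of thing a Phase 2 traffic-selector check explains: a policy-based IPsec tunnel only carries a packet when both its source and its destination fall inside one Phase 2 entry; anything else follows the ordinary routing table. The Python below is an added example for this thread, not the poster's configuration or pfSense code. It models the two Phase 2 entries from the thread and evaluates several pings against them. The WAN addresses, the Site B firewall address and the host addresses are constructed for illustration.

```python
"""Model the Phase 2 traffic-selector check of a policy-based IPsec tunnel.

Added example, not the poster's configuration. The Phase 2 entries mirror the
subnets in the thread (10.0.0.0/28 at Site A, 192.168.1.0/24 at Site B); the
WAN and host addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Phase2:
    """One Phase 2 entry as seen from the local side: local net <-> remote net."""
    local_net: ipaddress.IPv4Network
    remote_net: ipaddress.IPv4Network


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(cidr, strict=False)


# Site A Phase 2: only the OPT subnet is tunneled, as in the thread.
SITE_A_P2 = (Phase2(net("10.0.0.0/28"), net("192.168.1.0/24")),)
# Site B Phase 2: the mirror image.
SITE_B_P2 = (Phase2(net("192.168.1.0/24"), net("10.0.0.0/28")),)

# Constructed addresses (RFC 5737 documentation ranges for the WAN side).
SITE_A_WAN = "203.0.113.10"
SITE_B_WAN = "198.51.100.20"
SITE_A_PFSENSE = "10.0.0.2"       # given in the thread
SITE_B_PFSENSE = "192.168.1.1"    # constructed; the thread does not give it


def matching_phase2(src: str, dst: str, entries: Sequence[Phase2]) -> Optional[Phase2]:
    """Return the Phase 2 entry whose selector covers src -> dst, or None.

    A policy-based tunnel encrypts a packet only when BOTH its source and its
    destination fall inside one Phase 2 entry; anything else is routed normally,
    usually via the default route out the WAN, and never reaches the far LAN.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p2 in entries:
        if s in p2.local_net and d in p2.remote_net:
            return p2
    return None


def uses_tunnel(src: str, dst: str, entries: Sequence[Phase2]) -> bool:
    return matching_phase2(src, dst, entries) is not None


def run_checks() -> dict:
    """Evaluate the pings described in the thread against the selectors."""
    return {
        # Diagnostics > Ping on the Site B firewall with the source address left
        # on automatic: the firewall takes the source from the outbound route,
        # normally its WAN address, which is outside 192.168.1.0/24.
        "siteB_firewall_ping_wan_source": uses_tunnel(SITE_B_WAN, SITE_A_PFSENSE, SITE_B_P2),
        # The same ping with the LAN address explicitly chosen as source.
        "siteB_firewall_ping_lan_source": uses_tunnel(SITE_B_PFSENSE, SITE_A_PFSENSE, SITE_B_P2),
        # A workstation on Site B's LAN pinging the Site A firewall.
        "siteB_lan_host": uses_tunnel("192.168.1.50", SITE_A_PFSENSE, SITE_B_P2),
        # A host on Site A's main LAN (192.168.211.0/24), which is in no Phase 2.
        "siteA_other_lan_host": uses_tunnel("192.168.211.5", SITE_B_PFSENSE, SITE_A_P2),
        # A host on Site A's tunneled OPT subnet.
        "siteA_opt_host": uses_tunnel("10.0.0.5", SITE_B_PFSENSE, SITE_A_P2),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:34s} {'enters tunnel' if ok else 'NOT matched by any Phase 2'}")
```

The practical check this encodes: when testing from the firewall itself, choose a source address inside the local Phase 2 network (the LAN address) rather than leaving it on automatic, and when a site has more than one internal subnet, each subnet that must cross the tunnel needs its own Phase 2 entry on both ends; a subnet with no entry is routed, not tunneled.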
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.