Issue with connectivity over IPSec
-
Hi guys,
I'm having an issue as follows; the firewalls are both pfSense:
Let's say two locations, location A and B.
Location A has 1 network: 192.168.0.254/24
Location B has 4 networks: 10.1.0.0/24, 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24.
Locations A and B are connected using IPSec Site-to-Site.
Phase 2 settings pass the subnets individually (4 /24 networks).
From any machine on location A I can access everything on location B.
However, from the pfSense on location A I cannot access any machine on the location B.
I cannot ping from the pfSense A to a machine behind pfSense B;
I cannot get access to services on machines behind pfSense B from pfSense A.
One major issue this is causing is that our LDAP auth stopped working. As access to all services on machines behind pfSense B is working for machines behind pfSense A, this was overlooked during the holidays, but right now I'm not able to sort this out.
Accessing the pfSense via CLI and running the commands (dig, ping) from inside the shell doesn't work either.
Firewall Logs are clear. Any idea or clue why?
-
It's because pfSense uses the logically closest interface to connect from, which is usually WAN, so it is not covered by the P2.
When you are pinging, select LAN (or whatever subnet is covered) as the source IP.
For other things use this workaround:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html
Or use something route based like VTI.
Steve
-
Hi @stephenw10 thank you for your reply.
But from what I understand from the link you shared, it's aimed at a situation different from mine.
What I get from the link is a solution for those who are unable to access services from the firewall itself, which in this situation I would say is trying to access services on pfSense B.
However, I am trying to access services BEHIND pfSense B, not the firewall itself.
Let's say I have a domain override on the DNS Resolver of pfSense A for abcd.com and say its authoritative server is 10.1.0.123 behind pfSense B. How come the pfSense doesn't know how to send the traffic?
The suggested method of adding a gateway worked. Now I only have some questions left, like "why was it working before and why did it stop", given that this is the first time we added a gateway to access services on the other side, and also before, the LDAP authentication was working fine, then it stopped, which struck us as weird. I also found it weird that such behaviour, identified in 2004, is still unattended in 2021... but well...
-
If you are opening connections to or from the firewall itself over policy based IPSec you will probably hit this.
For Unbound on the firewall you can set the outbound interface to be LAN and the IPSec daemon will catch it.
For some services, such as LDAP, you cannot set the source IP it uses, so you must use that workaround.
Or, as I said, use a route based tunnel and the firewall traffic will use it like any other traffic.
Steve
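An added illustration, not from this thread or from Netgate, of why the static-route workaround changes the outcome: a small Python model of the route lookup that picks the firewall's own source address, followed by the Phase 2 selector match that a policy-based tunnel performs. The WAN address is an assumed documentation-range value and the gateway object pfSense actually uses is not modelled; the subnets are the ones named in the thread.

```python
import ipaddress

# Addresses of pfSense A. LAN comes from the thread; WAN is a constructed value.
LAN_IP = ipaddress.ip_address("192.168.0.254")
WAN_IP = ipaddress.ip_address("203.0.113.10")  # assumed, TEST-NET-3

# Phase 2 entries on pfSense A: (local selector, remote selector), one per /24 at site B.
PHASE2 = [
    (ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network(f"10.1.{i}.0/24"))
    for i in range(4)
]


def build_routes(with_workaround: bool):
    """Routing table as (destination, source address the kernel picks for its own packets).

    A policy-based tunnel installs no route, so firewall-originated traffic to site B
    follows the default route and is sourced from WAN unless a more specific route exists.
    """
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), WAN_IP),
        (ipaddress.ip_network("192.168.0.0/24"), LAN_IP),
    ]
    if with_workaround:
        # Static routes for the remote subnets via a gateway on LAN: egress is LAN,
        # so the LAN address becomes the source of locally generated packets.
        routes += [(remote, LAN_IP) for _, remote in PHASE2]
    return routes


def pick_source(dst, routes):
    """Longest-prefix match, returning the source address tied to the chosen route."""
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def spd_match(src, dst) -> bool:
    """True when some Phase 2 (local, remote) selector pair covers the packet."""
    return any(src in local and dst in remote for local, remote in PHASE2)


def firewall_reaches(dst_str: str, with_workaround: bool = False):
    """Returns (matched_by_tunnel, source_address) for a packet pfSense A sends itself."""
    dst = ipaddress.ip_address(dst_str)
    src = pick_source(dst, build_routes(with_workaround))
    return spd_match(src, dst), str(src)


def lan_host_reaches(src_str: str, dst_str: str) -> bool:
    """A host behind pfSense A already sources from the LAN subnet, so it matches directly."""
    return spd_match(ipaddress.ip_address(src_str), ipaddress.ip_address(dst_str))
```

The two `firewall_reaches` calls for the same destination differ only in the source address the route selection yields, which is exactly the difference between "hosts behind A work" and "the firewall itself does not".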
-
@stephenw10 thanks Stephen, the solution of creating a gw using LAN and setting up a static route worked well. Thank you for the quick reply and support!