Netgate Discussion Forum
    Issue with connectivity over IPSec

    General pfSense Questions
    maverickws:

      Hi guys,

      I'm having an issue as follows; the firewalls are both pfSense:

      Let's say two locations, location A and B:
      location A has 1 network: 192.168.0.254/24
      location B has 4 networks: 10.1.0.0/24 10.1.1.0/24 10.1.2.0/24 and 10.1.3.0/24

      Location A and B are connected using IPSec Site-to-Site.
      Phase 2 settings pass the subnets individually (4 /24 networks).

      From any machine on location A I can access everything on location B.

      However, from the pfSense on location A I cannot access any machine on the location B.

      I cannot ping from the pfSense A to a machine behind pfSense B;
      I cannot get access to services from machines behind pfSense B from pfSense A.

      One major issue this is causing is that our LDAP auth stopped working. As access to all services from machines behind pfSense B is working for machines behind pfSense A, this was overlooked during the holidays, but right now I'm not able to sort this out.

      Accessing the pfSense via CLI and running the commands (dig, ping) from inside the shell doesn't work either.

      Firewall Logs are clear. Any idea or clue why?


      stephenw10 (Netgate Administrator):

        It's because pfSense uses the logically closest interface to connect from, which is usually WAN, so it is not covered by the P2.
        When you are pinging select LAN (or whatever subnet is covered) as the source IP.

        For other things use this workaround:
        https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html

        Or use something route based like VTI.

        Steve


        maverickws @stephenw10:

          Hi @stephenw10 thank you for your reply.

          But from what I understand, the link you shared is aimed at a situation different from mine.
          What I get from the link is a solution for those who are unable to access services from the firewall itself, which in this situation, I would say, means trying to access services on pfSense B.

          However, I am trying to access services BEHIND pfSense B, not the firewall itself.

          Let's say I have a domain override on the DNS Resolver of pfSense A for abcd.com and say its authoritative server is 10.1.0.123 behind pfSense B. How come the pfSense doesn't know how to send the traffic?

          The suggested method of adding a gateway worked. Now I only have some questions left, like "why was it working before and why did it stop", given that this is the first time we added a gateway to access services on the other side, and also before that the LDAP authentication was working fine, then it stopped, which struck us as weird. I also found it weird that such behaviour, which was identified in 2004, is still unattended in 2021... but well...


          stephenw10 (Netgate Administrator):

            If you are opening connections to or from the firewall itself over policy based IPSec you will probably hit this.

            For Unbound on the firewall you can set the outbound interface to be LAN and the IPSec daemon will catch it.

            For some services, such as LDAP, you cannot set the source IP it uses, so you must use that workaround.

            Or, as I said, use a route based tunnel and the firewall traffic will use it like any other traffic.

            Steve


            maverickws @stephenw10:
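The mechanism Steve describes above, as an added illustration that is not code from the thread or from pfSense: a policy-based Phase 2 only tunnels packets whose source and destination both fall inside one of its (local, remote) subnet pairs, so a firewall-originated packet sourced from WAN never matches, while the same packet sourced from the LAN address does. The Phase 2 entries are the ones from the first post; the WAN address and the LDAP/DNS server address are constructed placeholders.

```python
# Added example: models the selector check a policy-based IPsec Phase 2
# applies to the firewall's own traffic. Not pfSense code.
from ipaddress import ip_address, ip_network

# Constructed from the thread: one LAN at site A, four /24s at site B,
# each pair passed as its own Phase 2 entry (local subnet, remote subnet).
LAN_NET = ip_network("192.168.0.0/24")
PHASE2_ENTRIES = [(LAN_NET, ip_network(f"10.1.{i}.0/24")) for i in range(4)]

# Constructed addresses for pfSense A; the WAN address is a placeholder.
LAN_IP = ip_address("192.168.0.254")
WAN_IP = ip_address("203.0.113.10")


def matching_phase2(src, dst, entries=PHASE2_ENTRIES):
    """Return the first (local, remote) pair whose selectors cover src->dst, or None."""
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in entries:
        if src in local and dst in remote:
            return (local, remote)
    return None


def firewall_source_for(dst, forced_source=None):
    """Source address the firewall itself would use for dst.

    An explicit choice wins (ping's source selector, Unbound's outgoing
    interface, or the static-route-via-LAN-gateway workaround). Otherwise the
    'logically closest' interface is used, which for a non-LAN destination is WAN.
    """
    if forced_source is not None:
        return ip_address(forced_source)
    return LAN_IP if ip_address(dst) in LAN_NET else WAN_IP


def is_tunnelled(dst, forced_source=None):
    """True if a firewall-originated packet to dst is caught by the Phase 2 policy."""
    src = firewall_source_for(dst, forced_source=forced_source)
    return matching_phase2(src, dst) is not None


if __name__ == "__main__":
    target = "10.1.0.123"  # constructed: the LDAP/authoritative DNS host behind pfSense B
    print("default source", firewall_source_for(target), "tunnelled:", is_tunnelled(target))
    print("LAN source    ", LAN_IP, "tunnelled:", is_tunnelled(target, forced_source=LAN_IP))
```

Running it shows the WAN-sourced packet (the default) is not tunnelled while the LAN-sourced one is, which is why hosts behind pfSense A work but the firewall itself does not until it is made to source from LAN.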

              @stephenw10 thanks Stephen, the solution of creating a gw using LAN and setting up a static route worked well. Thank you for the quick reply and support!
