Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec routing issue (I think)

    Scheduled Pinned Locked Moved IPsec
    3 Posts 1 Posters 758 Views 1 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P Offline
      ProperCactus Rebel Alliance
      last edited by ProperCactus

      Hi,

      I have an IPSec S2S between my on-prem pfsense device and a little Ubuntu VM in Azure running strongSwan.

      The tunnel is connecting nicely, and I can ping from the Azure side both of the P2 tunnels that I created for 192.168.2.0/24 and 192.168.3.0/24.

      The strongSwan host in Azure is 10.1.0.254 and it's serving the 10.1.0.0/17 subnet to the tunnel.

      Pinging the Azure host from either the pfsense device or a device on 192.168.2.0/24 doesn't work. So I can ping in from Azure, but not png back to Azure.

      I feel like this is an issue with my routing on the pfsense device, because I had this issue with WireGuard previously and as such I had to create a gateway from the WireGuard interface and define a static route to that gateway to get it to work.

      With IPSec however, there is no interface presented for me to create a gateway, and therefore I am unable to create any static routes. So how am I supposed to route traffiv to 10.1.0.0/17 over my IPSec tunnel?

      Screen Shot 2021-07-08 at 11.36.44 pm.png

      Also I notice this on the pfsense side:

      Screen Shot 2021-07-08 at 11.58.58 pm.png

      I don't know what that is but it's automatically done it so I assume it's a good thing?

      Eh I informed myself on shunting, it makes sure inter-lan packets ain't going through the tunnel so it is a good thing.

      1 Reply Last reply Reply Quote 0
      • P Offline
        ProperCactus Rebel Alliance
        last edited by

        Ok so after a metric f ton of googling, I came across this post:

        https://forum.netgate.com/topic/118667/resolved-ipsec-tunnel-ok-but-routers-can-t-ping-each-others/4

        Which points to this article: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html

        Which describes the procedure of making the static route as defining the LAN interface as a gateway, and assigning routes to it. I did that and at least i can ping through the tunnel to the Azure host now.

        Now I just need to be able to ping past the Azure host.

        Screen Shot 2021-07-09 at 2.55.08 am.png

        1 Reply Last reply Reply Quote 0
        • P Offline
          ProperCactus Rebel Alliance
          last edited by

          Aaaaand pinging beyond the Azure host was, as per my gut feeling, I shouldn't have been relying on the little IP forwarding switch in Azure and it was solved by enabling IP forwarding on the Azure host directly:

          sudo nano /etc/sysctl.conf

          net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

          sudo sysctl -p

          Source: https://www.tecmint.com/setup-ipsec-vpn-with-strongswan-on-debian-ubuntu/

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.