Netgate Discussion Forum

Ipsec tunnel connecting but unable to ping
neo.matrix_23

      @focalguy:

      @blak111:

      Make sure you have IPSec allow rules on both ends.

      Do you have rules to allow traffic on the IPSEC interfaces on both sides?

You do need to add an IPSEC firewall rule (on the IPsec interface tab) on both sides. Add a rule to allow any protocol, any ports, any source & any destination and test PING again. One thing I want to point out is that PING is NOT TCP but ICMP, and very often, when you add a new rule, TCP is selected by default.
stewie

        Hi.

        Having the same problem.
SA is established. I set up a pass-any-from-any-to-any firewall rule on each site's IPsec tab.
Logging is enabled and Status > Firewall shows blocked packets. This is really confusing. Why does a pass rule log blocked packets?
The only special thing in this setup is that on one site the VPN comes in over OPT1. Load balancing is configured.

        cheers

        stewie

jimp (Rebel Alliance Developer, Netgate)

          @stewie:

Logging is enabled and Status > Firewall shows blocked packets. This is really confusing. Why does a pass rule log blocked packets?

          It doesn't. If a blocked packet is logged, your rule did not get matched. Check your rules again. Especially make sure the protocol is set to ANY and not TCP.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

stewie

I removed all rules, rebooted and added them again as mentioned in another thread. But no success.
I am misunderstanding something totally, or PF is buggy as hell.

As I said, SA is established, which normally means that routing is set up by phase 2. Both sites have a pass-any-from-any-to-any firewall rule on the IPsec tabs.

            site1 LAN: 192.168.200.0/24 with host 192.168.200.5
            site2 LAN: 192.168.201.0/24 with host 192.168.201.1
This is what tcpdump shows on the internal interfaces, pinging from site2 to site1.
on site1:
            22:08:03.699497 IP 192.168.201.1 > 192.168.200.5: ICMP echo request, id 512, seq 14926, length 40
            on site2:
            22:08:03.723041 IP 192.168.201.1 > 192.168.200.5: ICMP echo request, id 512, seq 14926, length 40
            22:08:03.723568 IP 192.168.200.5 > 192.168.201.1: ICMP echo reply, id 512, seq 14926, length 40

On site1, filter.log shows pass logs for ICMP packets that came from the keepalive setting. Can't see my logs matching my pass rule. site2 shows no ICMP pass logs at all.

            ???

stewie
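The two tcpdump captures above are the right evidence, but reading them by eye gets tedious once more than a couple of pings are involved. The following is an added example (not code from the thread or from pfSense) that parses tcpdump ICMP echo lines from the LAN on the pinging side ("near") and the LAN on the target side ("far"), pairs requests with replies by source, destination, id and sequence number, and reports for each request how far it got: never seen on the far LAN (tunnel, IPsec-tab rules or routing), seen there but unanswered (the target host), or answered but the reply never made it back (return path). The sample captures are constructed for the example in the same format tcpdump printed in the posts.

```python
import re

# Constructed sample captures (example data, not the thread's own output).
# A ping from 192.168.201.1 (site2 LAN) to 192.168.200.5 (site1 LAN);
# seq 1, 2 and 3 each end differently.  The ARP line shows that
# non-ICMP lines are ignored.
NEAR_CAPTURE = """\
22:08:03.699497 IP 192.168.201.1 > 192.168.200.5: ICMP echo request, id 512, seq 1, length 40
22:08:03.723568 IP 192.168.200.5 > 192.168.201.1: ICMP echo reply, id 512, seq 1, length 40
22:08:04.699512 IP 192.168.201.1 > 192.168.200.5: ICMP echo request, id 512, seq 2, length 40
22:08:05.699530 IP 192.168.201.1 > 192.168.200.5: ICMP echo request, id 512, seq 3, length 40
22:08:05.800000 ARP, Request who-has 192.168.201.254 tell 192.168.201.1, length 28
"""
FAR_CAPTURE = """\
22:08:03.710001 IP 192.168.201.1 > 192.168.200.5: ICMP echo request, id 512, seq 1, length 40
22:08:03.710400 IP 192.168.200.5 > 192.168.201.1: ICMP echo reply, id 512, seq 1, length 40
22:08:04.710020 IP 192.168.201.1 > 192.168.200.5: ICMP echo request, id 512, seq 2, length 40
22:08:04.710410 IP 192.168.200.5 > 192.168.201.1: ICMP echo reply, id 512, seq 2, length 40
"""

# Matches the default tcpdump text form of an IPv4 ICMP echo request/reply.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Outcome labels returned by locate_loss().
OK = "ok"
LOST_OUTBOUND = "never reached far LAN: check IPsec phase 2, IPsec-tab rules and routing"
NO_REPLY = "reached far LAN but the host did not answer: check host firewall/gateway"
LOST_RETURN = "host answered but the reply never reached near LAN: check return path"


def parse_capture(text):
    """Return a list of dicts, one per ICMP echo line; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"] = int(d["id"])
            d["seq"] = int(d["seq"])
            packets.append(d)
    return packets


def flow_key(pkt):
    """Key a packet by the *request* direction so a reply matches its request."""
    if pkt["kind"] == "request":
        return (pkt["src"], pkt["dst"], pkt["id"], pkt["seq"])
    return (pkt["dst"], pkt["src"], pkt["id"], pkt["seq"])


def locate_loss(near_pkts, far_pkts):
    """Classify each echo request seen on the near LAN by how far it got.

    near_pkts: capture on the LAN of the host sending the pings.
    far_pkts:  capture on the LAN of the host being pinged.
    Returns {flow_key: outcome_label}.
    """
    near_answered = {flow_key(p) for p in near_pkts if p["kind"] == "reply"}
    far_requests = {flow_key(p) for p in far_pkts if p["kind"] == "request"}
    far_answered = {flow_key(p) for p in far_pkts if p["kind"] == "reply"}

    result = {}
    for p in near_pkts:
        if p["kind"] != "request":
            continue
        k = flow_key(p)
        if k in near_answered:
            result[k] = OK
        elif k not in far_requests:
            result[k] = LOST_OUTBOUND
        elif k not in far_answered:
            result[k] = NO_REPLY
        else:
            result[k] = LOST_RETURN
    return result


if __name__ == "__main__":
    outcome = locate_loss(parse_capture(NEAR_CAPTURE), parse_capture(FAR_CAPTURE))
    for (src, dst, icmp_id, seq), label in sorted(outcome.items()):
        print(f"{src} -> {dst} id {icmp_id} seq {seq}: {label}")
```

Run it with the two captures pasted in place of the constructed strings (a `tcpdump -ni <lan-if> icmp` on each firewall's LAN interface produces this format). A run of requests that all fall into the "never reached far LAN" bucket points at the tunnel side of the problem discussed in this thread; requests that reach the far LAN but come back unanswered point at the target host or its default gateway instead.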

              @jimp

It's set to any. I checked it more than twice.

jimp (Rebel Alliance Developer, Netgate)

                @stewie:

I am misunderstanding something totally, or PF is buggy as hell.

                The former. It works quite well when setup properly.

                Are you pinging from the firewall itself or a client PC behind the firewall?

If you are trying to ping from the firewall, that won't work unless you either add a proper static route, or set the ping source by using `ping -S <LAN IP> <remote LAN IP>`.

stewie

                  I am pinging from host to host behind the firewalls.
                  site1 has 192.168.200.254 and site2 has 192.168.201.254.

I guess I did something wrong. Perhaps it has something to do with my routing.
IPsec is running over WAN2 (OPT1). I didn't add any static routes yet.

jimp (Rebel Alliance Developer, Netgate)

                    @stewie:

I guess I did something wrong. Perhaps it has something to do with my routing.
IPsec is running over WAN2 (OPT1). I didn't add any static routes yet.

                    You may need to take care of this first. Also ensure that IPsec is set to actually use that interface. It may be trying to send the traffic out of WAN and not WAN2. An easy test would be to build the tunnel on the WAN circuit instead and see if it works there.

stewie

                      Hi jimp.

It works with WAN instead of OPT1. But I can't keep it like this.
WAN1 is a PPPoE ADSL line with low upstream and WAN2 is SDSL with a static IP and a bit more upstream.
OPT1 does not support PPPoE, which is why I did it like this. I also need to keep the WAN load balancing, which btw is working out lovely.

                      How can I troubleshoot this routing and/or filter problem with IPSec over OPT1/WAN2?

                      cheers

                      Stewie

stewie

                        Hi.

Does anyone know how to route the VPN over OPT1/WAN2?
I really need to do it.

                        cheers.

                        stewie
