Ipsec tunnel connecting but unable to ping

neo.matrix_23

@focalguy:

@blak111:

Make sure you have IPSec allow rules on both ends.

Do you have rules to allow traffic on the IPSEC interfaces on both sides?

You do need to add IPSEC firewall rule (interface) on both sides. Add a rule to allow any protocol, any ports, any source & any destination and test PING again. One thing I want to point out is PING is NOT on TCP protocol but on ICMP and very often, when you add a new rule, TCP is selected by default.

stewie

Hi.

Having the same problem.
SA is established. I setup a pass-any-from-any-to-any firewall rule on each sites ipsec tab.
Logging ist enabled and status firewall shows blocked packets. this is really confusing. why does a pass rule log blocked packages?
the only special thing in this setup is, that on one site VPN comes over opt1. Loadbalancing is configured.

cheers

stewie

jimp

@stewie:

Logging ist enabled and status firewall shows blocked packets. this is really confusing. why does a pass rule log blocked packages?

It doesn't. If a blocked packet is logged, your rule did not get matched. Check your rules again. Especially make sure the protocol is set to ANY and not TCP.

stewie

I removed all rules, rebooted and added them again as mentioned in an other thread. But no success.
I am missunderstanding something totally, or PF is buggy as hell.

As I said SA is established, which normaly means that routing is setup by phase 2. Both sites have pass-any-from-any-to-any firewall rule on the ipsec tabs.

site1 LAN: 192.168.200.0/24 with host 192.168.200.5
site2 LAN: 192.168.201.0/24 with host 192.168.201.1
this what was tcpdump shows on the internal ifs pinging from site2 to site1
on site1:
22:08:03.699497 IP 192.168.201.1 > 192.168.200.5: ICMP echo request, id 512, seq 14926, length 40
on site2:
22:08:03.723041 IP 192.168.201.1 > 192.168.200.5: ICMP echo request, id 512, seq 14926, length 40
22:08:03.723568 IP 192.168.200.5 > 192.168.201.1: ICMP echo reply, id 512, seq 14926, length 40

On site1 filter.log shows pass logs for icmp packets that came from the keep alive setting. Cant see my logs matching my pass rule. site2 shows no icmp pass logs at all.

???

stewie

@jimp

its set to any. i checked it more than twice.

jimp

@stewie:

I am missunderstanding something totally, or PF is buggy as hell.

The former. It works quite well when setup properly.

Are you pinging from the firewall itself or a client PC behind the firewall?

If you are trying to ping from the firewall, that won't work unless you either add a proper static route, or set the ping source by using ping -S <lan ip=""><remote lan="" ip="">.</remote></lan>

stewie

I am pinging from host to host behind the firewalls.
site1 has 192.168.200.254 and site2 has 192.168.201.254.

I guess it did something wrong. perhaps it has something to do with my routing.
Ipsec is running over WAN2 or OPT1. I didnt add any static routes yet.

jimp

@stewie:

I guess it did something wrong. perhaps it has something to do with my routing.
Ipsec is running over WAN2 or OPT1. I didnt add any static routes yet.

You may need to take care of this first. Also ensure that IPsec is set to actually use that interface. It may be trying to send the traffic out of WAN and not WAN2. An easy test would be to build the tunnel on the WAN circuit instead and see if it works there.

stewie

Hi jimp.

It works with WAN instead of OPT1. But I cant keep it like this.
WAN1 is a pppoe ADSL with low upstream and WAN2 ist SDSL with static IP and a bit more upstream.
OPT1 does not support pppoe, this is why did it like this. I also need to keep the WAN Loadbalancingm which btw is working out lovely.

How can I troubleshoot this routing and/or filter problem with IPSec over OPT1/WAN2?

cheers

Stewie

stewie

Hi.

Does anyone know howto route vpn over OPT1/WAN2?
I really need to do  it.

cheers.

stewie