Netgate Discussion Forum

    Tunnel IPsec working OK, cannot access remote host from local pfSense

    Category: IPsec
    2 Posts 1 Posters 334 Views
    sebajm:

      We have a pfSense firewall (Network: 172.16.0.0/20) connected to a FortiGate firewall (Network: 172.16.16.0/20) using IPsec.

      We can access hosts on the 172.16.16.0/20 network from any host on the 172.16.0.0/20 network, except from the pfSense firewall itself (em2: 172.16.2.1, VIP: 172.16.2.3).

      The pfSense firewall has its default gateway set to the WAN interface. When we capture the traffic, we observe that:

      [2.3.3-RELEASE][root@xxxx]/root: tcpdump -n -i em2 icmp and dst 172.16.19.14
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on em2, link-type EN10MB (Ethernet), capture size 65535 bytes
      10:10:35.958694 IP wanip > 172.16.19.14: ICMP echo request, id 36519, seq 6, length 64
      10:10:36.959840 IP wanip > 172.16.19.14: ICMP echo request, id 36519, seq 7, length 64
      10:10:37.965529 IP wanip > 172.16.19.14: ICMP echo request, id 36519, seq 8, length 64

      The traffic is being sent over the WAN interface.

      We added a static route:

      172.16.16.0/20	172.16.2.3	UGS	13332	1500	em1

      However, now when we ping from any host in the 172.16.0.0/20 network, we encounter the following issue:

      xxxxx:~$ ping 172.16.18.4
      PING 172.16.18.4 (172.16.18.4) 56(84) bytes of data.
      From 172.16.2.1 icmp_seq=1 Redirect Host(New nexthop: 172.16.18.4)
      64 bytes from 172.16.18.4: icmp_seq=1 ttl=62 time=4.87 ms
      From 172.16.2.1 icmp_seq=2 Redirect Host(New nexthop: 172.16.18.4)
      64 bytes from 172.16.18.4: icmp_seq=2 ttl=62 time=5.04 ms
      From 172.16.2.1 icmp_seq=3 Redirect Host(New nexthop: 172.16.18.4)
      64 bytes from 172.16.18.4: icmp_seq=3 ttl=62 time=5.35 ms

      Could you please assist us in resolving this issue?

      Thanks!

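The two symptoms in the post (firewall-originated pings leaving via WAN, then ICMP redirects once a static route via the LAN VIP is added) both come down to address checks, so here is a small Python diagnostic, added as an example for this thread and not code from the original post, pfSense or FortiGate. It parses tcpdump lines and reports whether each packet's source/destination pair falls inside the tunnel's phase-2 selectors (172.16.0.0/20 local, 172.16.16.0/20 remote, as stated above), and it models the general ICMP Redirect condition to show why a next hop on the LAN subnet provokes redirects. Assumptions: the documentation address 203.0.113.5 stands in for the post's "wanip", 172.16.5.10 is a constructed LAN host, 203.0.113.1 is a constructed off-subnet WAN gateway, and the capture lines are constructed after the ones in the post.

```python
"""Added diagnostic for the thread above: does a captured packet fall inside
the IPsec phase-2 selectors, and would a static route's next hop provoke
ICMP host redirects? Example code, not pfSense or FortiGate code."""
import ipaddress
import re

# Phase-2 selectors as described in the thread: local and remote networks.
LOCAL_SELECTOR = ipaddress.ip_network("172.16.0.0/20")
REMOTE_SELECTOR = ipaddress.ip_network("172.16.16.0/20")

# Constructed tcpdump lines modelled on the thread's capture. The thread shows
# the source as "wanip"; 203.0.113.5 (documentation range) stands in for it.
# The third line is a constructed packet sourced from the LAN address 172.16.2.1.
SAMPLE_CAPTURE = """\
10:10:35.958694 IP 203.0.113.5 > 172.16.19.14: ICMP echo request, id 36519, seq 6, length 64
10:10:36.959840 IP 203.0.113.5 > 172.16.19.14: ICMP echo request, id 36519, seq 7, length 64
10:10:40.000000 IP 172.16.2.1 > 172.16.19.14: ICMP echo request, id 36520, seq 1, length 64
"""

# tcpdump "IP src > dst:" header; an optional ".port" suffix is tolerated so
# TCP/UDP lines parse too.
TCPDUMP_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)


def parse_capture(text):
    """Return a list of (src, dst) address pairs from tcpdump -n output."""
    pairs = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:
            pairs.append((ipaddress.ip_address(m.group(1)),
                          ipaddress.ip_address(m.group(2))))
    return pairs


def selector_match(src, dst, local=LOCAL_SELECTOR, remote=REMOTE_SELECTOR):
    """A packet is handed to the tunnel only if src is inside the local
    selector AND dst is inside the remote selector. Traffic the firewall
    sources from its WAN address fails the first test, so it follows the
    default route out of the WAN interface unencrypted, which is what the
    thread's capture on the WAN side shows."""
    return src in local and dst in remote


def classify_capture(text):
    """(src, dst, matches_selectors) for every packet in the capture."""
    return [(str(s), str(d), selector_match(s, d)) for s, d in parse_capture(text)]


def will_redirect(router_iface, sender, next_hop):
    """Classic ICMP Redirect condition (RFC 792): a router that would forward
    a packet back out the interface it arrived on, to a next hop sitting on
    the sender's own subnet, tells the sender to go there directly.
    router_iface is the router's address on that subnet, e.g. "172.16.2.1/20"."""
    net = ipaddress.ip_interface(router_iface).network
    return (ipaddress.ip_address(sender) in net
            and ipaddress.ip_address(next_hop) in net)


if __name__ == "__main__":
    for src, dst, ok in classify_capture(SAMPLE_CAPTURE):
        print(f"{src:>15} -> {dst:<15} {'tunnel' if ok else 'NOT in selectors'}")
    # Constructed LAN host 172.16.5.10 reaching the remote net via the static
    # route through the LAN VIP 172.16.2.3 (thread) versus via an off-subnet
    # WAN gateway (constructed 203.0.113.1).
    print("redirect via LAN VIP:", will_redirect("172.16.2.1/20", "172.16.5.10", "172.16.2.3"))
    print("redirect via WAN gw :", will_redirect("172.16.2.1/20", "172.16.5.10", "203.0.113.1"))
```

Run it as-is: the two WAN-sourced packets are reported as outside the selectors while the LAN-sourced one matches, and `will_redirect` is true only for the next hop on the LAN subnet, reproducing the "Redirect Host" lines in the post. The same checks can be pointed at a live `tcpdump -n` capture by feeding its text to `classify_capture`.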
      sebajm, replying to @sebajm:

        @sebajm

        Errata: The LAN interface is em1 (em1: 172.16.2.1, VIP: 172.16.2.3).

        em2 is the WAN interface.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.