Tunnel IPsec working OK, cannot access remote host from local pfSense

sebajm

We have a pfSense firewall (Network: 172.16.0.0/20) connected to a FortiGate firewall (Network: 172.16.16.0/20) using IPsec.

We can access hosts on the 172.16.16.0/20 network from any host on the 172.16.0.0/20 network, except from the pfSense firewall itself (em2: 172.16.2.1, VIP: 172.16.2.3).

The pfSense firewall has its default gateway set to the WAN interface. When we capture the traffic, we observe that:

[2.3.3-RELEASE][root@xxxx]/root: tcpdump -n -i em2 icmp and dst 172.16.19.14
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em2, link-type EN10MB (Ethernet), capture size 65535 bytes
10:10:35.958694 IP wanip > 172.16.19.14: ICMP echo request, id 36519, seq 6, length 64
10:10:36.959840 IP wanip > 172.16.19.14: ICMP echo request, id 36519, seq 7, length 64
10:10:37.965529 IP wanip > 172.16.19.14: ICMP echo request, id 36519, seq 8, length 64

The traffic is being sent over the WAN interface.

We added a static route:

172.16.16.0/20	172.16.2.3	UGS	13332	1500	em1

However, now when we ping from any host in the 172.16.0.0/20 network, we encounter the following issue:

xxxxx:~$ ping 172.16.18.4
PING 172.16.18.4 (172.16.18.4) 56(84) bytes of data.
From 172.16.2.1 icmp_seq=1 Redirect Host(New nexthop: 172.16.18.4)
64 bytes from 172.16.18.4: icmp_seq=1 ttl=62 time=4.87 ms
From 172.16.2.1 icmp_seq=2 Redirect Host(New nexthop: 172.16.18.4)
64 bytes from 172.16.18.4: icmp_seq=2 ttl=62 time=5.04 ms
From 172.16.2.1 icmp_seq=3 Redirect Host(New nexthop: 172.16.18.4)
64 bytes from 172.16.18.4: icmp_seq=3 ttl=62 time=5.35 ms

Could you please assist us in resolving this issue?

Thanks!

sebajm

@sebajm

Errata: The Lan interface is em1: (em1: 172.16.2.1, VIP: 172.16.2.3).

em2 it's the wan interface