IPsec tunnel established but hosts cannot ping each other

xAgamemnon · Mar 28, 2024, 11:30 AM

Hello everyone, I have a problem with a VPN connection using IPsec. For better illustration, I show below how I would like to connect two sites to each other. After the proper configuration as you can see from the PfSense screenshot everything seems to be fine. The connection is established, but if I want to ping from host 192.168.69.2 to host 192.168.138.4 it is impossible, I get no response. Could someone please help me to solve this problem?

michmoor · Mar 28, 2024, 11:44 AM

@xAgamemnon
Is there a phase 2 entry?
Are there firewall rules permitting hosts to ping?
Are there logs to show?

xAgamemnon · Mar 28, 2024, 12:17 PM

@michmoor I will provide you some screenshot for this. Below it is another screen of IPsec established because my WAN changed on both sides:

Here is the answer for your first question:
Here is the answer for your second question:
Here is the answer for your third question:

xAgamemnon · Mar 28, 2024, 12:27 PM

@xAgamemnon Yes i know there is a mismatch in Phase 2 remote network i changed it to 192.168.138.0 but it also doesn't work

michmoor · Mar 28, 2024, 12:39 PM

@xAgamemnon
I didn’t mean a screenshot of logs but the actual IPsec logs maybe from console or ssh you can grab it
Secondly I don’t see any firewall rules. There should be a firewall rule on the IPsec interface I believer. What do the firewall logs show? Any drops?

xAgamemnon · Mar 28, 2024, 12:38 PM

I changed once again to options shown below:

Now I can ping the WAN and Gateway but host cannot see each other:

xAgamemnon · Mar 28, 2024, 1:51 PM

@michmoor Here are the logs:
Logs IPSEC Site A.txt
Log IPSEC site B.txt
Here are the rules on IPSEC:

viragomann · Mar 28, 2024, 1:51 PM

@xAgamemnon
Do both host use the pfSense in in their LAN as default gateway?

Do the hosts themself allow access from outside of their local network?
Maybe disable their firewalls and reboot them then.

xAgamemnon · Mar 28, 2024, 2:05 PM

@viragomann yes both host use pfsense as default gateway and everything is allowed in firewall as i shown above

viragomann · Mar 28, 2024, 2:07 PM

@xAgamemnon
I was talking about the firewalls on the host behind pfSense.

xAgamemnon · Mar 28, 2024, 2:19 PM

@viragomann That's what I've figured out, after disabling the microsoft defender firewall I can ping between sites without any problem now I just need to add a rule so that this network traffic is allowed. Thanks a lot for help, I don't know why I haven't come across this before

viragomann · Mar 28, 2024, 2:30 PM

@xAgamemnon
The Windows firewall allows basic access like pings from within the local subnet by default, but not from outside.
So access normally works as long as it doesn't pass a router.

fcostars · Apr 1, 2024, 9:11 PM

@xAgamemnon
Estou com o mesmo problema, eu configurei dois pfsenses um matriz e outro filial, mas eu só consigo pingar o pfsense do outro lado e mais nada!
dentro da mesma rede pinga normal, mas tanto da matriz como da filial eu nao consigo pingar nenhum micro a não ser o pfsense do outro lado.

nas configurações de firewall esta tudo liberado entre os tuneis...

alguém tem alguma ideia?

fcostars · Apr 2, 2024, 11:28 AM

@fcostars Resolvido!
Estava clonando configuração ipsec para não digitar tudo novamente e dessa forma o firewall se perde!

Segue a dica! Nunca clone uma regra e sim reescreva novamente!