Netgate Discussion Forum
    All networks reachable over IPsec except one

    General pfSense Questions
    13 Posts, 2 Posters, 357 Views

    michmoor:

      Hello all,

      Got an issue where I am static routing to multiple destinations over an IPsec VPN. All networks except one are reachable.
      I can't ping the firewall IP or the firewall CARP IP, but all other interfaces on the firewall are reachable.

      The problem in question is 10.1.10.0/24.
      My firewall has the static route; the next hop is the IPsec gateway on the far side.

      [screenshot]

      I have a constant ping going and it's shown in my firewall logs

      [screenshot]

      The problem is... it's not showing up on the pfSense on the other side of the tunnel

      [screenshot]

      By all accounts this should be routed over the tunnel like the other networks, which are reachable, but for some reason this network isn't.

      Any ideas?

      Firewall: NetGate, Palo Alto-VM, Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP, CCNP Enterprise

        stephenw10 (Netgate Administrator):

        Can you ping other CARP VIPs on the remote firewall?

          michmoor:

          @stephenw10
          Yep, I sure can!

          [screenshot]

          As shown, I can't ping the LAN but can ping the others

          [screenshot]


            stephenw10:

            Can you ping anything else in the 10.1.10.0/24 subnet?

            Check the state table when pinging. Is it actually opening states correctly at the local end?

            Ultimately run some pcaps to see where those pings are actually going.

              michmoor:

              @stephenw10
              I cannot ping a host on that network - 10.1.10.59

              I have an extended ping going on. The state is present

              [screenshot]

              Traceroute dies on my firewall, which I suspect is the problem (I don't see any logs on the remote side showing my ping attempts)

              [screenshot]

              As I mentioned, I do have static routes in place but I can't figure out why the firewall is not forwarding the traffic.


                stephenw10:

                What interface(s) does it show that state on in the state table?

                  michmoor:

                  @stephenw10

                  This is what I see in the state table. It is correct in that it's coming in on the right interface.

                  [screenshot]

                  There are no route conflicts

                  [screenshot]

                  edit: OK, this is worrisome. I performed a pcap on the IPsec interface and nothing...

                  [screenshot]


                    michmoor:

                    @stephenw10
                    Additional state information. I telnet to the CARP on port 443

                    [screenshot]

                    But I see no state or anything in the firewall logs on the remote side.
                    So it's for sure (I feel) failing on my firewall, but I don't know why.


                      stephenw10:

                      Ok, so it comes in and never leaves.

                      That implies either there is no route for it or it's somehow blocked. Clearly there is a route.

                      Other things that might appear like that are:

                      Captive Portal running, though that would prevent the inbound state.

                      Blocked by Snort/Suricata.

                      Blocked by pfBlocker with logging disabled.

                      Conflicting policy based IPSec tunnel.

                      Policy routing on the rule via a gateway that is down perhaps?

                        michmoor:

                        @stephenw10

                        From the CLI of the firewall, pings work.

                        /root: ping 10.1.10.254
                        PING 10.1.10.254 (10.1.10.254): 56 data bytes
                        64 bytes from 10.1.10.254: icmp_seq=0 ttl=64 time=236.302 ms
                        64 bytes from 10.1.10.254: icmp_seq=1 ttl=64 time=236.178 ms
                        64 bytes from 10.1.10.254: icmp_seq=2 ttl=64 time=236.265 ms
                        64 bytes from 10.1.10.254: icmp_seq=3 ttl=64 time=236.193 ms
                        
                        

                        I agree there is something blocking

                        Captive Portal running, though that would prevent the inbound state.
                        • CP is not running on my system

                        Blocked by Snort/Suricata.
                        • Neither of these packages is running

                        Blocked by pfBlocker with logging disabled.
                        • I don't see it in my pfBlocker Alerts/Unified tab, but this is possible. I can try disabling it, although I read somewhere that pfBlocker makes a point to scrape through any list and remove RFC1918

                        Conflicting policy based IPSec tunnel.
                        • All my IPsec tunnels are Route Based, not using Tunnel

                        Policy routing on the rule via a gateway that is down perhaps?
                        • Not utilizing PBR


                          michmoor:

                          @stephenw10

                          I think... I might be on to something.

                          Status > IPsec > SPDs

                          Check out the 10.1.10.0/24 network. Why does that say Tunnel mode while the others say VTI?

                          [screenshot]

                          This IPsec tunnel is VTI. That's why the other networks I can reach on this IPsec... Hmmmmm


                            michmoor:

                            @stephenw10

                            Solved it!!

                            I restarted the IPsec daemon (via the GUI).
                            Cleared it up right away, as it probably had to rebuild the configuration on start up (is my guess)

                            Super weird... Why was that the only network set up for Tunnel? Worse, I had to restart the daemon.


                              stephenw10:

                              Aha, nice!

                              Yup, IPsec in policy mode can grab traffic and make it disappear like that.

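As an added diagnostic example (not code from this thread or from pfSense): a small Python parser for an SPD dump in the shape of `setkey -DP` output that flags the condition found above on the SPDs page, an outbound tunnel-mode policy with a specific destination selector that overlaps a prefix you expect to route through a VTI. The sample dump, its exact format and the 0.0.0.0/0 catch-all selector used for the VTI policy are assumptions.

```python
import ipaddress
import re

# Constructed sample in the shape of `setkey -DP` output (format and the 0.0.0.0/0
# catch-all selector used by the VTI are assumptions, not copied from the thread).
SAMPLE_SPD = """\
0.0.0.0/0[any] 0.0.0.0/0[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-198.51.100.1/unique:16385
\tspid=2 seq=1 pid=1234
192.168.50.0/24[any] 10.1.10.0/24[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-198.51.100.1/unique:16387
\tspid=3 seq=0 pid=1234
"""

HEADER = re.compile(r"^(\S+)\[\S+\]\s+(\S+)\[\S+\]\s+\S+$")
ACTION = re.compile(r"^\s+(in|out|fwd)\s+(ipsec|discard|none)$")
XFORM = re.compile(r"^\s+(esp|ah)/(tunnel|transport)/(\S*)")

def parse_spd(text):
    """Return one dict per IPsec policy: src, dst, direction, mode, endpoints."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):          # selector line starts a new policy
            cur = {"src": ipaddress.ip_network(m[1]), "dst": ipaddress.ip_network(m[2])}
        elif cur is None:
            continue
        elif m := ACTION.match(line):        # direction and action (ipsec/discard/none)
            cur["direction"], cur["action"] = m[1], m[2]
        elif (m := XFORM.match(line)) and cur.get("action") == "ipsec":
            cur.update(mode=m[2], endpoints=m[3])   # esp/tunnel/<src>-<dst>/<level>
            entries.append(cur)
            cur = None
    return entries

def find_policy_captures(entries, vti_prefixes):
    """Outbound tunnel-mode policies whose specific destination selector overlaps a
    prefix expected to leave via a VTI route: the policy encapsulates that traffic itself."""
    hits = []
    for prefix in vti_prefixes:
        net = ipaddress.ip_network(prefix)
        for e in entries:
            if e["direction"] != "out" or e["mode"] != "tunnel":
                continue
            # prefixlen 0 is the catch-all selector the VTI itself relies on
            if e["dst"].prefixlen and e["dst"].overlaps(net):
                hits.append((prefix, str(e["dst"]), e["endpoints"]))
    return hits
```

Run it against `setkey -DP` output on the firewall and the list of prefixes routed via the ipsec interface; any hit is a policy that will take the traffic before it ever reaches the VTI.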
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.