IPSEC Tunnel traffic only works one way
-
I have an IPSEC tunnel that connects pfSense+ to a Watchguard. From the private network behind the pfSense+, I can ping, do a tracert, and do an RDP session.
Ping, trace route and RDP fail from the private network behind the Watchguard.
Currently, I have the pfSense+ under Firewall/Rules/IPSEC - I have an entry for Private pfSense+ Source 172.16.x.x to Private Watchguard Destination 10.0.25.x. And for kicks and giggles, I did the opposite: source 10.0.25.x to destination 172.16.x.x.
I do not have access to the Watchguard as it is a third party and all I can do is advise. I believe the issue is on the Watchguard end, but I want to be sure by getting input from the community.
-
@buzzg
On the IPSec rule tab you need only to allow incoming traffic from the remote site, not outbound.
Rules for outgoing from your site must be created on the LAN or whichever the incoming interface is from the point of view of pfSense. The only other thing you have to configure properly on your site is the phase 2. But if this was wrong, normally the remote site would refuse the connection, and you would also not be able to access the remote.
So I also suspect that the remote firewall doesn't allow access to your site.
To investigate, you can sniff the traffic on the IPSec interface using the Packet Capture tool, while someone on the remote LAN tries to access your LAN device.
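As an added illustration of the rule placement described in this reply (not part of the original thread and not what the pfSense GUI generates verbatim), here is a hand-written pf.conf-style equivalent. It assumes enc0 is pfSense's decrypted IPsec interface, that the thread's 172.16.x.x and 10.0.25.x networks are 172.16.0.0/16 and 10.0.25.0/24, and that $lan_if names the local LAN interface.

```pf
# IPsec tab (enc0): only traffic ARRIVING from the remote site needs a rule here.
# Covers the ping and RDP (TCP 3389) tests from the Watchguard side.
pass in quick on enc0 inet proto icmp from 10.0.25.0/24 to 172.16.0.0/16
pass in quick on enc0 inet proto tcp  from 10.0.25.0/24 to 172.16.0.0/16 port 3389

# LAN tab ($lan_if, assumed name): local hosts reaching the remote site.
# From pfSense's point of view this traffic enters on LAN, so the rule lives here.
pass in quick on $lan_if inet from 172.16.0.0/16 to 10.0.25.0/24

# Unnecessary on the IPsec tab: packets sourced from 172.16.x.x never arrive
# inbound on enc0, so this rule is never matched.
# pass in quick on enc0 inet from 172.16.0.0/16 to 10.0.25.0/24
```

If the remote side is still unreachable with only the first two rules in place, a packet capture on enc0 during a test from the Watchguard LAN will show whether any decrypted packets arrive at all.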
-
@viragomann Thanks! Your reply helped me understand the flow which I was trying to do from the IPSEC and WAN Rules.
Kept the WAN Rules simple and fixed IPSEC Rules and added LAN rule.
Works now! Thank you for a quick educational lesson!!