Netgate Discussion Forum
    IPSEC Tunnel traffic only works one way

buzzg:

I have an IPSEC tunnel that connects pfSense+ to a Watchguard. From the private network behind the pfSense+, I can ping, do a tracert, and do an RDP session.

Ping, trace route and RDP fail from the private network behind the Watchguard.

Currently, I have the pfSense+ under Firewall/Rules/IPSEC - I have an entry for Private pfSense+ source 172.16.x.x to Private Watchguard destination 10.0.25.x. And for kicks and giggles, I did the opposite: source 10.0.25.x to destination 172.16.x.x.

I do not have access to the Watchguard as it is a third party and all I can do is advise. I believe the issue is on the Watchguard end, but I want to be sure by getting input from the community.

viragomann (reply to buzzg):

@buzzg
On the IPsec rule tab you only need to allow incoming traffic from the remote site, not outbound.
Rules for outgoing traffic from your site must be created on the LAN, or whichever interface the traffic enters on from pfSense's point of view.

The only other thing you have to configure properly on your site is phase 2. But if this were wrong, normally the remote site would refuse the connection, and you would not be able to access the remote either.

So I also suspect that the remote firewall doesn't allow access to your site.

To investigate, you can sniff the traffic on the IPsec interface using the Packet Capture tool while someone on the remote LAN tries to access your LAN device.

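The point of the answer above is that pfSense consults the rules of the interface a flow enters on, so an IPsec-tab rule with the local network as source can never match anything. The following is an added illustration, not pfSense code and not anything posted in the thread: a small Python model of first-match rule evaluation per ingress interface (pfSense adds "quick" to GUI rules, so the first match wins, and unmatched traffic is dropped). The 172.16.0.0/16 and 10.0.25.0/24 networks and the host addresses are constructed stand-ins for the 172.16.x.x and 10.0.25.x ranges mentioned in the question, and only the first packet of each flow is modelled, since replies are admitted by pf's state table rather than by rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Simplified model of pfSense rule evaluation (illustration only):
# rules are evaluated on the interface where the FIRST packet of a flow enters
# the firewall, first match wins, and anything unmatched is dropped.


@dataclass(frozen=True)
class Rule:
    tab: str        # interface tab the rule is defined on: "LAN", "WAN", "IPsec"
    action: str     # "pass" or "block"
    src: str        # source network, CIDR notation
    dst: str        # destination network, CIDR notation
    proto: str = "any"


@dataclass(frozen=True)
class Packet:
    ingress: str    # interface the packet arrives on, as pfSense sees it
    src: str
    dst: str
    proto: str = "icmp"


def _contains(net: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation on the ingress tab; implicit default deny."""
    for r in rules:
        if r.tab != pkt.ingress:
            continue        # rules on other tabs are never consulted for this packet
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if _contains(r.src, pkt.src) and _contains(r.dst, pkt.dst):
            return r.action
    return "block"


def dead_rules(rules: List[Rule], behind: Dict[str, List[str]]) -> List[Rule]:
    """Rules whose source network cannot arrive on the tab they sit on.

    `behind` maps each interface to the networks reachable through it. A rule on
    tab T whose source overlaps none of behind[T] will never see a matching packet.
    """
    dead = []
    for r in rules:
        src = ipaddress.ip_network(r.src, strict=False)
        reachable = behind.get(r.tab, [])
        if not any(src.overlaps(ipaddress.ip_network(n, strict=False)) for n in reachable):
            dead.append(r)
    return dead


# Constructed networks standing in for the thread's 172.16.x.x (pfSense side)
# and 10.0.25.x (Watchguard side) ranges.
LOCAL = "172.16.0.0/16"
REMOTE = "10.0.25.0/24"
BEHIND = {"LAN": [LOCAL], "IPsec": [REMOTE]}

# The configuration the question describes: both directions on the IPsec tab,
# plus the stock "allow LAN to any" rule a pfSense install starts with.
ORIGINAL = [
    Rule("IPsec", "pass", LOCAL, REMOTE),     # backwards: local hosts never enter on IPsec
    Rule("IPsec", "pass", REMOTE, LOCAL),     # the rule that actually admits remote traffic
    Rule("LAN", "pass", LOCAL, "0.0.0.0/0"),
]

# The minimal set the answer describes: inbound from the remote site on the
# IPsec tab, outbound from local hosts on the LAN tab.
FIXED = [
    Rule("IPsec", "pass", REMOTE, LOCAL),
    Rule("LAN", "pass", LOCAL, REMOTE),
]

# Initiating packets of the two flows in the thread (constructed addresses).
REMOTE_TO_LOCAL = Packet("IPsec", "10.0.25.10", "172.16.1.20")   # Watchguard LAN -> pfSense LAN
LOCAL_TO_REMOTE = Packet("LAN", "172.16.1.20", "10.0.25.10")     # pfSense LAN -> Watchguard LAN

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "remote->local:", evaluate(rules, REMOTE_TO_LOCAL),
              "local->remote:", evaluate(rules, LOCAL_TO_REMOTE))
    print("rules that can never match:", dead_rules(ORIGINAL, BEHIND))
```

Running it shows that the pfSense side already passes the remote-to-local flow in the original configuration (the second IPsec rule matches), while the first IPsec rule is reported as one that can never match; that is consistent with the answer's conclusion that the block must be on the remote firewall. Dropping the LAN rule and keeping only the IPsec rule turns the local-to-remote flow into a block, which is the other half of the answer.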
buzzg (reply to viragomann):

@viragomann Thanks! Your reply helped me understand the flow, which I was trying to do from the IPSEC and WAN rules.

Kept the WAN rules simple, fixed the IPSEC rules and added a LAN rule.

Works now! Thank you for a quick educational lesson!!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.