Traceroute across IPSec to remote router doesn't work, everything else does?
ZPrime last edited by
Remote end is a Palo Alto PA-2020 unit. My end is pfSense 1.2.3 Embedded.
This is from my LAN (host on the LAN, my MacBookPro)
Ping works -
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=63 time=49.536 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=49.489 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=63 time=49.092 ms
Ping to other hosts works:
PING 192.168.1.31 (192.168.1.31): 56 data bytes
64 bytes from 192.168.1.31: icmp_seq=0 ttl=126 time=48.840 ms
64 bytes from 192.168.1.31: icmp_seq=1 ttl=126 time=48.073 ms
Traceroute to the remote firewall IP fails:
traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 52 byte packets
1 pf (192.168.42.1) 11.053 ms 9.240 ms 10.000 ms
2 * * *
3 * * *
4 * * *
But here's where it's interesting - traceroute to a remote host (not the firewall/router) does work, but there's something weird happening:
traceroute to 192.168.1.31 (192.168.1.31), 64 hops max, 52 byte packets
1 pf (192.168.42.1) 5.802 ms 9.219 ms 9.900 ms
2 pf (192.168.42.1) 50.002 ms 49.870 ms 49.075 ms
3 192.168.1.31 (192.168.1.31) 49.912 ms 49.860 ms 49.795 ms
Please note line 2 in that trace - see how the times are higher, as though those responses are coming from the remote end of the tunnel… but it is showing my pf IP. ???
I'm at a loss as to why this is happening.
Also, from the remote side (also not on the firewall, for completeness):
Tracing route to 192.168.42.1 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms pan [192.168.1.1]
2 37 ms 40 ms 40 ms 192.168.42.1
No extra hop on the way back.
So, it's either something with how the Palo Alto unit handles the incoming VPN traffic, or there's something strange with the way it comes in from pfSense. I'm stumped.
Thankfully everything else seems to be working so it's not a life-ender, but I'm concerned that the traffic may be doing something it shouldn't and I'd like to correct it if possible.
Traceroute will always be weird over IPsec because IPsec isn't routed. Traffic is grabbed and basically shoved down the tunnel.
TerminalE last edited by
Can you post how your PA2020 is configured for the pfSense tunnel? I am trying to connect a PA2050 to a remote pfSense and keeping getting a timeout error.