Traceroute across IPSec to remote router doesn't work, everything else does?



  • Remote end is a Palo Alto PA-2020 unit.  My end is pfSense 1.2.3 Embedded.

    remote: 192.168.1.0/24
    local: 192.168.42.0/24

    This is from my LAN (host on the LAN, my MacBookPro)
    Ping works -
    PING 192.168.1.1 (192.168.1.1): 56 data bytes
    64 bytes from 192.168.1.1: icmp_seq=0 ttl=63 time=49.536 ms
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=49.489 ms
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=63 time=49.092 ms

    Ping to other hosts works:
    PING 192.168.1.31 (192.168.1.31): 56 data bytes
    64 bytes from 192.168.1.31: icmp_seq=0 ttl=126 time=48.840 ms
    64 bytes from 192.168.1.31: icmp_seq=1 ttl=126 time=48.073 ms

    Traceroute to the remote firewall IP fails:
    traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 52 byte packets
    1  pf (192.168.42.1)  11.053 ms  9.240 ms  10.000 ms
    2  * * *
    3  * * *
    4  * * *

    But here's where it's interesting - traceroute to a remote host (not the firewall/router) does work, but there's something weird happening:
    traceroute to 192.168.1.31 (192.168.1.31), 64 hops max, 52 byte packets
    1  pf (192.168.42.1)  5.802 ms  9.219 ms  9.900 ms
    2  pf (192.168.42.1)  50.002 ms  49.870 ms  49.075 ms
    3  192.168.1.31 (192.168.1.31)  49.912 ms  49.860 ms  49.795 ms

    Please note line 2 in that trace - see how the times are higher, as though those responses are coming from the remote end of the tunnel… but it is showing my pf IP.   ???

    I'm at a loss as to why this is happening.

    Also, from the remote side (also not on the firewall, for completeness):
    Tracing route to 192.168.42.1 over a maximum of 30 hops

    1    <1 ms    <1 ms    <1 ms  pan [192.168.1.1]
      2    37 ms    40 ms    40 ms  192.168.42.1

    Trace complete.

    No extra hop on the way back.

    So, it's either something with how the Palo Alto unit handles the incoming VPN traffic, or there's something strange with the way it comes in from pfSense.  I'm stumped.

    Thankfully everything else seems to be working so it's not a life-ender, but I'm concerned that the traffic may be doing something it shouldn't and I'd like to correct it if possible.


  • Rebel Alliance Developer Netgate

    Traceroute will always be weird over IPsec because IPsec isn't routed. Traffic is grabbed and basically shoved down the tunnel.



  • bradenmcg,

    Can you post how your PA2020 is configured for the pfSense tunnel?  I am trying to connect a PA2050 to a remote pfSense and keeping getting a timeout error.

    Thanks,
    Jeff


Log in to reply