• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Traceroute across IPSec to remote router doesn't work, everything else does?

Scheduled Pinned Locked Moved IPsec
3 Posts 3 Posters 5.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • Z
    ZPrime
    last edited by Jan 11, 2011, 8:02 AM

    Remote end is a Palo Alto PA-2020 unit.  My end is pfSense 1.2.3 Embedded.

    remote: 192.168.1.0/24
    local: 192.168.42.0/24

    This is from my LAN (host on the LAN, my MacBookPro)
    Ping works -
    PING 192.168.1.1 (192.168.1.1): 56 data bytes
    64 bytes from 192.168.1.1: icmp_seq=0 ttl=63 time=49.536 ms
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=49.489 ms
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=63 time=49.092 ms

    Ping to other hosts works:
    PING 192.168.1.31 (192.168.1.31): 56 data bytes
    64 bytes from 192.168.1.31: icmp_seq=0 ttl=126 time=48.840 ms
    64 bytes from 192.168.1.31: icmp_seq=1 ttl=126 time=48.073 ms

    Traceroute to the remote firewall IP fails:
    traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 52 byte packets
    1  pf (192.168.42.1)  11.053 ms  9.240 ms  10.000 ms
    2  * * *
    3  * * *
    4  * * *

    But here's where it's interesting - traceroute to a remote host (not the firewall/router) does work, but there's something weird happening:
    traceroute to 192.168.1.31 (192.168.1.31), 64 hops max, 52 byte packets
    1  pf (192.168.42.1)  5.802 ms  9.219 ms  9.900 ms
    2  pf (192.168.42.1)  50.002 ms  49.870 ms  49.075 ms
    3  192.168.1.31 (192.168.1.31)  49.912 ms  49.860 ms  49.795 ms

    Please note line 2 in that trace - see how the times are higher, as though those responses are coming from the remote end of the tunnel… but it is showing my pf IP.   ???

    I'm at a loss as to why this is happening.

    Also, from the remote side (also not on the firewall, for completeness):
    Tracing route to 192.168.42.1 over a maximum of 30 hops

    1    <1 ms    <1 ms    <1 ms  pan [192.168.1.1]
      2    37 ms    40 ms    40 ms  192.168.42.1

    Trace complete.

    No extra hop on the way back.

    So, it's either something with how the Palo Alto unit handles the incoming VPN traffic, or there's something strange with the way it comes in from pfSense.  I'm stumped.

    Thankfully everything else seems to be working so it's not a life-ender, but I'm concerned that the traffic may be doing something it shouldn't and I'd like to correct it if possible.

    1 Reply Last reply Reply Quote 0
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Jan 12, 2011, 3:30 PM

      Traceroute will always be weird over IPsec because IPsec isn't routed. Traffic is grabbed and basically shoved down the tunnel.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • T
        TerminalE
        last edited by Feb 23, 2011, 2:08 AM

        bradenmcg,

        Can you post how your PA2020 is configured for the pfSense tunnel?  I am trying to connect a PA2050 to a remote pfSense and keeping getting a timeout error.

        Thanks,
        Jeff

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
          [[user:consent.lead]]
          [[user:consent.not_received]]