Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Traceroute across IPSec to remote router doesn't work, everything else does?

    IPsec
    3
    3
    5.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Z
      ZPrime
      last edited by

      Remote end is a Palo Alto PA-2020 unit.  My end is pfSense 1.2.3 Embedded.

      remote: 192.168.1.0/24
      local: 192.168.42.0/24

      This is from my LAN (host on the LAN, my MacBookPro)
      Ping works -
      PING 192.168.1.1 (192.168.1.1): 56 data bytes
      64 bytes from 192.168.1.1: icmp_seq=0 ttl=63 time=49.536 ms
      64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=49.489 ms
      64 bytes from 192.168.1.1: icmp_seq=2 ttl=63 time=49.092 ms

      Ping to other hosts works:
      PING 192.168.1.31 (192.168.1.31): 56 data bytes
      64 bytes from 192.168.1.31: icmp_seq=0 ttl=126 time=48.840 ms
      64 bytes from 192.168.1.31: icmp_seq=1 ttl=126 time=48.073 ms

      Traceroute to the remote firewall IP fails:
      traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 52 byte packets
      1  pf (192.168.42.1)  11.053 ms  9.240 ms  10.000 ms
      2  * * *
      3  * * *
      4  * * *

      But here's where it's interesting - traceroute to a remote host (not the firewall/router) does work, but there's something weird happening:
      traceroute to 192.168.1.31 (192.168.1.31), 64 hops max, 52 byte packets
      1  pf (192.168.42.1)  5.802 ms  9.219 ms  9.900 ms
      2  pf (192.168.42.1)  50.002 ms  49.870 ms  49.075 ms
      3  192.168.1.31 (192.168.1.31)  49.912 ms  49.860 ms  49.795 ms

      Please note line 2 in that trace - see how the times are higher, as though those responses are coming from the remote end of the tunnel… but it is showing my pf IP.   ???

      I'm at a loss as to why this is happening.

      Also, from the remote side (also not on the firewall, for completeness):
      Tracing route to 192.168.42.1 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  pan [192.168.1.1]
        2    37 ms    40 ms    40 ms  192.168.42.1

      Trace complete.

      No extra hop on the way back.

      So, it's either something with how the Palo Alto unit handles the incoming VPN traffic, or there's something strange with the way it comes in from pfSense.  I'm stumped.

      Thankfully everything else seems to be working so it's not a life-ender, but I'm concerned that the traffic may be doing something it shouldn't and I'd like to correct it if possible.

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Traceroute will always be weird over IPsec because IPsec isn't routed. Traffic is grabbed and basically shoved down the tunnel.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • T
          TerminalE
          last edited by

          bradenmcg,

          Can you post how your PA2020 is configured for the pfSense tunnel?  I am trying to connect a PA2050 to a remote pfSense and keeping getting a timeout error.

          Thanks,
          Jeff

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.