1.2.3 RC3 - Site to Site - NAT-T appears to work! but only pings one way

  • I've just set up a Draytek router with an IPsec site-to-site tunnel to a pfSense box; the Draytek is behind NAT.

    The tunnel establishes itself instantly every time, and from the "remote" Draytek I am able to ping everything on the LAN of the pfSense. However, it doesn't work the other way round.

    My initial thought was the firewall on the Draytek, but apart from the tweak to get it to authenticate to the pfSense as a mobile user, it's the exact same as the other 10 or so Drayteks I have out in the field, which are working without issue.

    My next thought was that when creating this VPN on pfSense, at no point did I specify the remote subnet. I'm wondering if this means pfSense isn't certain how to route packets destined for the remote subnet and sends them out on WAN instead?

    After reading around on here I found someone who suggested I may need to create a static rule (Interface: LAN, Destination: remote LAN subnet/24, Gateway: tried both pfSense LAN IP and Already had a firewall rule to pass all for IPsec.

    However, my traceroutes from the pfSense LAN to the remote LAN still don't get any further than my pfSense box.

    I'm also a little confused, as I thought NAT-T was removed from 1.2.3 after RC1?

    Is there any way to be able to ping/access machines both ways?

    Also, is this normal behaviour or is this a glitch in RC3?

    Edit: a little more info - the pfSense box has 1 x WAN interface plugged straight into our fibre service and 1 x LAN on the office LAN.

    The pfSense box isn't the default gateway for PCs on its LAN, although relevant static routes have been set, and I have one test PC with pfSense set as the default gateway, which makes no difference. (The box is only there for VPN, hence not using it as the default gateway for most PCs.)

  • OK, just tried it with a 1.2.3 Release box and I get the same story!