Routing between one IPsec VPN and another

  • I understand from the changelog that multiple stage2s are supported for a single stage1 now.

    I have a site-to-site VPN up between and

    I have a roadwarrior VPN working with clients having addresses.

    I want to route between clients and the network.

    When pinging from a I can see the packets with tcpdump -i enc0 host .
    10:37:37.076219 (authentic,confidential): SPI 0x05878eb3: IP > ICMP echo request, id 4894, seq 6, length 64

    but I never see any replies. can ping and vice versa, but the firewall cannot ping any remote networks directly. Is this expected to work?

  • Does your network know how to reach ? Do you have a P2 for that?

    By default the firewall itself can't directly access any IPsec remote network, but routing does work from the LAN side.

  • mxx:

    Thanks for your reply…

    Yes, I have 2 P2s on the firewall (also pfSense 2.0-RC1),
    one for and one for

    However, the 4.0/24 is listed with a yellow check box on the IPsec status page, while the first (3.0/24) is green.
    I don't understand how one can fail and the other succeed.

  • Hi, since no one else with more knowledge replied:

    Sorry for the dumb question, but do both endpoints have this second P2?
    Is the roadwarrior VPN also IPsec?
    If yes and it doesn't work, try adding a gateway (pfSense's LAN IP) and add routes for those IPsec networks through the LAN IP. That way it should be possible for the firewall to reach the other endpoint directly…
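The two points made in the replies above (the firewall itself cannot reach an IPsec remote network unless its own traffic falls inside a phase 2, and transit between two IPsec networks needs a phase 2 covering that pair of subnets on both ends) come down to how an IPsec SPD selects traffic by source and destination subnet, and which source address the firewall picks for packets it originates. The following is an added toy model of that selection, written for this page and not taken from the thread or from pfSense; the addresses (203.0.113.2 WAN, 192.168.1.0/24 LAN, 10.0.3.0/24 remote site, 10.0.4.0/24 roadwarrior pool) and the `Phase2`/`Route` helpers are constructed for illustration, and the `source` field on a route is a simplification of the kernel's source-address selection.

```python
# Added example (not from the thread or pfSense): a toy model of IPsec
# phase 2 (SPD) selection and of the source-address effect of the static
# route workaround suggested in the reply above. All addresses are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Phase2:
    """One phase 2 entry: packets from `local` to `remote` are encapsulated."""
    name: str
    local: IPv4Network
    remote: IPv4Network


@dataclass(frozen=True)
class Route:
    """A routing entry. `source` models the address the firewall uses as
    source when it originates a packet through this route (simplification
    of real kernel source-address selection)."""
    network: IPv4Network
    gateway: IPv4Address
    source: IPv4Address


def lookup_route(routes, dst):
    """Longest-prefix match. Assumes a default route is present."""
    dst = ip_address(dst)
    matches = [r for r in routes if dst in r.network]
    return max(matches, key=lambda r: r.network.prefixlen)


def select_policy(policies, src, dst):
    """Return the first phase 2 whose local/remote subnets cover the packet."""
    src, dst = ip_address(src), ip_address(dst)
    for p in policies:
        if src in p.local and dst in p.remote:
            return p
    return None  # no SPD match: the packet is not encapsulated


def firewall_originated(routes, policies, dst):
    """What happens to a packet the firewall itself sends to dst:
    returns (source address used, matching phase 2 name or None)."""
    r = lookup_route(routes, dst)
    p = select_policy(policies, r.source, dst)
    return (str(r.source), p.name if p else None)


# Constructed topology (hypothetical, not the poster's networks).
WAN_IP = ip_address("203.0.113.2")
LAN_IP = ip_address("192.168.1.1")
LAN = ip_network("192.168.1.0/24")
SITE_B = ip_network("10.0.3.0/24")        # remote site-to-site network
ROADWARRIORS = ip_network("10.0.4.0/24")  # mobile client address pool

# Two phase 2s, both with the LAN as the local side.
POLICIES = [
    Phase2("lan-to-siteb", LAN, SITE_B),
    Phase2("lan-to-rw", LAN, ROADWARRIORS),
]

# Default routing table: everything not on the LAN leaves via the WAN.
DEFAULT_ROUTES = [
    Route(ip_network("0.0.0.0/0"), ip_address("203.0.113.1"), WAN_IP),
    Route(LAN, LAN_IP, LAN_IP),
]

# The workaround from the reply: route the IPsec networks via the LAN IP so
# firewall-originated packets are sourced from the LAN address.
WITH_STATIC = DEFAULT_ROUTES + [
    Route(SITE_B, LAN_IP, LAN_IP),
    Route(ROADWARRIORS, LAN_IP, LAN_IP),
]


if __name__ == "__main__":
    # Without the static route the firewall sources from its WAN IP, which no
    # phase 2 covers, so the ping never enters the tunnel.
    print(firewall_originated(DEFAULT_ROUTES, POLICIES, "10.0.3.7"))
    # With the static route the source becomes the LAN IP and the P2 matches.
    print(firewall_originated(WITH_STATIC, POLICIES, "10.0.3.7"))
    # A roadwarrior talking to site B matches nothing until a phase 2 for that
    # pair of subnets exists (and the remote endpoint needs the mirror image).
    print(select_policy(POLICIES, "10.0.4.5", "10.0.3.7"))
    extra = POLICIES + [Phase2("rw-to-siteb", ROADWARRIORS, SITE_B)]
    print(select_policy(extra, "10.0.4.5", "10.0.3.7").name)
```

The model only answers "does this packet fall inside a phase 2", which is the check to make before looking further: a policy that matches in one direction on one endpoint still fails if the peer lacks the mirrored phase 2, which is the usual cause of one P2 showing up green and the other not.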
