Something not quite right about IPsec…



  • Here is the setup:

    192.168.102.0/24 <-> pfSense1 (84.83.82.81) <-> INET <-> (20.21.22.23) pfSense2 <-> 192.168.1.0/24

    I have set up the IPsec tunnels on both ends, and IPsec status shows the appropriate entries as expected.
    pfSense1 can ping the 192.168.1.0/24 network from its LAN interface.
    pfSense2 can ping the 192.168.102.0/24 network from its LAN interface.

    This suggests that the tunnel is established, up and running. However, when hosts on the 192.168.1.0/24 network try to ping hosts on the 192.168.102.0/24 network, the ping times out.

    When I try a traceroute from the 192.168.1.0/24 network, traffic leaves the WAN interface of pfSense2 and starts hitting ISP routers up to a certain point before timing out / getting blocked. Surely traffic destined for that network should be encrypted, and therefore we should only see one hop (the pfSense2 LAN address) before getting to the 192.168.102.0/24 network.

    Any input would be greatly appreciated.

    Thanks



  • Are you using multi-WAN / load balancing? If yes, you need some rules on top of your multi-WAN rules to exclude the IPsec destination subnets from the load balancing.
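
    Why the rule order matters, as an added example (not code from the thread or from pfSense): the model below reproduces first-match evaluation of LAN rules. A rule with a gateway group set policy-routes the packet straight out that WAN, so the packet never takes the default route where the IPsec policy would catch it; a rule with no gateway, matched first for the remote IPsec subnet, keeps that traffic on the system routing table and therefore in the tunnel. The rule names, the gateway-group name "LoadBalance", and the host addresses are constructed for illustration.

```python
import ipaddress

# Tunnel endpoints' LAN subnets, taken from the setup in the thread.
IPSEC_LOCAL = ipaddress.ip_network("192.168.1.0/24")    # behind pfSense2
IPSEC_REMOTE = ipaddress.ip_network("192.168.102.0/24")  # behind pfSense1

# Constructed LAN rule sets: (description, destination, gateway).
# gateway=None means "default" (system routing table); a named gateway group
# means pf route-to, i.e. policy routing out a chosen WAN.
RULES_BROKEN = [
    ("LAN to any via load balancer", "any", "LoadBalance"),   # hypothetical group name
]
RULES_FIXED = [
    ("IPsec bypass: remote subnet, default gateway", str(IPSEC_REMOTE), None),
    ("LAN to any via load balancer", "any", "LoadBalance"),
]


def first_match(rules, dst):
    """Return (description, gateway) of the first rule matching dst, like pf's
    quick rules as pfSense generates them; None if nothing matches (default deny)."""
    dst_ip = ipaddress.ip_address(dst)
    for desc, net, gw in rules:
        if net == "any" or dst_ip in ipaddress.ip_network(net):
            return desc, gw
    return None, None


def forward(rules, src, dst):
    """Model where a LAN packet leaves the firewall:
    'drop', 'policy-routed via <gw>' (cleartext out that WAN),
    'ipsec' (encrypted into the tunnel), or 'default route'."""
    desc, gw = first_match(rules, dst)
    if desc is None:
        return "drop"
    if gw is not None:
        # route-to hands the packet to the gateway before the routing
        # decision, so the IPsec security policy never sees it.
        return f"policy-routed via {gw}"
    # Default route: the kernel consults the IPsec SPD while routing.
    if ipaddress.ip_address(src) in IPSEC_LOCAL and ipaddress.ip_address(dst) in IPSEC_REMOTE:
        return "ipsec"
    return "default route"


if __name__ == "__main__":
    for name, rules in (("broken", RULES_BROKEN), ("fixed", RULES_FIXED)):
        print(name, "->", forward(rules, "192.168.1.10", "192.168.102.20"))
```

    With the broken set the ping to 192.168.102.20 is sent in the clear out the load-balanced WAN, which is exactly the traceroute symptom in the first post; with the bypass rule placed above the multi-WAN rule it enters the tunnel, while Internet-bound traffic is still load balanced.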



  • We are making use of multi-wan. That fixed my problem. Thanks :)



  • Good guess  ;D

