Something not quite right about IPsec…

  • Here is the setup: <-> Pfsense1 ( <-> INET <-> ( Pfsense2 <->

    I have set up the IPsec tunnels on both ends, and IPsec status shows the appropriate entries as expected.
    Pfsense1 can ping the network from its LAN interface.
    Pfsense2 can ping the network from its LAN interface.

    This suggests that the tunnel is established, up and running. However, when hosts on the network try to ping hosts on the network, the ping times out.

    When I try a traceroute from the network, traffic leaves the WAN interface of Pfsense2 and starts hitting ISP routers to a certain point before timing out / getting blocked. Surely traffic destined for that network should be encrypted and therefore we should only see one hop before getting to the network (pfsense2 LAN address).

    Any input would be greatly appreciated.


  • Are you using multi-WAN/load balancing? If yes, you need some rules on top of your multi-WAN rules to exclude the IPsec destination subnets from the load balancing.
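The rule ordering described in that reply, shown as an added illustration that is not from the thread or from pfSense's own generated ruleset. It is a trimmed pf ruleset in the style pfSense writes to its rules file: interface names (em0/em1/em2), gateway addresses and the two LAN prefixes are constructed placeholders, not values from the thread. The point is that a pass rule with no `route-to` must sit above the load-balancing rule, so traffic for the remote IPsec subnet stays on the system routing path where the IPsec policy encrypts it, instead of being pushed out a WAN gateway in the clear:

```pf
# Constructed example values (RFC 5737 documentation prefixes), not from the thread
lan_if     = "em0"
lan_net    = "192.0.2.0/24"       # Pfsense2 LAN (assumed)
remote_net = "198.51.100.0/24"    # Pfsense1 LAN reached through the IPsec tunnel (assumed)
wan1_if    = "em1"
wan1_gw    = "203.0.113.1"        # assumed WAN1 gateway
wan2_if    = "em2"
wan2_gw    = "203.0.113.129"      # assumed WAN2 gateway

# 1. Match traffic for the remote IPsec subnet FIRST, with no route-to.
#    The packet follows normal kernel routing, where the IPsec security policy
#    captures and encrypts it before it leaves the WAN.
pass in quick on $lan_if inet from $lan_net to $remote_net keep state

# 2. Everything else from the LAN is policy-routed across both WANs.
#    If this rule were listed first, it would also match $remote_net traffic and
#    route-to would hand the cleartext packet straight to a WAN gateway; the IPsec
#    policy never sees it, which produces the traceroute-into-the-ISP symptom above.
pass in quick on $lan_if inet from $lan_net to any \
    route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin keep state
```

In the pfSense GUI this corresponds to a pass rule on the LAN tab whose Gateway is left at "default", with destination set to the remote IPsec subnet, placed above the rule whose Gateway is the load-balancing group. A quick check that the fix took effect is the same traceroute from the LAN: once the first rule matches, the trace should no longer show ISP hops for the remote subnet.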

  • We are making use of multi-wan. That fixed my problem. Thanks :)

  • Good guess  ;D

