4. Something not quite right about IPsec…

Something not quite right about IPsec…

  • T

    Here is the setup:

    192.168.102.0/24 <-> Pfsense1 (84.83.82.81) <-> INET <-> (20.21.22.23) Pfsense2 <-> 192.168.1.0/24

    I have setup the IPsec tunnels on both ends, IPsec status shows the appropriate entries as expected.
    Pfsense1 can ping the 192.168.1.0/24 network from its LAN interface.
    Pfsense2 can ping the 192.168.102.0/24 network from its LAN interface.

    This suggests that the tunnel is established, up and running. However, when hosts on the 192.168.1.0/24 network try and ping hosts on the 192.168.102.0/24 network the ping times out.

    When I try a traceroute from the 192.168.1.0/24 network, traffic leaves the WAN interface of Pfsense2 and starts hitting ISP routers to a certain point before timing out / getting blocked. Surely traffic destined for that network should be encrypted and therefore we should only see one hop before getting to the 192.168.102.0/24 network (pfsense2 LAN address).

    Any input would be greatly appreciated.

    Thanks

    0
  • H

    Are you using multiwan/loadbalancing? If yes you need some rules on top of your multiwanrules to exclude the ipsec destination subnets from the loadbalancing.

    0
  • T

    We are making use of multi-wan. That fixed my problem. Thanks :)

    0
  • H

    Good guess  ;D

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy