Something not quite right about IPsec…
Here is the setup:
192.168.102.0/24 <-> Pfsense1 (220.127.116.11) <-> INET <-> (18.104.22.168) Pfsense2 <-> 192.168.1.0/24
I have set up the IPsec tunnels on both ends, and the IPsec status shows the appropriate entries as expected.
Pfsense1 can ping the 192.168.1.0/24 network from its LAN interface.
Pfsense2 can ping the 192.168.102.0/24 network from its LAN interface.
This suggests that the tunnel is established, up and running. However, when hosts on the 192.168.1.0/24 network try to ping hosts on the 192.168.102.0/24 network, the ping times out.
When I try a traceroute from the 192.168.1.0/24 network, traffic leaves the WAN interface of Pfsense2 and starts hitting ISP routers up to a certain point before timing out / getting blocked. Surely traffic destined for that network should be encrypted, and therefore we should only see one hop (the Pfsense2 LAN address) before getting to the 192.168.102.0/24 network.
Any input would be greatly appreciated.
Are you using multi-WAN / load balancing? If yes, you need some rules on top of your multi-WAN rules to exclude the IPsec destination subnets from the load balancing.
We are making use of multi-WAN. That fixed my problem. Thanks :)
Good guess ;D
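The fix in this thread comes down to rule order on the LAN interface: pfSense evaluates LAN rules top-down with first match winning, and a rule that carries a gateway (or gateway group) hands the packet straight to that gateway, so traffic for the remote tunnel subnet goes out a WAN in the clear unless a rule without a gateway catches it first. The following is an added example, not pfSense code and not from anyone in the thread; it models that first-match evaluation in Python with constructed rule sets. The rule descriptions, the gateway-group name WAN_LB_GROUP, the probe addresses and the audit helper are all assumptions made here for illustration.

```python
"""Model of pfSense-style first-match LAN rule evaluation with policy routing.

Added example for this thread; it is not pfSense code. Rule names, the
gateway-group name WAN_LB_GROUP and the probe packets are constructed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    descr: str
    src: str                        # source network in CIDR form
    dst: str                        # destination network in CIDR form ("0.0.0.0/0" = any)
    gateway: Optional[str] = None   # None = system routing table, else policy-route to this gateway/group


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[Rule]:
    """Return the first rule whose source and destination contain the packet.

    LAN rules are evaluated top-down and the first match wins, so ordering
    decides which gateway a flow gets.
    """
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst):
            return rule
    return None


def route_decision(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Describe where a packet from src_ip to dst_ip ends up under this rule list."""
    rule = first_match(rules, src_ip, dst_ip)
    if rule is None:
        return "blocked (no matching pass rule)"
    if rule.gateway is None:
        # No gateway set: the packet follows the routing table, so the IPsec
        # policy for the remote subnet can pick it up and send it through the tunnel.
        return "system routing (IPsec policy can apply)"
    # Gateway set: the packet is handed directly to that gateway or group and
    # leaves a WAN without ever reaching the tunnel.
    return f"policy-routed via {rule.gateway}"


def audit_ipsec_bypass(rules: List[Rule], lan_net: str, remote_nets: List[str]) -> List[str]:
    """Return one finding per remote IPsec subnet that the rule list would policy-route.

    Probes the first usable host of the LAN against the first usable host of each
    remote subnet; an empty result means every tunnel subnet escapes policy routing.
    """
    findings = []
    src = str(next(ipaddress.ip_network(lan_net).hosts()))
    for net in remote_nets:
        dst = str(next(ipaddress.ip_network(net).hosts()))
        rule = first_match(rules, src, dst)
        if rule is not None and rule.gateway is not None:
            findings.append(
                f"{net}: matched '{rule.descr}' with gateway {rule.gateway}; "
                f"add a pass rule to {net} with no gateway above it"
            )
    return findings


# Constructed rule sets mirroring the thread: LAN 192.168.1.0/24 behind Pfsense2,
# remote subnet 192.168.102.0/24 behind Pfsense1.
LAN_NET = "192.168.1.0/24"
REMOTE_IPSEC_NET = "192.168.102.0/24"

LOAD_BALANCE = Rule("LAN to any via gateway group", LAN_NET, "0.0.0.0/0", gateway="WAN_LB_GROUP")
IPSEC_BYPASS = Rule("LAN to remote IPsec subnet, default gateway", LAN_NET, REMOTE_IPSEC_NET)

BROKEN_ORDER = [LOAD_BALANCE, IPSEC_BYPASS]   # bypass rule sits below the catch-all and is never reached
FIXED_ORDER = [IPSEC_BYPASS, LOAD_BALANCE]    # bypass rule on top, as the answer in the thread describes


if __name__ == "__main__":
    for name, ruleset in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(name, "->", route_decision(ruleset, "192.168.1.10", "192.168.102.20"))
        for finding in audit_ipsec_bypass(ruleset, LAN_NET, [REMOTE_IPSEC_NET]):
            print("  ", finding)
```

With the catch-all load-balancing rule on top, a LAN host's packet to 192.168.102.20 is policy-routed out the gateway group, which matches the traceroute symptom in the thread; with the no-gateway rule for 192.168.102.0/24 placed above it, the same packet falls through to normal routing and the tunnel. The model only approximates pfSense rule matching (no protocol, port or interface fields), so treat `audit_ipsec_bypass` as a sanity check on rule order, not a substitute for reviewing the real LAN rule set in the pfSense GUI.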