Can't reach host via ipsec tunnel



  • So, finally the tunnel is up; now comes the next problem:
    We can't reach the host behind the tunnel.

    What I have is:
    1.2.3.80 = remote side
    1.2.3.95 = remote network (single host)
    6.7.8.210 = public ip on my pfsense.
    192.168.150.0/24 = my local network

    Tunnel is up - "green" + confirmed from remote side.
    Remote side could also see that I accidentally had NAT enabled first, so connection is there.
    However, we can't reach their host 1.2.3.95 from any server on 192.168.150.0/24.

    • We are supposed to connect on port 2222
    • Exactly same tunnel is active from another server not housed by us (we want to move the tunnel "in-house")
    • From that server I can do "telnet 1.2.3.95 2222" and get a connection.
    • Telnet from our servers gives "connection timeout".
    • "traceroute 1.2.3.95" from a server or from pfsense shows the LAN IP, then nothing (well, '*' all the way), so I guess traffic goes the right way?
    • "netstat -r" on pfsense doesn't show any ipsec-related routes, and "ifconfig" shows no ipsec interface - but then I think on BSD this is ok?
    • Firewall rules allow everything out from LAN, any-to-any on the IPsec interface.
    • Firewall rules don't show anything blocked for the remote gateway or host.

    Any ideas?
    --
    Edit: A little more info:
    Running tcpdump on LAN if on pfsense, I get repeatedly:
    17:40:35.830749 ARP, Request who-has1.2.3.95 tell 192.168.150.3, length 46



  • Seeing ARP requests for hosts that are off the local subnet means the host that's issuing that ARP request is misconfigured in some fashion. Wrong subnet mask, missing default gateway, broken routing table in some fashion, something along those lines.
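The check described in the reply above, as an added example that is not part of the original thread: it scans tcpdump ARP output for requests whose target lies outside the local subnet, which is the symptom of a host that has no route (or a wrong mask) for the remote network. The sample capture lines are constructed for the example, modelled on the line posted in the question; the subnet 192.168.150.0/24 is the one given in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample tcpdump -i <LAN> output (not a real capture).
# The first line reproduces the exact spacing quirk from the thread ("who-has1.2.3.95").
SAMPLE_TCPDUMP = """\
17:40:35.830749 ARP, Request who-has1.2.3.95 tell 192.168.150.3, length 46
17:40:36.102233 ARP, Request who-has 192.168.150.1 tell 192.168.150.3, length 46
17:40:36.555100 ARP, Reply 192.168.150.1 is-at 00:11:22:33:44:55, length 28
17:40:37.830749 ARP, Request who-has1.2.3.95 tell 192.168.150.3, length 46
17:40:38.010000 IP 192.168.150.3.49152 > 192.168.150.1.53: UDP, length 40
"""

# Matches ARP requests; \s* tolerates the missing space after "who-has".
ARP_REQUEST = re.compile(r"ARP, Request who-has\s*(\S+) tell (\S+),")


def find_offsubnet_arp(capture_text, local_subnet):
    """Return (sender, target) pairs for every ARP request whose target
    address is not inside local_subnet. Non-ARP lines are ignored."""
    net = ipaddress.ip_network(local_subnet, strict=False)
    hits = []
    for line in capture_text.splitlines():
        m = ARP_REQUEST.search(line)
        if not m:
            continue
        target, sender = m.group(1), m.group(2)
        try:
            target_ip = ipaddress.ip_address(target)
        except ValueError:
            continue  # malformed line, skip it
        if target_ip not in net:
            hits.append((sender, target))
    return hits


def summarize(hits):
    """Group off-subnet ARP requests as {sender: {target: count}} so the
    misconfigured host (the sender) and what it is trying to reach stand out."""
    summary = defaultdict(lambda: defaultdict(int))
    for sender, target in hits:
        summary[sender][target] += 1
    return {s: dict(t) for s, t in summary.items()}


if __name__ == "__main__":
    hits = find_offsubnet_arp(SAMPLE_TCPDUMP, "192.168.150.0/24")
    for sender, targets in summarize(hits).items():
        for target, count in targets.items():
            print(f"{sender} ARPed {count}x for off-subnet host {target}: "
                  f"check its subnet mask / default gateway / routing table")
```

Run it against real output with something like `tcpdump -n -i <LAN interface> arp > arp.txt` on the firewall and pass the file contents to `find_offsubnet_arp`. Any sender that appears in the summary is asking layer 2 for an address that should have gone to its gateway, so the traffic never reaches the IPsec policy on the firewall at all.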



  • Strangely enough, it was only a lifetime mismatch for phase 1.
    So finally we're connected, all is fine!

