Netgate Discussion Forum

    IPSec Tunnel Static-Static no routing between sites

    9 Posts 2 Posters 4.6k Views
nbviegas

      Hi All,

      I have been carefully reading all posts (and googling) and I hope I have not missed the ONE answer to my problem. I think this issue is recurrent but I have not seen any answer that would solve it.

      I am using 1.0.1.snapshot 2007-03.27 on both pfsenses. I have set a site-site IPsec tunnel (static IP on both) and it is up and running. The issue is I have no routing from pfsense A to pfsense B or vice-versa.

      In the routing table there is no Remote LAN address shown. Should I create a static routing? Is it a version bug? which gateway should I chose? and Interface?

      Regards,
      nbviegas

cmb

        IPsec doesn't add static routes. Under Diagnostics -> IPsec, do you have anything in the SAD?

nbviegas

          Hi cmb,

          Yes, currently I have the 2 entries:

pfsense A
Source                Destination           Protocol  SPI  Enc. alg.  Auth. alg.
10.0.0.1              <pfsense B pub IP>    ESP       x    12         hmac-md5
<pfsense B pub IP>    10.0.0.1              ESP       x    12         hmac-md5

pfsense B
Source                Destination           Protocol  SPI  Enc. alg.  Auth. alg.
10.10.10.5            <pfsense A pub IP>    ESP       x    12         hmac-md5
<pfsense A pub IP>    10.10.10.5            ESP       x    12         hmac-md5

I don't know if it has any relevance to the issue, but both pfsenses are connected to an ADSL router via ethernet, and 10.0.0.1 and 10.10.10.5 are the pfsense IP addresses of the interface connected to the ADSL router.

          Thanks in advance,
nbviegas

cmb

What are the subnets and subnet masks of the LAN and WAN IPs on both sides?

nbviegas

              Hi cmb,

              Thanks for your help. I have the following network architecture:

LAN                    <          Pfsense A            >      <        ADSL          >
10.20.235.0/24 ---- <10.20.235.253/24 - 10.10.10.5/24> -- <10.10.10.1/24 - Pub Static IP> ....

<        ADSL          >              <        pfsense B          >           LAN
.... <Pub Static IP - 10.0.0.138/24> -- <10.0.0.1/24 - 192.168.16.253/24> ----- 192.168.16.0/24

              It is quite simple.
              Cheers,
nbviegas

nbviegas

                Hi All,

Another piece of information that can be helpful:

1. Under System Logs -> IPsec I can see:

                May 28 19:28:06 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.10.10.5[0]->Public IP Address[0] spi=212041162(0xca37dca)
                May 28 19:28:06 racoon: INFO: IPsec-SA established: ESP/Tunnel Public Ip Address[0]->10.10.10.5[0] spi=76543909(0x48ff7a5)

2. Under System Logs -> Firewall (as I set up the IPsec rule to log traffic) I can see the pinging traffic:

May 28 19:36:13 ENC0 10.20.235.253 192.168.16.199 ICMP
May 28 19:36:11 ENC0 10.20.235.253 192.168.16.199 ICMP

                Thanks in advance,
                nbviegas

cmb

                  All looks fine, subnets aren't overlapping, traffic is passing through, so it looks like it's making it to the other side.

                  At this point, I'm about 99% certain your pfsense config is fine. Time to start looking for network issues.

                  Is the default gateway of every system involved pfsense?

                  Make sure your subnet masks are /24 everywhere. If you're trying to use 10.x IP machines with a /8 subnet mask you're going to have problems.

                  Last, it looks like your WAN IP's are private? Is there any way you can try with public IP's on your pfsense WAN interfaces? It could be that whatever device is doing the NAT is causing problems, though I wouldn't think you would get SA's if that were the case.

nbviegas

                    Hi cmb,

                    I have double-checked all netmasks and all shows up as /24  :D

My issue is basically routing then. Weirdly, when I go to "Diagnostics: Routing Tables" I have nothing saying that 192.168.16.0/24 (on pfsense A) should go through interface ENC0 (IPsec to pfsense B). As for the default gw of pfsense, I have - default 10.0.0.138 UGS 0 682017 1500 fxp0 - which is the IP address of the ADSL router.

                    Is there any issue with this setup?

What do you mean by "Is the default gateway of every system involved pfsense?". From what I get, the existing DHCP server gives the default gw as the pfsense LAN IP address.

                    Cheers,
                    nbviegas

cmb

                      @nbviegas:

My issue is basically routing then. Weirdly, when I go to "Diagnostics: Routing Tables" I have nothing saying that 192.168.16.0/24 (on pfsense A) should go through interface ENC0 (IPsec to pfsense B). As for the default gw of pfsense, I have - default 10.0.0.138 UGS 0 682017 1500 fxp0 - which is the IP address of the ADSL router.

                      Is there any issue with this setup?

                      It's not routing. As I said before, there is no routing involved with IPsec, as far as the routing table is concerned. It's the SPD that encapsulates matching traffic and sends it to the destination.

                      @nbviegas:

What do you mean by "Is the default gateway of every system involved pfsense?". From what I get, the existing DHCP server gives the default gw as the pfsense LAN IP address.

                      If you're using pfsense for DHCP for everything and don't have anything statically addressed then you don't have to worry about what the gateways are set to.

                      Since the traffic is getting logged at the source end, what about at the destination end if you enable logging there?

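As an added example (not code from the thread, from pfSense or from racoon), the two checks cmb's replies rest on, modelled in Python with the addresses nbviegas posted: whether a packet matches the phase-2 selectors (the SPD decision that sends LAN-to-LAN traffic into the tunnel without any routing-table entry) and whether any of the four subnets overlap, including the /8 mask case cmb warns about. The policy tuple, the subnet names and the /8 variant are assumptions constructed for the example.

```python
# Added example, not from the thread. Models why "no route to the remote LAN" is
# normal for pfSense 1.0.x IPsec (KAME/racoon): the kernel SPD matches packets
# against the phase-2 selectors and encapsulates them; the routing table is not
# consulted for that decision. Addresses are the ones nbviegas posted; the /8
# topology is a constructed "what if" for the mask problem cmb mentions.
from ipaddress import ip_network, ip_address
from itertools import combinations

def spd_selects(policy, src, dst):
    """True if a packet src->dst matches a phase-2 policy (local_net, remote_net)."""
    local, remote = ip_network(policy[0]), ip_network(policy[1])
    return ip_address(src) in local and ip_address(dst) in remote

def overlapping(subnets):
    """Return [(name_a, name_b)] for every pair of named subnets that overlap."""
    nets = {name: ip_network(cidr, strict=False) for name, cidr in subnets.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]

# Assumed phase-2 selectors on pfSense A: (local LAN, remote LAN).
PHASE2_A = ("10.20.235.0/24", "192.168.16.0/24")

# Topology from the thread, everything /24.
TOPOLOGY = {
    "LAN A": "10.20.235.0/24",
    "WAN A": "10.10.10.0/24",
    "WAN B": "10.0.0.0/24",
    "LAN B": "192.168.16.0/24",
}

# Constructed variant: LAN A hosts masked /8 instead of /24.
TOPOLOGY_BAD_MASK = dict(TOPOLOGY, **{"LAN A": "10.20.235.0/8"})

if __name__ == "__main__":
    # The logged ping 10.20.235.253 -> 192.168.16.199 is selected for encapsulation...
    print(spd_selects(PHASE2_A, "10.20.235.253", "192.168.16.199"))  # True
    # ...while a packet to the peer's WAN address is not, and follows the default route.
    print(spd_selects(PHASE2_A, "10.20.235.253", "10.0.0.1"))        # False
    # All /24: nothing overlaps, as cmb concluded.
    print(overlapping(TOPOLOGY))           # []
    # With a /8 mask, LAN A swallows both WAN subnets, so hosts on LAN A would
    # treat the pfSense WAN sides as on-link instead of sending via the gateway.
    print(overlapping(TOPOLOGY_BAD_MASK))  # [('LAN A', 'WAN A'), ('LAN A', 'WAN B')]
```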