Site to Site Trace Route



  • I've set up a test network using two pfSense boxes with the following topology:

    10.0.0.0/24 --- pfSense 1 >----192.168.1.0/24----< pfSense 2 --- 10.0.1.0/24

    I am using a site to site IPSec VPN to connect both subnets.

    When I perform a tracert from a host in either subnet to the host in the opposite subnet, the second hop always times out:

    Tracing route to 10.0.1.101 over a maximum of 30 hops
    
      1    <1 ms    <1 ms    <1 ms  10.0.0.1
      2     *        *        *     Request timed out.
      3     1 ms    <1 ms     1 ms  10.0.1.101
    
    Trace complete.
    

    I'd like to be able to see what the hop is. I've tried setting allow-all rules on the WAN and IPSec interfaces to no avail. Is there any way to get it to stop timing out?



  • In that case you will need to have a P2 entry for 192.168.1.0/24.

    At the moment there is no rule to route the ICMP replies from this network. The VPN simply 'moves' the packets from one network to the other using magic and misdirection!



  • There is no hop in between that can reply with the TTL expired, the tunnel itself has no IPs and isn't routing. What you're seeing is just how IPsec functions. The inner traffic like a traceroute cannot have any concept of where the outer traffic is going.
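    A small model of the two replies above, added here as an illustration and not from the thread: a TTL-limited probe crosses the tunnel, the outer ESP packet carries its own TTL, and the only hop that could answer for "hop 2" is pfSense 2, whose reply gets back to the probing host only if a phase-2 selector covers it. The WAN addresses (192.168.1.1/.2), the probing host (10.0.0.101) and the WAN-sourced time-exceeded reply are assumptions.

```python
import ipaddress

# Constructed topology from the thread; WAN addresses and the probing host are assumptions.
HOST, DEST = "10.0.0.101", "10.0.1.101"
PF1 = {"lan": "10.0.0.1", "wan": "192.168.1.1"}
PF2 = {"wan": "192.168.1.2", "lan": "10.0.1.1"}
# Phase-2 selectors: (local, remote) network pairs the tunnel carries.
P2_BASE = [("10.0.0.0/24", "10.0.1.0/24")]

def in_tunnel(p2, src, dst):
    """True if a src->dst packet matches a P2 selector in either direction."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a, b in p2:
        na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
        if (s in na and d in nb) or (s in nb and d in na):
            return True
    return False

def probe(ttl, p2):
    """Send one probe with the given TTL; return the address that answers, or '*'."""
    # Hop 1: pfSense 1 forwards from its LAN. An expired TTL is answered from the
    # LAN address, which the host reaches directly, so hop 1 always shows up.
    ttl -= 1
    if ttl == 0:
        return PF1["lan"]
    # The inner packet is now ESP-encapsulated. The outer packet (192.168.1.1 -> .2)
    # has its own TTL, so nothing on the transit network ever sees the inner TTL.
    # Hop 2: pfSense 2 decapsulates and forwards. Assumed: its time-exceeded reply is
    # sourced from the WAN address and reaches the host only via a matching selector.
    ttl -= 1
    if ttl == 0:
        return PF2["wan"] if in_tunnel(p2, PF2["wan"], HOST) else "*"
    # Hop 3: the destination's echo reply, matched by the base selector.
    return DEST if in_tunnel(p2, DEST, HOST) else "*"

def traceroute(p2, max_hops=5):
    """Probe with increasing TTL until the destination answers."""
    path = []
    for ttl in range(1, max_hops + 1):
        path.append(probe(ttl, p2))
        if path[-1] == DEST:
            break
    return path

if __name__ == "__main__":
    print(traceroute(P2_BASE))                                        # hop 2 is '*'
    print(traceroute(P2_BASE + [("10.0.0.0/24", "192.168.1.0/24")]))  # hop 2 is 192.168.1.2
```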



  • Ok thanks for the info.

