IPSec Site-to-Site - Green - but no traffic

  • I'm quite a noob with IPSec. I am trying to set up a site to site VPN. But I think I am missing something.

    The tunnel connects showing the green arrow but no traffic is going over the tunnel.

    I am using version 2.01

    This is my network topography

    Site A:
    Client PC
    pfSense LAN
    pfSense WAN 107.XX.XX.195 ( Static IP ) DG is 107.XX.XX.193
    Cablevision Router 107.XX.XX.193

    Site B:
    Comcast Modem/Router WAN 69.XX.XX.109
    Comcast Modem/Router LAN
    pfSense WAN DG is
    pfSense LAN
    Client PC ( No actual client connected yet)

    I don't know what to post from IPSec, but the tunnel connects, but the SAD tab shows no data.

    Phase 1 and Phase 2 seem to connect.

    I added Firewall rules under IPSEC Tab as follows:

    Proto: TCP
    Source *
    Port *
    Destination: LAN Net
    Port *
    Gateway *
    Queue none

    So, I dont know if there is something else I need to do. I try to ping from pfsense site B to client on site A and get nothing.

    Do I need to setup a Gateway and route?

    Completely frustrated, been working on this for  a week.

    Thanks in advance for help.

  • Sounds like the tunnel is connecting, but you forgot to add the allow rules in the firewall. There is an IPSEC or OpenVPN tab in the firewall rules where you need to add an allow rule. Needs to be rather open if for road warriors and can be closed to just remote subnets if it is a site to site.

  • If you are referring to the firewall rules under IPSec tab, I think that is what I listed at the bottom of the post.

  • Yes, your rule states TCP yet you are trying with a ping which is ICMP protocol. So the firewall is blocking it.
    To test, change the protocol from TCP to any and retest with ping, or add a rule for ICMP:any.

  • Ok, thanks for your help so far, still not able to ping, but I'm sure that rule was part of the problem.
    I set the protocol on both ends to any.

    There is a Firewall rule in the LAN tab, that I don't remember adding, could this be slurping traffic?

    Proto *
    Source LAN Net
    Port         *
    Destination  *
    Port         *
    Gateway    *

    I did pfTop via SSH on one host. This looks like the tunnel trying to work.

    From A
    PR  D SRC                          DEST                    GW                        STATE  AGE
    tcp  O  64.xx.xx.161:80      108.xx.xx.195:33403  4:4  43h

    Anyway, any other suggestions?

  • IT WORKS!, Thanks for your help Podilarius. After re-saving the Phase II entries something clicked, so I can now ping remote hosts. Which I of course would not have been able to without that rule change :)

Log in to reply