Is pfSense capable of sending data over its own IPSec links?
I was wondering if pfSense is capable of sending data over an IPSec link it hosts itself. For example:
Host A <--- LAN ---> pfSense A <--- IPSEC ---> pfSense B <--- LAN ---> Host B
When I do a traceroute from host A to host B over the IPSec link hosted by both pfSense A and pfSense B, I notice that the pfSense B side never replies, though it does pass the packets on to and back from host B. Also, when I log onto pfSense and try from the console to reach the other side of the IPSec link, I don't get any replies. As far as I can see it is not a firewall rule blocking this traffic.
So I was wondering, is it possible to allow pfSense A and pfSense B to communicate with each other directly over the IPSec link they both host?
It can, it just needs a nudge.
Thanks for your reply! I gave it a try and now I can indeed ping from pfSense A to pfSense B. What still doesn't work is that, when I do a traceroute from host A to host B, pfSense B replies to the ICMP packets involved in the traceroute. Perhaps this is due to something else. Got a clue?
Traceroute will never work correctly through IPsec. It's just a side effect of how IPsec works in the FreeBSD kernel.
Pity. At least now I know I can stop looking for a solution for it :) Thanks!