Cannot reach hosts across pfSense site to site ipsec tunnel
-
I am sure that this is something glaringly wrong with my setup as this should be the bread and butter for ipsec site to site tunnel.
I have two pfSense firewalls, both directly connected to the internet, with one unique NATed LAN subnet behind each. I have an IPsec tunnel between site 1 and site 2 and can successfully ping the opposite end of the tunnel from any device at either site. Both pfSense boxes are running 2.1RC2.
I cannot, however, ping any device on the other subnet other than the pfSense box itself. There are no errors in the logs, the IPsec status tabs show that things are up and happy, and in fact the counters on the SAD tab show data flowing.
Site 1 Phase 2 shows:
Mode    Local Subnet  Remote Subnet   P2 Protocol  P2 Transforms  P2 Auth Methods
tunnel  LAN           192.168.2.0/24  ESP          AES (auto)     SHA1
Site 2 Phase 2 shows:
Mode    Local Subnet  Remote Subnet   P2 Protocol  P2 Transforms  P2 Auth Methods
tunnel  LAN           192.168.0.0/24  ESP          AES (auto)     SHA1
On both ends there is a route that points the remote subnet to the LAN IP, which is the end of the IPsec tunnel.
Traceroute from one end to the other pfSense shows:
Tracing route to 192.168.2.1 over a maximum of 30 hops
  1     1 ms     1 ms     1 ms  192.168.0.1
  2    39 ms    39 ms    39 ms  192.168.2.1
Trace complete.
To a host, however, it shows:
Tracing route to 192.168.2.251 over a maximum of 30 hops
  1     1 ms     1 ms     1 ms  192.168.0.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
Any thoughts on what to check to get this working properly?
-
Did you allow the ICMP traffic on the VPN tunnel? I think I remember having to do that, in addition to allowing it on the "real" interfaces (inside/outside).
-
ICMP could also be blocked by the host firewall.
-
+1 here.
Version 2.1, tunnel UP.
pfSense1 LAN 192.168.0.5/24
pfSense2 LAN 192.168.1.1/24
Site 1 LAN subnet 192.168.0.0/24
Site 2 LAN subnet 192.168.1.0/24
Can ping the pfSense LAN IPs on both sides but can't ping HOSTS; didn't add any static routes though.
Firewall -> Rules -> IPsec -> ANY
-
IPsec on FreeBSD is directly attached to the kernel; you don't need to (and shouldn't) add static routes.
Remember that once the tunnel is up, it behaves like any other interface, so you need to add rules under Firewall -> Rules -> IPsec to allow incoming traffic on each end.
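As an added illustration of the rule the answer above describes (this is not from the original post or from pfSense's own configuration), here are the equivalent pf rules written for the questioner's subnets. On pfSense the IPsec tab rules are applied to FreeBSD's enc0 interface, which carries the decrypted traffic; the two rule sets below show the overly permissive "allow anything" rule many people start with alongside a tighter version that only admits the remote LAN. The subnets are taken from the question; the interface name enc0 and the choice to restrict to ICMP plus the remote /24 are assumptions for the example.

```pf
# Site 1 (LAN 192.168.0.0/24), applied on the IPsec (enc0) interface.
# Traffic arriving here has already been decrypted by the kernel, so this is
# the first place a filter rule can drop it.

# Starting point: wide open. Works, but lets anything the far side sends through.
pass in quick on enc0 inet from any to any keep state

# Tighter: only the remote LAN may reach the local LAN, and only the protocols
# you actually need. Add further "pass" lines per service instead of "any".
pass in quick on enc0 inet proto icmp from 192.168.2.0/24 to 192.168.0.0/24 icmp-type echoreq keep state
pass in quick on enc0 inet proto tcp  from 192.168.2.0/24 to 192.168.0.0/24 port { 22, 445 } keep state
block in quick on enc0 inet from any to any
```

Site 2 gets the mirror image with 192.168.0.0/24 and 192.168.2.0/24 swapped. Two checks worth doing before editing rules: run `tcpdump -ni enc0 icmp` on the far-side pfSense while pinging a host behind it; if echo requests appear on enc0 but no replies come back from the host, the problem is past the firewall (the host's own firewall, or a default gateway on that host that is not the pfSense box, so the reply never re-enters the tunnel). If nothing appears on enc0 at all, the packet is being dropped or routed elsewhere before it reaches the tunnel.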
-
And, if possible, openvpn would be a step up… Unless there is something that prevents it.