Connectivity issue through IPsec Tunnel


  • Moderator

    I am having an issue with an Ubuntu Machine.

    A Network 10.10.1.0/24

    B Network 10.10.2.0/24

    C Network 10.10.3.0/24

    I have set up an IPsec VPN tunnel from A - B, and A - C (all pfSense boxes).

    I have an Ubuntu server on the A network and an Ubuntu machine on the B network.

    When I ping/ssh from the Ubuntu machine on B to the A network, I am getting a Host Unreachable/Destination Host Unreachable.
    The Ubuntu machine can resolve the host and IP, as is confirmed with a dig -x command. The Ubuntu machine on B can ping the local pfSense router and anything local or internet based. But it can't ping anything on the A network, including the A router. All other devices have no issue. Just this one Ubuntu machine.

    I have no issue with connectivity between the A and C networks.

    If I run this command on the Ubuntu machine in the B network

    sysctl -w net.ipv4.ip_forward=1

    I can ping/ssh from A <-> B. The Ubuntu machine has one NIC and two additional ones for a TAP monitoring system, so they are set to:

    eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
              inet addr:xx.xx.xx.xx  Bcast:xx.xx.xx.255  Mask:255.255.255.0
              inet6 addr: xxxx::xxx:xxxx:xxxx:xxxx/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:750659 errors:0 dropped:0 overruns:0 frame:0
              TX packets:460220 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:122675477 (122.6 MB)  TX bytes:409259079 (409.2 MB)
              Interrupt:19 Memory:f0180000-f01a0000

    eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
              UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:4857110 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1017130172 (1.0 GB)  TX bytes:0 (0.0 B)
              Interrupt:16 Memory:f0280000-f02a0000

    eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
              UP BROADCAST NOARP PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
              Interrupt:16 Memory:f0300000-f0320000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:554233 errors:0 dropped:0 overruns:0 frame:0
              TX packets:554233 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:783922279 (783.9 MB)  TX bytes:783922279 (783.9 MB)

    route -n

    Kernel IP routing table
    Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
    0.0.0.0        xx.xx.xx.xx      0.0.0.0        UG    100    0        0 eth0
    xx.xx.xx.0      0.0.0.0        255.255.255.0  U    0      0        0 eth0
    169.254.0.0    0.0.0.0        255.255.0.0    U    1000  0        0 eth0

    So with "sysctl -w net.ipv4.ip_forward=1", ping and ssh work, but the traceroute doesn't seem as expected.
    I don't understand how the machine is forwarding when only one NIC has an address?

    PING xx.xx.xx.xx (xx.xx.xx.xx) 56(84) bytes of data.

    From xx.xx.xx.xx: icmp_seq=1 Redirect Host(New nexthop: xx.xx.xx.xx)
    64 bytes from xx.xx.xx.xx: icmp_req=1 ttl=63 time=46.8 ms

    traceroute xx.xx.xx.xx  (Traceroute from SO Sensor to SO Server)

    traceroute to xx.xx.xx.xx (xx.xx.xx.xx), 30 hops max, 60 byte packets
    1  xx.xx.xx.xx (xx.xx.xx.xx)  0.545 ms  0.532 ms  0.519 ms
    2  * * *
    3  * * *
    4  * * *
    5  * * *
    6  * * *
    7  * * *
    8  * * *
    9  * * *
    10  * * *
    11  * * *
    12  * * *
    13  * * *
    14  * * *
    15  * * *
    16  * * *
    17  * * *
    18  * * *
    19  * * *
    20  * * *
    21  * * *
    22  * * *
    23  * * *
    24  * * *
    25  * * *
    26  * * *
    27  * * *
    28  * * *
    29  * * *
    30  * * *

    There are no blocks in iptables, and UFW is set to allow the connectivity.
    If anyone has any suggestions, I would appreciate it as I've tried several things to fix this issue without success.
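The post above hinges on two things that can be checked from the pasted output: where the host's own routing table sends traffic for the remote VPN subnet (it only matches the default route, so the pfSense gateway is the hop that has to know about the tunnel, which is what the ICMP "Redirect Host" line is hinting at), and which sysctl settings the ip_forward workaround changes. The following Python is an added example, not code from the thread or from pfSense. It parses a route -n table and sysctl -a output and performs a longest-prefix-match lookup plus a comparison against a plain-host baseline (forwarding off, ICMP redirects not accepted or sent, reverse-path filtering on). The addresses 10.10.2.1, 10.10.2.7 and 10.10.1.5 are constructed stand-ins for the xx.xx.xx.xx placeholders in the post.

```python
import ipaddress

# Constructed sample, modelled on the route -n output in the post
# (the masked xx.xx.xx.xx values replaced with 10.10.2.x placeholders).
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.2.1       0.0.0.0         UG    100    0        0 eth0
10.10.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
"""

# Constructed sysctl -a excerpt for a host after "sysctl -w net.ipv4.ip_forward=1".
SYSCTL_A = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.rp_filter = 1
"""

# Baseline for a single-homed host that is not meant to route for anyone.
HOST_BASELINE = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.rp_filter": "1",
}


def parse_route_n(text):
    """Turn route -n output into a list of route dicts (skips the two header lines)."""
    routes = []
    for line in text.splitlines()[2:]:
        parts = line.split()
        if len(parts) < 8:
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = parts[:8]
        routes.append({
            "network": ipaddress.IPv4Network(f"{dest}/{mask}"),
            "gateway": gw if "G" in flags else None,   # None means directly connected
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest metric wins on a tie; None if no route covers dst."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def parse_sysctl(text):
    """Parse 'key = value' lines as printed by sysctl -a."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit_host(settings, baseline=HOST_BASELINE):
    """Return {key: actual_value} for every baseline key that deviates (missing counts as deviating)."""
    return {k: settings.get(k) for k, want in baseline.items() if settings.get(k) != want}


if __name__ == "__main__":
    routes = parse_route_n(ROUTE_N)
    for dst in ("10.10.1.5", "10.10.2.7"):
        r = lookup(routes, dst)
        print(dst, "->", r["network"], "via", r["gateway"] or "directly connected", "on", r["iface"])
    print("deviations from host baseline:", audit_host(parse_sysctl(SYSCTL_A)))
```

Run against the constructed input, the lookup for 10.10.1.5 lands on 0.0.0.0/0 via 10.10.2.1: the host has no route of its own to the remote network, so whether the packet reaches the tunnel is decided entirely on the pfSense side. The audit then lists ip_forward and both redirect settings as deviations, which is why turning forwarding on is worth flagging in a host inventory rather than leaving in place as a fix.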


  • Moderator

    I have found that following these instructions:

    https://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

    click System > Routing. On the Gateways tab, click + and add a gateway using your LAN IP address (check the box to disable monitoring). Save/Apply,
    then go to the Static Routes tab, click +, enter the remote VPN network in the "Destination Network" box, select the LAN IP gateway that was created before, and add a description
    if you want, then Save/Apply.

    Once I removed the manual route and rebooted pfSense, my Ubuntu machine was able to communicate through the tunnel.

    Why this stopped working all of a sudden is a mystery.

    Also, I am directing the pfSense syslogs through the tunnel to a remote syslog server, and since removing the manual route, it is not working.

    Any suggestions would be appreciated.

