    Netgate Discussion Forum
    Keep alive and Ping..

    IPsec
    froussy:

      Good day,

      I had a Juniper SSG140 connected to 9 sites with IPsec.

      I just changed tonight to pfSense. All is up and running! ;D

      I want to keep those tunnels alive, so I found the option in the IPsec Phase 2 "Automatically ping host". I want to put the remote gateway there (192.168.2.1/3.1/4.1…) depending on the IPsec tunnel.

      But from the pfSense console I can't ping the remote subnets 192.168.2.x/3.x/4.x at each site, while from a PC on my LAN I can.

      Any idea? Is it a rule that I didn't make?

      Thanks
      Frank


      froussy:

        I know it's been a long time :)

        But I still need help :(

        I tried to add routing, but I can't seem to find the proper way to do it :(

        Any suggestions, please?

        Thanks


        Bjørkum:

          Can you clarify this a bit?

          It looks like the device you're trying to ping (192.168.2.1) is probably a router/pfSense? Are you sure it's allowing incoming ICMP on the interface that receives the packet? Does it have a return route? Does the return path also permit ICMP?

          Can you be more precise about what you can / cannot ping?

          Can you not ping anything on the remote subnets from pfSense—or is it just certain hosts?

          My guess is that you need to add a rule somewhere to allow ICMP.

          Keep in mind:

          • pfSense blocks all traffic arriving at an interface (including the IPsec virtual interface) unless a rule explicitly permits it.

          • ICMP is its own protocol; it doesn't fall under TCP or UDP.


          froussy:

            Good day,

            Sure. Here it is:

            1. See my rules, attached.

            My pfSense box has the IP 10.35.1.1, so my home network is 10.35.1.0/24.
            192.168.x.x/24 and 172.16.1.1/24 are my workplaces (one subnet per location). All of them have a Fortigate as their router.

            From any store, I can ping any machine on my home LAN.
            From my home, I can ping any machine on my store LANs (including the IPs of the remote routers, 192.168.x.1).

            From my pfSense box, I can ping my home LAN, but I can't ping any of my store LANs.

            Frank

            Bjørkum:

              Thanks, that makes more sense, and the rules certainly help!

              My bet is that the Fortigates are blocking ICMP.


              froussy:

                I don't think the Fortigates block them, because from my LAN (10.35.1.x) I can ping any Fortigate IP (192.168.x.1).


                Bjørkum:

                  Have you tried changing the source interface when pinging from pfSense?

                  Maybe it's using a source IP that the remote Fortigates are blocking?


                  froussy:

                    There is no way to change the interface used for pinging in the keep-alive.

                    And no, the Fortigate does not block the IP, as it was working with my previous router.


                    Bjørkum:

                      I'm sorry, I wasn't clear. I know you cannot change the interface used by the keep-alive; I was suggesting using the ping tool in Diagnostics > Ping to see if you can determine which source IP is not working. A protocol analyzer may also work (tcpdump from the command line, for example).


                      froussy:

                        Damn.. I finally got it..

                        I needed to do this:
                        Create a gateway pointing to the LAN IP.
                        Add a route using that gateway.

                        Phew.. it was not an easy one!

                        Thanks


                        luckman212:
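The two posts above (Bjørkum's suggestion to test different source addresses from Diagnostics > Ping, and froussy's fix of a gateway on the LAN address plus a static route) fit one model: a packet generated on the firewall itself takes its source address from the interface the route lookup picks, and an IPsec Phase 2 policy only selects traffic whose source lies inside the Phase 2 local network. The following is an added example, not code from the thread or from pfSense; it uses the thread's addressing (10.35.1.0/24 at home, 192.168.2.0/24 at one store) and a constructed route table, with a documentation-range WAN address (203.0.113.5) assumed for the firewall, and shows why the same ping fails before the static route and succeeds after it.

```python
"""Model of why a ping from the firewall itself can miss an IPsec tunnel.

Added example, not code from the thread or from pfSense. Assumptions:
  * the source of a locally generated packet is the address of the
    interface chosen by the longest-prefix route lookup for the destination;
  * a Phase 2 policy matches only when the source is inside the Phase 2
    "local network" and the destination is inside the "remote network".
All addresses and the route table below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed interface addresses; the WAN address is a documentation-range
# placeholder and not from the thread.
INTERFACES = {"wan": ip_address("203.0.113.5"), "lan": ip_address("10.35.1.1")}

# Phase 2 entry built from the thread's addressing: home LAN to one store.
PHASE2 = {"local": ip_network("10.35.1.0/24"),
          "remote": ip_network("192.168.2.0/24")}

# Route table as (prefix, egress interface). The gateway address is left out:
# in this model only the egress interface matters for source selection.
DEFAULT_ROUTES = [
    (ip_network("0.0.0.0/0"), "wan"),
    (ip_network("10.35.1.0/24"), "lan"),
]


def lookup(dest, routes):
    """Longest-prefix match over the route table; returns the egress interface."""
    dest = ip_address(dest)
    best = None
    for prefix, iface in routes:
        if dest in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1]


def source_for(dest, routes, interfaces=INTERFACES):
    """Source address the kernel would stamp on a packet it generates itself."""
    return interfaces[lookup(dest, routes)]


def policy_matches(src, dst, p2=PHASE2):
    """Would the Phase 2 selector pick up a packet from src to dst?"""
    return ip_address(str(src)) in p2["local"] and ip_address(str(dst)) in p2["remote"]


def ping_goes_through_tunnel(dest, routes):
    """True if a ping sourced by the firewall would be carried by the tunnel."""
    return policy_matches(source_for(dest, routes), dest)


def with_static_route(routes, prefix, via_iface):
    """The fix from the thread: a gateway on the LAN address plus a route to it,
    modelled as a route whose egress interface is LAN, so the packet is sourced
    from the LAN address and falls inside the Phase 2 local network."""
    return routes + [(ip_network(prefix), via_iface)]


if __name__ == "__main__":
    dest = "192.168.2.1"
    print("before:", source_for(dest, DEFAULT_ROUTES),
          ping_goes_through_tunnel(dest, DEFAULT_ROUTES))
    fixed = with_static_route(DEFAULT_ROUTES, "192.168.2.0/24", "lan")
    print("after: ", source_for(dest, fixed),
          ping_goes_through_tunnel(dest, fixed))
```

On the box itself the equivalent check is to pick the LAN address as the source in Diagnostics > Ping (or `ping -S 10.35.1.1 192.168.2.1` from the FreeBSD shell) and compare with a ping using the default source; `tcpdump -ni enc0` shows whether the probe is actually entering the IPsec path. Note that pfSense also requires a firewall rule on the IPsec interface for the return ICMP, as Bjørkum points out earlier in the thread; the route only fixes the source-selection half of the problem.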

                          Froussy,
                          can you please show some screenshots of how you configured this?
                          I think I might be having a similar problem with my site-to-site VPN… thanks
