Keep alive and Ping..



  • Good day,

    I had a Juniper SSG140 connected to 9 sites with IPsec.

    I just changed tonight to pfSense. All is up and running! ;D

    I want to keep those tunnels alive, so I found the option in the IPsec Phase 2 "Automatically ping host". I want to put the remote gateway there (192.168.2.1/3.1/4.1…) depending on the IPsec tunnel.

    But from the pfSense console, I can't ping the remote subnets 192.168.2.x/3.x/4.x at each site, but from a PC on my LAN, I can.

    Any idea? Is it a rule that I didn't make?

    Thanks
    Frank



  • I know it's been a long time :)

    But I still need help :(

    I tried to add routing, but I can't seem to find the proper way to do it :(

    Any suggestion please ?

    Thanks



  • Can you clarify this a bit?

    It looks like the device you're trying to ping (192.168.2.1) is probably a router/pfSense? Are you sure it's allowing incoming ICMP on the interface that receives the packet? Does it have a return route? Does the return path also permit ICMP?

    Can you be more precise about what you can / cannot ping?

    Can you not ping anything on the remote subnets from pfSense, or is it just certain hosts?

    My guess is that you need to add a rule somewhere to allow ICMP.

    Keep in mind:

    • pfSense blocks all traffic arriving at an interface (including the IPsec virtual interface) unless a rule explicitly permits it.

    • ICMP is its own protocol; it doesn't fall under TCP or UDP.



  • Good day,

    Sure. Here it is:

    1. See my rules, attached.

    My pfSense box has the IP 10.35.1.1, so my home network is 10.35.1.0/24.
    192.168.x.x/24 and 172.16.1.1/24 are my workplaces (one subnet per location). All of them have a Fortigate as their router.

    From any store, I can ping any machine on my home LAN.
    From my home, I can ping any machine on my stores' LANs (including the IPs of the remote routers, 192.168.x.1).

    From my pfSense box, I can ping my home LAN, but I can't ping any of my store LANs.

    Frank








  • Thanks, that makes more sense, and the rules certainly help!

    My bet is that the Fortigates are blocking ICMP.



  • I don't think the Fortigates block them, because from my LAN (10.35.1.x) I can ping any Fortigate IP (192.168.x.1).



  • Have you tried changing the source interface when pinging from pfSense?

    Maybe it's using a source IP that the remote Fortigates are blocking?



  • There is no way to change the interface used for pinging in the keep-alive.

    And no, the Fortigate does not block the IP, as it was working with my previous router.



  • I'm sorry, I wasn't clear. I know you cannot change the interface used by the keep-alive; I was suggesting using the ping tool in Diagnostics –> Ping to see if you can determine which source IP is not working. A protocol analyzer may also work (tcpdump from the command line, for example).



  • Damn... I finally got it.

    I needed to do this:
    Create a gateway pointing to the LAN IP
    Add a route using that gateway

    Phew... it was not an easy one!

    Thanks
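
The diagnosis suggested a few posts up (ping from Diagnostics –> Ping with different source addresses, or watch with tcpdump) and the fix above (a gateway on the LAN address plus a static route through it) are two sides of the same mechanism. Here is an added example, not code from the thread or from pfSense, that models it: for a packet the firewall itself originates, the kernel picks the source address from the interface of the best-matching route, and a policy-based IPsec tunnel only encrypts traffic whose source and destination both fall inside a Phase 2 entry. The WAN address 203.0.113.5, its upstream gateway 203.0.113.1, the interface names em0/em1 and the ping source 10.35.1.20 are constructed for the example; only 10.35.1.1, 10.35.1.0/24, 192.168.2.0/24 and 172.16.1.0/24 come from the thread. That the static route makes LAN the outgoing interface (and hence the source address) is the assumption behind the model, which is what the reported fix implies, not something this script proves about the FreeBSD kernel.

```python
"""Added example (not pfSense code): why a ping originated BY the firewall
can miss a policy-based IPsec tunnel while a LAN host's ping is encrypted,
and what the "gateway on the LAN IP + static route" fix changes.

Assumptions (not from the thread): WAN is em0 with 203.0.113.5 and upstream
203.0.113.1; LAN is em1 with 10.35.1.1; the source address of locally
originated traffic is the address of the interface chosen by a
longest-prefix route lookup; a packet is encrypted only if (src, dst) lies
inside one Phase 2 policy.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    dest: IPv4Network
    iface: str
    gateway: Optional[IPv4Address]  # None means directly connected


@dataclass(frozen=True)
class Policy:
    """One IPsec Phase 2 entry: local network <-> remote network."""
    local: IPv4Network
    remote: IPv4Network


# Interface addresses: LAN from the thread, WAN constructed (documentation prefix).
IFACE_ADDR = {
    "em0": ip_address("203.0.113.5"),  # WAN (assumed)
    "em1": ip_address("10.35.1.1"),    # LAN, from the thread
}

# Routing table as the thread describes it before the fix: default via WAN,
# LAN directly connected, no route at all for the remote subnets.
ROUTES: List[Route] = [
    Route(ip_network("0.0.0.0/0"), "em0", ip_address("203.0.113.1")),
    Route(ip_network("10.35.1.0/24"), "em1", None),
]

# Two of the nine Phase 2 entries from the thread (all share this shape).
POLICIES: List[Policy] = [
    Policy(ip_network("10.35.1.0/24"), ip_network("192.168.2.0/24")),
    Policy(ip_network("10.35.1.0/24"), ip_network("172.16.1.0/24")),
]


def lookup(routes: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match over the routing table."""
    matches = [r for r in routes if dst in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen) if matches else None


def local_source(routes: List[Route], dst: IPv4Address) -> Optional[IPv4Address]:
    """Source address the firewall uses for traffic it originates itself."""
    route = lookup(routes, dst)
    return IFACE_ADDR[route.iface] if route else None


def policy_for(policies: List[Policy], src: IPv4Address, dst: IPv4Address) -> Optional[Policy]:
    """Return the Phase 2 entry that covers (src, dst), if any."""
    for p in policies:
        if src in p.local and dst in p.remote:
            return p
    return None


def send(routes: List[Route], policies: List[Policy], dst: str, src: Optional[str] = None) -> dict:
    """Describe how a packet to dst leaves the box.

    src=None: the firewall originates the packet (console ping with no source
    chosen, or the Phase 2 keep-alive).  Otherwise it is a forwarded packet
    from a LAN host, or a Diagnostics > Ping with an explicit source.
    """
    dst_ip = ip_address(dst)
    src_ip = local_source(routes, dst_ip) if src is None else ip_address(src)
    route = lookup(routes, dst_ip)
    if src_ip is None or route is None:
        return {"src": None, "via": "unreachable", "policy": None}
    p = policy_for(policies, src_ip, dst_ip)
    if p:
        return {"src": str(src_ip), "via": "ipsec", "policy": f"{p.local}->{p.remote}"}
    # No policy matched: the packet goes out in the clear on the route's
    # interface, which for the default route is the WAN.
    return {"src": str(src_ip), "via": f"cleartext on {route.iface}", "policy": None}


def with_lan_gateway_route(routes: List[Route], remote_net: str) -> List[Route]:
    """The fix from the thread, as modelled here: a gateway whose address is the
    firewall's own LAN IP, and a static route to the remote subnet through it.
    The route's interface becomes LAN, so the chosen source address becomes
    10.35.1.1, which the Phase 2 policy covers."""
    return routes + [Route(ip_network(remote_net), "em1", IFACE_ADDR["em1"])]


if __name__ == "__main__":
    print("LAN PC  ->", send(ROUTES, POLICIES, "192.168.2.1", src="10.35.1.20"))
    print("firewall->", send(ROUTES, POLICIES, "192.168.2.1"))
    fixed = with_lan_gateway_route(ROUTES, "192.168.2.0/24")
    print("fixed   ->", send(fixed, POLICIES, "192.168.2.1"))
```

Running it shows the LAN host's ping encrypted, the firewall's own ping leaving in cleartext on em0 with the WAN address as source, and the same ping encrypted once the static route is present. On the real box the equivalent checks are Diagnostics –> Ping with the LAN address selected as source (or, from the shell of a FreeBSD-based pfSense, `ping -S 10.35.1.1 192.168.2.1`) and `tcpdump -ni enc0 icmp`, which only shows packets that actually entered the tunnel.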



  • Froussy,
    can you please show some screenshots of how you configured this?
    I think I might be having a similar problem with my site-to-site VPN… Thanks

