IPsec Tunnels with Peplink
Hi. I have a somewhat bizarre situation. This is probably more a question for peplink support, but on the chance someone's encountered this or can give any advice here goes.
I have 3 private networks located in 3 different locations. One is using pfsense as a router while the other 2 have identical peplink hardware. From pfsense to each peplink there's an IPsec tunnel, and from each peplink to the pfsense machine there's an IPsec tunnel. And things are dandy between pfsense and the first peplink. Machines on one side can talk to machines on the other and vice versa.
However, I can ssh, ping, what have you from pfsense to the second peplink, but not vice versa. So as I say, probably a question for peplink support as the failure is from peplink to pfsense. What's odd though, is the setup on both peplinks is virtually identical. I mean, both my co-worker and I have looked things over multiple times. So…I'm at a complete loss and would very much welcome any help or advice. Thanks for your time.
PS. Here's some tcpdump output for good measure. Atlanta is pfsense.
wsip.oc.oc.cox.net > atlanta.hfc.comcastbusiness.net: ESP(spi=0x0d5217d2,seq=0xb53), length 148
wsip.oc.oc.cox.net.isakmp > atlanta.hfc.comcastbusiness.net.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash]
atlanta.hfc.comcastbusiness.net.isakmp > wsip.oc.oc.cox.net.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash]
wsip.oc.oc.cox.net > atlanta.hfc.comcastbusiness.net: ESP(spi=0x0d5217d2,seq=0xb54), length 228
Hi Glen, Martin from Peplink here. I'd like to see if I can help you with this. Can you log a ticket here: http://cs.peplink.com/contact/support/ and attach diagnostic reports from both Peplinks to the ticket so I can get engineering to take a look for you?
Mention me in the ticket so they know to keep me in the loop.
So I'm an idiot. There wasn't an IPsec allow rule on the firewall setup. In my defense, it's more than 3 private networks actually, and I didn't set things up, and sitting there staring at the firewall rules it kinda all looks dandy even when you're having problems. Man, props to the peplink guys though as they went above and beyond. Ha, in my defense again though, I'm the guy that stared at the pfctl -sa output and finally had things dawn on me. Anyhow, if anyone else encounters this issue? Don't be an idiot?
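Added example, not from this thread or from Peplink: a small Python script that summarizes a tcpdump excerpt like the one posted above by protocol and direction, and flags peer pairs where ESP or IKE packets appear in only one direction, which is what a missing firewall pass rule on one side looks like from the wire. The sample lines are the ones from the original post; the optional timestamp and "IP" prefix handling assumes tcpdump's default line layout.

```python
import re
from collections import Counter

# Sample input: the four tcpdump lines quoted in the original post (Atlanta is the pfSense box).
SAMPLE = """\
wsip.oc.oc.cox.net > atlanta.hfc.comcastbusiness.net: ESP(spi=0x0d5217d2,seq=0xb53), length 148
wsip.oc.oc.cox.net.isakmp > atlanta.hfc.comcastbusiness.net.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash]
atlanta.hfc.comcastbusiness.net.isakmp > wsip.oc.oc.cox.net.isakmp: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash]
wsip.oc.oc.cox.net > atlanta.hfc.comcastbusiness.net: ESP(spi=0x0d5217d2,seq=0xb54), length 228
"""

# Optional "HH:MM:SS.usec IP " prefix (assumed tcpdump default), then "src > dst: payload".
# Hosts may carry a ".isakmp" suffix because tcpdump resolves UDP/500 to the service name.
LINE_RE = re.compile(
    r"^(?:\d\d:\d\d:\d\d\.\d+ )?(?:IP6? )?"
    r"(?P<src>\S+?)(?:\.isakmp)? > (?P<dst>\S+?)(?:\.isakmp)?: (?P<rest>.*)$"
)

def classify(rest):
    """Return ('ESP', spi) for ESP packets, ('ISAKMP', None) for IKE, (None, None) otherwise."""
    m = re.search(r"ESP\(spi=(0x[0-9a-fA-F]+)", rest)  # also matches NAT-T "UDP-encap: ESP(...)"
    if m:
        return "ESP", m.group(1)
    if rest.startswith("isakmp"):
        return "ISAKMP", None
    return None, None

def summarize(text):
    """Count packets per (protocol, src, dst), i.e. per direction of each peer pair."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _spi = classify(m.group("rest"))
        if proto:
            counts[(proto, m.group("src"), m.group("dst"))] += 1
    return counts

def one_way_flows(text):
    """Flows seen in one direction with nothing coming back the other way."""
    counts = summarize(text)
    return sorted(flow for flow in counts if (flow[0], flow[2], flow[1]) not in counts)

if __name__ == "__main__":
    for (proto, src, dst), n in sorted(summarize(SAMPLE).items()):
        print(f"{proto:7} {src} -> {dst}: {n} packet(s)")
    for proto, src, dst in one_way_flows(SAMPLE):
        need = "proto esp" if proto == "ESP" else "udp ports 500/4500"
        print(f"WARNING: {proto} only seen {src} -> {dst}; check that the firewall on the "
              f"{dst} side passes {need} from {src}, and the {src} side in reverse")
```

On the posted excerpt this reports IKE in both directions but ESP only from the cox host toward atlanta, the kind of asymmetry worth checking against the firewall rules before opening a support ticket.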