    [SOLVED] IPsec Site-to-Site VNP, static IP can't go through
    11 Posts 3 Posters 2.4k Views

    jchen:

      I set up an IPsec site-to-site tunnel with v2.2; the tunnel is up between the 2 networks for all DHCP clients on both sides.

      Site A                        Site B
      10.50.196.0/24 <=> 10.50.200.0/24

      A PC that gets its IP from the DHCP server (either a dynamic IP or a preferred IP defined in DHCP for its MAC) can ping any PC that gets its IP in the same way. The DHCP ranges are:
      Site A                        Site B
      10.50.196.100-200             10.50.200.100-200

      However, a static-IP PC (with an IP in the same subnet defined in IPsec phase 2) cannot ping any PC on the other side, and cannot be pinged by any PC from the other side. For example, a Windows Server DC (e.g. 10.50.196.5) must use a static IP. We are not able to ping it from the 10.50.200.0 subnet.

      In the firewall rules I configured, all traffic from any source to any destination is allowed on both LANs (10.50.196.0/24 and 10.50.200.0/24) and on IPsec.

      When I ping 10.50.196.5 from 10.50.200.105, I see in the firewall logs that the ICMP packets pass through LAN on both sides, but nothing in the IPsec logs. The ping simply times out :(.

      Does the IPsec tunnel only allow DHCP clients to pass through?

      MLIT:

        IPSec doesn't care whether or not the address is statically or dynamically assigned.

        Have you done packet captures to see whether the computer is receiving the ICMP packet from the other end of the tunnel? Have you done a packet capture on the LAN side of both firewalls to verify whether the ICMP packet is going across the tunnel?

        jchen:

          I captured Wireshark traces on the pinged PC. The ICMP packet reached the destination PC, which means it went through the IPsec tunnel. It looks like the incoming ICMP message has a problem ("no responses found") after it passed through the VPN tunnel.

          The attached Wireshark screenshot shows the ping from site B (10.50.200.109) to site A (10.50.196.5, static IP). The destination PC ignored the ping because the ICMP message had a defect. Does pfSense IPsec cause this?

          ping_issue.png

          Derelict (LAYER 8, Netgate):

            Check everything regarding the static. Specifically, make sure the gateway is the same (pfSense) and that its firewall allows pings (connections) from foreign networks.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            jchen:

              Thank you for the reply. The GW is in the same subnet as pfSense (actually the GW is the LAN interface IP of pfSense). I don't know how to make the firewall allow pings from foreign networks. However, my static IP (10.50.196.5) is within the LAN subnet (10.50.196.0/24) and within the remote subnet defined in IPsec phase 2 at the other end.

              In the firewall rules for LAN and IPsec, I enabled everything. The screenshot shows the site A firewall rules for LAN and IPsec, and the site B IPsec phase 2 settings.

              Firewall_IPsecPhase2.png

              Derelict (LAYER 8, Netgate):

                None of this has anything to do with static vs dynamic addressing. IPsec doesn't care one bit.

                As I already said, check that the static addressing (gateway, netmask, etc.) is the same on the static host as it is for the dynamic clients.


                MLIT:

                  @jchen:

                  The destination PC ignored the ping because the ICMP message had a defect. Does pfSense IPsec cause this?

                  I don't think you have an issue with your settings or the packet wouldn't have traveled across the tunnel. Why do you think the ICMP packet has a defect? Is the firewall enabled on the PC? Can you shut it off and test again?

                  Derelict (LAYER 8, Netgate):

                    I am operating on the presumption that DHCP clients CAN ping the server and static clients CAN'T. Otherwise, why have this thread at all?

                    If that is not the case and nobody can ping it across the tunnel, then it's the windows firewall, or the default gateway on the target server.

                    @jchen: I don't know how to make the firewall allow pings from foreign networks.

                    You need to google it then.


                    jchen:

                      Thank you Derelict for the reply. The actual result is that nobody (either a static client or a DHCP client) CAN NOT ping the server because the server has a static IP, although the server IP is in the LAN subnet.

                      It looks like it is not the Windows firewall, because if I change a client from static to DHCP and renew the lease, it will be able to ping DHCP clients at the other site immediately, or be pinged by DHCP clients from the other site. If I change a client from DHCP to static, it will lose all communication, even if the static IP is in the DHCP scope.

                      Since all static clients are in the same subnet, and the default gateway is the LAN interface of pfSense, why do we need something for "foreign networks"?

                      Derelict (LAYER 8, Netgate):

                        I'm telling you… IPsec doesn't care. You need to find the difference between the DHCP assignment and the static assignment and you will fix your problem.


                        jchen:

                          Thank you guys. My problem is solved. After comparing the differences between the static IP and the DHCP IP, I found the static-IP PC was using subnet mask 255.255.0.0 instead of 255.255.255.0. The problem was gone after I changed it to 255.255.255.0.

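Why a wrong netmask breaks the tunnel for one host while the tunnel itself is fine: with 255.255.0.0 the server believes 10.50.200.x is on its own LAN, so it ARPs for the remote client instead of forwarding the echo reply to pfSense, which matches the "no responses found" seen in Wireshark. This added example (not code from the thread or from pfSense) models that forwarding decision with Python's ipaddress module; the pfSense LAN gateway address 10.50.196.1 is an assumption, since the thread only says the gateway is pfSense's LAN interface.

```python
import ipaddress

# Addresses taken from the thread: the static server at site A and a
# DHCP client at site B. The gateway address is assumed (hypothetical).
SERVER_IP = "10.50.196.5"
CLIENT_IP = "10.50.200.109"
SITE_A_GATEWAY = "10.50.196.1"
# Remote subnet carried by the tunnel, as defined in IPsec phase 2.
SITE_B_SUBNET = ipaddress.ip_network("10.50.200.0/24")


def next_hop(host_ip: str, netmask: str, gateway: str, dst_ip: str) -> str:
    """Where a host sends a packet for dst_ip.

    Returns "on-link" when the host's own address/mask covers dst_ip (it will
    ARP for the destination directly); otherwise returns the gateway address
    the packet is handed to, which is how it reaches the IPsec tunnel.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    if ipaddress.ip_address(dst_ip) in iface.network:
        return "on-link"
    return gateway


def reply_reaches_tunnel(host_ip: str, netmask: str, gateway: str,
                         dst_ip: str, remote_subnet: ipaddress.IPv4Network) -> bool:
    """True if an echo reply from host_ip to a remote-subnet dst_ip is
    actually forwarded to pfSense (and therefore into the tunnel)."""
    hop = next_hop(host_ip, netmask, gateway, dst_ip)
    dst = ipaddress.ip_address(dst_ip)
    # "on-link" for an address that really lives behind the tunnel means an
    # ARP request on the local LAN that nobody answers: the reply never leaves.
    if hop == "on-link" and dst in remote_subnet:
        return False
    return hop == gateway


if __name__ == "__main__":
    for mask in ("255.255.0.0", "255.255.255.0"):
        hop = next_hop(SERVER_IP, mask, SITE_A_GATEWAY, CLIENT_IP)
        ok = reply_reaches_tunnel(SERVER_IP, mask, SITE_A_GATEWAY,
                                  CLIENT_IP, SITE_B_SUBNET)
        print(f"mask {mask}: reply to {CLIENT_IP} goes {hop}; "
              f"reaches tunnel: {ok}")
```

The same check explains why the DHCP clients worked all along: the DHCP server handed them a /24, so the decision falls on the gateway side for every 10.50.200.x destination.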