Netgate Discussion Forum

IPsec ping host for keepalive doesn't work

IPsec
7 Posts 3 Posters 5.2k Views
dlogan, last edited Jun 24, 2015, 4:16 PM

In Diagnostics -> Ping, if the source is set to LAN, the pings work. But if I set the source to Localhost, the pings fail.

In my IPSec setup, I have a ping host set to an IP on the other side of the VPN to keep the tunnel alive. It does not keep the tunnel alive. I'm assuming (and I could very well be wrong) this is because Localhost is unable to ping the address. When a host inside the LAN tries to ping the address, the first ping fails while the VPN is being established, then all is well. This is slightly inconvenient, however.

What interface would the IPSec ping host use to try to ping?

There is no tab for Localhost in firewall rules, so I'm not sure how to address this.

I have a rule for IPSec that says allow all IPv4 from anywhere to anywhere.
doktornotor, last edited Jun 24, 2015, 4:27 PM

@dlogan:

In Diagnostics -> Ping, if the source is set to LAN, the pings work. But if I set the source to Localhost, the pings fail.

https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

For the rest:

https://doc.pfsense.org/index.php/What_should_I_ping_for_IPsec_Keep_Alive
dlogan, last edited Jun 24, 2015, 4:39 PM

Thanks, but that doesn't seem to help. If I select LAN as the source of the ping, it works.

If I select Localhost as the source of the ping, it does not work.

This may or may not be the reason why the "Automatically ping host" under IPSec setup doesn't work; I was just making a guess there.

I added the LAN Gateway and Static Route as suggested by that article but it has no effect.
doktornotor, last edited Jun 24, 2015, 4:41 PM

I did not suggest adding a GW anywhere. I was explaining why pinging from "localhost" does not work.

As noted by the second article, the pfSense box must have an IP inside the Local Network specified in the P2. Otherwise it won't work.
dlogan, last edited Jun 24, 2015, 4:53 PM

I'm not sure I'm following you. Inside the Phase 2 entry, for Local Network, I have LAN Subnet selected, so as to allow any device on the LAN to initiate the VPN tunnel. The LAN interface of the pfSense box has an address inside that LAN Subnet.
i.e. the LAN subnet is 192.168.0.0/24 and the LAN interface of the pfSense box has address 192.168.0.1/24
cmb, last edited Jun 25, 2015, 2:30 AM

The traffic must match the P2 to go across the VPN. When you source from localhost, the source IP is 127.0.0.1, which isn't going to be part of your IPsec connection. That's not what the IPsec keepalive does.

Go to a command prompt and run 'ps auwx | grep ping_hosts' to see if it's actually running. You should see something like:

```
: ps auwx | grep ping_hosts
root    96764   0.0  0.0  12404   1996  -  Is   Tue02AM     0:00.00 /usr/local/bin/minicron 240 /var/run/ping_hosts.pid /usr/local/bin/ping_hosts.sh
root    97078   0.0  0.0  12404   2008  -  I    Tue02AM     0:00.10 minicron: helper /usr/local/bin/ping_hosts.sh  (minicron)
root    64343   0.0  0.0  18876   2384  1  S+    9:28PM     0:00.01 grep ping_hosts
```
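The point cmb makes above, that a keepalive only crosses the tunnel if its source address falls inside the Phase 2 Local Network, can be checked mechanically. The script below is an added example, not pfSense's own ping_hosts.sh and not code from anyone in the thread. It generalizes the case discussed (it takes any IPv4 address and any prefix length, not just 192.168.0.0/24) and assumes a FreeBSD-style ping where `-S` selects the source address; the remote host 10.0.1.10 is a made-up address standing in for the real ping host on the far side of the tunnel.

```shell
#!/bin/sh
# Added example (not pfSense's ping_hosts.sh): check whether a keepalive's
# source address lies inside the Phase 2 "Local Network" before sourcing a
# ping from it. Traffic that does not match the P2 never enters the tunnel,
# which is why sourcing from 127.0.0.1 fails while 192.168.0.1 works.
# Assumptions: POSIX sh, IPv4 only, FreeBSD ping (-S selects the source IP).

# ip4_to_int 192.168.0.1 -> 3232235521
ip4_to_int() {
    _ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr ADDR NET/BITS -> exit 0 if ADDR is inside NET/BITS, 1 otherwise,
# 2 if the prefix length is missing or malformed
in_cidr() {
    _addr=$(ip4_to_int "$1")
    _net=$(ip4_to_int "${2%/*}")
    _bits=${2#*/}
    case $_bits in
        ''|*[!0-9]*) echo "bad prefix length in $2" >&2; return 2 ;;
    esac
    [ "$_bits" -le 32 ] || { echo "bad prefix length in $2" >&2; return 2; }
    [ "$_bits" -eq 0 ] && return 0
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# keepalive_cmd SRC DST P2_LOCAL -> prints the source-bound ping command,
# or explains why SRC cannot work as a keepalive source and returns 1
keepalive_cmd() {
    if ! in_cidr "$1" "$3"; then
        echo "source $1 is outside P2 local network $3; the ping will not match the IPsec policy" >&2
        return 1
    fi
    echo "ping -S $1 -c 1 $2"
}

# Constructed demo values: the thread's LAN and pfSense LAN address, plus an
# assumed host on the far side of the tunnel (replace with your real ping host).
P2_LOCAL=192.168.0.0/24
REMOTE=10.0.1.10

for src in 127.0.0.1 192.168.0.1; do
    if cmd=$(keepalive_cmd "$src" "$REMOTE" "$P2_LOCAL"); then
        echo "$src: run '$cmd'"
    fi
done
```

Run as-is, the loop rejects 127.0.0.1 with a message on stderr and prints the ping command for 192.168.0.1, mirroring the Diagnostics -> Ping behaviour dlogan described: only a source that is part of the P2 selector produces traffic the tunnel will carry.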
cmb, last edited Jul 17, 2015, 6:04 AM

In addition to the answers to the previous post, also try running:

```
ping_hosts.sh
```
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.