Netgate Discussion Forum
    [solved] VPN Site to site , each side behind a router

    InAr

      Hello,

      I am trying to establish a working IPsec VPN connection between two sites. Each site is behind a router (FritzBox).

      I have forwarded ESP, UDP 500 and UDP 4500 to the LAN interface of the pfSense machine on each side.

      It seems like the tunnel gets created correctly, but it looks like I am missing some firewall or gateway settings for my special setup, as I am not able to ping the remote pfSense machine through the tunnel, nor the remote machine behind the remote pfSense's subnet.

      What do I have to do to be able to ping the remote pfSense machine and the subnet behind the pfSense machine (192.168.199.0 <-> 192.168.198.0) through the tunnel?

      Leftside:
      pfsense subnet: 192.168.189.0/24
      productive subnet: 192.168.199.0/24

      Rightside:
      pfsense subnet: 192.168.197.0/24
      productive subnet: 192.168.198.0/24

      Status->IPsec "Overview" reports "established"; the local IP is the IP of the WAN interface connected to the local FritzBox router, the remote IP is the online IP of the remote FritzBox router.

      | Description | Local ID | Local IP | Remote ID | Remote IP | Role | Reauth | Algo | Status |
      |---|---|---|---|---|---|---|---|---|
      | MyCon | 192.168.189.210 | 192.168.189.210, Port 4500, NAT-T | 192.168.197.210 | "my online-ip", Port 4500, NAT-T | IKEv2 responder | 6 Hours | "Algo stuff" | established 65 minutes ago |

      | Local subnets | Local SPI(s) | Remote subnets | Times | Algo | Stats |
      |---|---|---|---|---|---|
      | 192.168.189.0/24 | Local: c56eba5d, Remote: ca289392 | 192.168.197.0/24 | Rekey: 20 minutes, Life: 37 minutes, Install: 22 minutes | AES_CBC:256, "algo stuff" | Bytes-In: 0, Packets-In: 0 : 1370, Bytes-Out: 0, Packets-Out: 0 : 1370 |

      Thank you.

      Ingo

        stegbth

        Hi,

        I set up a similar setup last weekend. There I had troubles with PSK, so I switched over to X509 certificates.
        The tunnel got established and I was able to establish a GRE tunnel.
        The only point: the rekeying is currently not working as expected.

        But I was currently unable to do further tests.

        best regards
        Thomas

        https://forum.pfsense.org/index.php?topic=95910.0

          InAr

          Hello,

          PSK is working for me.

          Pinging from pfSense host to pfSense host was working already; I didn't know about the -S option of the ping command to set the outgoing interface.

          And it seems like I just had to add a second Phase 2 entry for the desired subnet (on each side).
          After re-establishing the connection I can now ping the other subnet as well.

          So everything is working at the moment.

            mohammadreza73
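          Why the second Phase 2 entry was needed, as an added illustration that is not part of the original thread: with policy-based IPsec, a packet is only sent through the tunnel when one Phase 2 traffic selector covers both its source and destination; otherwise it is routed normally and the tunnel counters stay at zero. The selector pairs below are taken from the posted subnets; the mirrored right-side list is an assumption about how the remote side would be configured.

```python
from ipaddress import ip_address, ip_network

# Phase 2 entries on the left pfSense as (local subnet, remote subnet) pairs.
# Each pair is one traffic selector (one child SA).
P2_LEFT_BEFORE = [("192.168.189.0/24", "192.168.197.0/24")]
P2_LEFT_AFTER = P2_LEFT_BEFORE + [("192.168.199.0/24", "192.168.198.0/24")]
# Assumed matching configuration on the right side: the same pairs, swapped.
P2_RIGHT_AFTER = [(remote, local) for local, remote in P2_LEFT_AFTER]


def matching_selector(src, dst, entries):
    """Return the (local, remote) pair that covers src -> dst, or None.

    None means the packet does not enter the tunnel and is routed normally,
    which is what the poster saw: ping fails and Bytes-Out stays 0.
    """
    s, d = ip_address(src), ip_address(dst)
    for local, remote in entries:
        if s in ip_network(local) and d in ip_network(remote):
            return (local, remote)
    return None


def sides_mirror(left, right):
    """True when every left (local, remote) pair has a right (remote, local) twin.

    Both peers must agree on the selectors or the child SA for that pair
    is never negotiated, so the check has to pass in both directions.
    """
    return {(r, l) for l, r in left} == set(right)


if __name__ == "__main__":
    # Productive subnet to productive subnet: no selector before the fix.
    print(matching_selector("192.168.199.10", "192.168.198.10", P2_LEFT_BEFORE))
    # After adding the second Phase 2 entry the packet is covered.
    print(matching_selector("192.168.199.10", "192.168.198.10", P2_LEFT_AFTER))
    # Host-to-host ping only works when the source address sits in the
    # local selector, which is why the ping source address mattered.
    print(matching_selector("192.168.189.210", "192.168.197.210", P2_LEFT_BEFORE))
    print(sides_mirror(P2_LEFT_AFTER, P2_RIGHT_AFTER))
```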

            I have the same problem: the IPsec tunnel is established but traffic between the two sites does not pass, and packets are dropped like this:

            Bytes-In: 0
            Packets-In: 0 : 550
            Bytes-Out: 0
            Packets-Out: 0 : 0

            How can I fix this? Does anybody have this problem? :'( :'( :'( :'( :'(

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.