[solved] VPN Site to site, each side behind a router
InAr last edited by
I am trying to establish a working IPsec VPN connection between two sites. Each site is behind a router (FRITZ!Box).
I have forwarded ESP, UDP 500 and UDP 4500 to the LAN interface of the pfSense machine on each side.
It seems like the tunnel gets created correctly, but it looks like I am missing some firewall or gateway settings for my special setup, as I am not able to ping the remote pfSense machine through the tunnel, nor ping the remote machine behind the pfSense's subnet.
What do I have to do to be able to ping the remote pfSense machine and the subnet behind the pfSense machine (192.168.199.0 <-> 192.168.198.0) through the tunnel?
pfsense subnet: 192.168.189.0/24
productive subnet: 192.168.199.0/24
pfsense subnet: 192.168.197.0/24
productive subnet: 192.168.198.0/24
Status->IPsec "Overview" reports "established"; the local IP is the IP of the WAN interface connected to the local FRITZ!Box router, the remote IP is the online IP of the remote FRITZ!Box router.
| Description | Local ID | Local IP | Remote ID | Remote IP | Role | Reauth | Algo | Status |
|---|---|---|---|---|---|---|---|---|
| MyCon | 192.168.189.210 | 192.168.189.210 | 192.168.197.210 | "my online-ip" Nat-T | IKEv2 responder | 6 Hours | "Algo stuff" | established |

| Local subnets | Local SPI(s) | Remote subnets | Times | Algo | Stats |
|---|---|---|---|---|---|
| 192.168.189.0/24 | Local: c56eba5d, Remote: ca289392 | 192.168.197.0/24 | Rekey: 20 minutes, Life: 37 minutes, Install: 22 minutes | AES_CBC:256 | Packets-In: 0 : 1370, Packets-Out: 0 : 1370 |
stegbth last edited by
I set up a similar setup last weekend; there I had troubles with PSK, so I switched over to X509 certificates.
The tunnel got established and I was able to establish a GRE tunnel.
Only point: the rekeying is currently not working as expected, but I was unable to do further tests.
InAr last edited by
PSK is working for me.
Pinging from pfSense host to pfSense host was working already; I didn't know about the -S option of the ping command to set the outgoing interface.
And it seems like I just had to add a second Phase 2 entry for the desired subnet (on each side).
After reestablishing the connection I now can ping the other subnet as well.
So everything is working at the moment.
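Why the second Phase 2 entry was needed, as an added illustration that is not part of the thread: a packet is only sent into the tunnel when some Phase 2 (child SA) traffic selector pair contains both its source and destination, so the original 192.168.189.0/24 <-> 192.168.197.0/24 entry never covered LAN-to-LAN traffic. The host addresses in the sample flows are constructed; the subnets are the ones from the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2:
    """One IPsec Phase 2 traffic selector pair, as entered on the pfSense IPsec page."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def selectors(pairs):
    """Build Phase 2 entries from (local CIDR, remote CIDR) strings."""
    return [Phase2(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in pairs]


def matching_phase2(p2s, src, dst):
    """Return the Phase 2 whose selectors cover a packet src -> dst, or None.

    This mirrors the kernel's security policy lookup: the packet is
    encrypted into the tunnel only if some child SA's (local, remote)
    pair contains (src, dst); otherwise it is routed in the clear or dropped.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p2 in p2s:
        if s in p2.local and d in p2.remote:
            return p2
    return None


def check_reachability(p2s, flows):
    """Map each (src, dst) flow to whether it would be tunnelled."""
    return {f: matching_phase2(p2s, *f) is not None for f in flows}


# Site A's Phase 2 list: first only the pfSense transit subnets (as in the
# status output above), then extended with the productive subnets.
ORIGINAL_P2 = selectors([("192.168.189.0/24", "192.168.197.0/24")])
EXTENDED_P2 = ORIGINAL_P2 + selectors([("192.168.199.0/24", "192.168.198.0/24")])

# Constructed sample flows (host addresses chosen for illustration only).
FLOWS = [
    ("192.168.189.210", "192.168.197.210"),  # pfSense WAN -> remote pfSense WAN
    ("192.168.199.10", "192.168.198.10"),    # LAN host -> remote LAN host
    ("192.168.189.210", "192.168.198.10"),   # pfSense WAN IP -> remote LAN host
]

if __name__ == "__main__":
    for name, p2s in (("original", ORIGINAL_P2), ("extended", EXTENDED_P2)):
        for (src, dst), ok in check_reachability(p2s, FLOWS).items():
            print(f"{name}: {src} -> {dst}: {'tunnelled' if ok else 'not tunnelled'}")
```

The third flow shows why a ping issued from the firewall itself needs a source address inside the local Phase 2 subnet (here the LAN address in 192.168.199.0/24): sourced from the WAN address it matches no selector even after the second Phase 2 is added.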
mohammadreza73 last edited by
I have the same problem: the IPsec tunnel is established, but traffic between the two sites does not pass and packets are dropped, like this:
Packets-In: 0 : 550
Packets-Out: 0 : 0
How can I fix this? Does anybody have this problem? :'( :'( :'( :'( :'(