Netgate Discussion Forum
    VPN connects, but I can't ping remote network

    daileycomputer

      Hi there. I'm new to pfSense and I need some help getting pfSense to connect an IPsec VPN. The client runs VoIP traffic over the VPN to the PBX on the other side.

      I'm replacing a crummy old Kentrox Q2300 on the local side with the pfSense. This device works as far as the VPN connection goes; it's just very slow and causing Internet connectivity problems. I don't know what's on the remote side and don't have direct access to configure the router. I have limited access to support on that side.

      The IPsec tunnel seems to connect, but I am unable to ping any machines on the far side of the VPN. I need help determining why.

      I've attached a few screenshots. I obscured the Local WAN Address, the Remote WAN Address and the preshared key.

      Kentrox Config 1.jpg and Kentrox Config 2.jpg show the current settings, which work.

      IPsec Phase 1.jpg and IPsec Phase 2.jpg show the current config on the new pfSense box. I did my best to recreate the settings on the Kentrox.

      IPSec Firewall Rules.jpg shows the very open firewall rules I set up for the IPsec VPN. My intention was to allow everything at this point.

      Below is the IPsec log, captured immediately after initiating the connection. Again, I obscured the WAN addresses on the local and remote sides.

      Any idea what I'm missing? Hopefully it's something obvious that I'll feel stupid about missing.

      I appreciate your help!

      Here's the log:

```
Jul 6 19:06:04	charon: 06[CFG] no IKE_SA named 'con1000' found
Jul 6 19:06:04	charon: 15[CFG] received stroke: initiate 'con1000'
Jul 6 19:06:04	charon: 06[IKE] <con1000|2> initiating Main Mode IKE_SA con1000[2] to {Remote WAN Address}
Jul 6 19:06:04	charon: 06[IKE] <con1000|2> initiating Main Mode IKE_SA con1000[2] to {Remote WAN Address}
Jul 6 19:06:04	charon: 06[ENC] <con1000|2> generating ID_PROT request 0 [ SA V V V V V V ]
Jul 6 19:06:04	charon: 06[NET] <con1000|2> sending packet: from {Local WAN Address}[500] to {Remote WAN Address}[500] (196 bytes)
Jul 6 19:06:04	charon: 06[NET] <con1000|2> received packet: from {Remote WAN Address}[500] to {Local WAN Address}[500] (100 bytes)
Jul 6 19:06:04	charon: 06[ENC] <con1000|2> parsed ID_PROT response 0 [ SA V ]
Jul 6 19:06:04	charon: 06[IKE] <con1000|2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 6 19:06:04	charon: 06[IKE] <con1000|2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 6 19:06:04	charon: 06[ENC] <con1000|2> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 6 19:06:04	charon: 06[NET] <con1000|2> sending packet: from {Local WAN Address}[500] to {Remote WAN Address}[500] (244 bytes)
Jul 6 19:06:05	charon: 06[NET] <con1000|2> received packet: from {Remote WAN Address}[500] to {Local WAN Address}[500] (244 bytes)
Jul 6 19:06:05	charon: 06[ENC] <con1000|2> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jul 6 19:06:05	charon: 06[ENC] <con1000|2> generating ID_PROT request 0 [ ID HASH ]
Jul 6 19:06:05	charon: 06[NET] <con1000|2> sending packet: from {Local WAN Address}[500] to {Remote WAN Address}[500] (68 bytes)
Jul 6 19:06:05	charon: 06[NET] <con1000|2> received packet: from {Remote WAN Address}[500] to {Local WAN Address}[500] (68 bytes)
Jul 6 19:06:05	charon: 06[ENC] <con1000|2> parsed ID_PROT response 0 [ ID HASH ]
Jul 6 19:06:05	charon: 06[IKE] <con1000|2> IKE_SA con1000[2] established between {Local WAN Address}[{Local WAN Address}]...{Remote WAN Address}[{Remote WAN Address}]
Jul 6 19:06:05	charon: 06[IKE] <con1000|2> IKE_SA con1000[2] established between {Local WAN Address}[{Local WAN Address}]...{Remote WAN Address}[{Remote WAN Address}]
Jul 6 19:06:05	charon: 06[IKE] <con1000|2> scheduling reauthentication in 42420s
Jul 6 19:06:05	charon: 06[IKE] <con1000|2> scheduling reauthentication in 42420s
Jul 6 19:06:05	charon: 06[IKE] <con1000|2> maximum IKE_SA lifetime 42960s
Jul 6 19:06:05	charon: 06[IKE] <con1000|2> maximum IKE_SA lifetime 42960s
Jul 6 19:06:05	charon: 06[IKE] <con1000|2> DPD not supported by peer, disabled
Jul 6 19:06:05	charon: 06[IKE] <con1000|2> DPD not supported by peer, disabled
Jul 6 19:06:05	charon: 06[ENC] <con1000|2> generating QUICK_MODE request 3689710999 [ HASH SA No ID ID ]
Jul 6 19:06:05	charon: 06[NET] <con1000|2> sending packet: from {Local WAN Address}[500] to {Remote WAN Address}[500] (172 bytes)
Jul 6 19:06:05	charon: 10[NET] <con1000|2> received packet: from {Remote WAN Address}[500] to {Local WAN Address}[500] (68 bytes)
Jul 6 19:06:05	charon: 10[ENC] <con1000|2> parsed INFORMATIONAL_V1 request 2848750997 [ HASH N(INITIAL_CONTACT) ]
Jul 6 19:06:05	charon: 10[NET] <con1000|2> received packet: from {Remote WAN Address}[500] to {Local WAN Address}[500] (68 bytes)
Jul 6 19:06:05	charon: 10[ENC] <con1000|2> parsed INFORMATIONAL_V1 request 3867220343 [ HASH N(INVAL_ID) ]
Jul 6 19:06:05	charon: 10[IKE] <con1000|2> received INVALID_ID_INFORMATION error notify
Jul 6 19:06:05	charon: 10[IKE] <con1000|2> received INVALID_ID_INFORMATION error notify
```

      ![Kentrox Config 1.jpg](/public/_imported_attachments_/1/Kentrox Config 1.jpg)
      ![Kentrox Config 2.jpg](/public/_imported_attachments_/1/Kentrox Config 2.jpg)
      ![IPsec Phase 1.jpg](/public/_imported_attachments_/1/IPsec Phase 1.jpg)
      ![IPsec Phase 2.jpg](/public/_imported_attachments_/1/IPsec Phase 2.jpg)
      ![IPSec Firewall Rules.jpg](/public/_imported_attachments_/1/IPSec Firewall Rules.jpg)
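The log in the post above already narrows the question down: Main Mode completes and the IKE_SA is established, so the pre-shared key and Phase 1 proposals are fine; it is the Quick Mode request (Phase 2) that the peer answers with INVALID_ID_INFORMATION. The script below is an added example, not code from the original post or from pfSense/strongSwan. It parses charon log lines of this shape (the sample is a constructed, cut-down copy of the log above with the WAN addresses masked as the poster masked them), collapses the doubled lines the pfSense log viewer shows, and reports which phase failed and what the notify usually means. The hint table and verdict wording are my own, not charon output.

```python
"""Triage a strongSwan (charon) IKEv1 log: did the tunnel fail in Phase 1 or Phase 2?"""
import re
from dataclasses import dataclass, field

# Constructed sample: a cut-down copy of the log in the post above, WAN addresses
# masked exactly as the poster masked them. pfSense shows every charon line twice.
SAMPLE_LOG = """\
Jul 6 19:06:04\tcharon: 15[CFG] received stroke: initiate 'con1000'
Jul 6 19:06:04\tcharon: 06[IKE] <con1000|2> initiating Main Mode IKE_SA con1000[2] to {Remote WAN Address}
Jul 6 19:06:04\tcharon: 06[IKE] <con1000|2> initiating Main Mode IKE_SA con1000[2] to {Remote WAN Address}
Jul 6 19:06:05\tcharon: 06[IKE] <con1000|2> IKE_SA con1000[2] established between {Local WAN Address}[{Local WAN Address}]...{Remote WAN Address}[{Remote WAN Address}]
Jul 6 19:06:05\tcharon: 06[IKE] <con1000|2> DPD not supported by peer, disabled
Jul 6 19:06:05\tcharon: 06[ENC] <con1000|2> generating QUICK_MODE request 3689710999 [ HASH SA No ID ID ]
Jul 6 19:06:05\tcharon: 10[ENC] <con1000|2> parsed INFORMATIONAL_V1 request 2848750997 [ HASH N(INITIAL_CONTACT) ]
Jul 6 19:06:05\tcharon: 10[ENC] <con1000|2> parsed INFORMATIONAL_V1 request 3867220343 [ HASH N(INVAL_ID) ]
Jul 6 19:06:05\tcharon: 10[IKE] <con1000|2> received INVALID_ID_INFORMATION error notify
Jul 6 19:06:05\tcharon: 10[IKE] <con1000|2> received INVALID_ID_INFORMATION error notify
"""

# charon tags every per-SA line with <connection|ike_sa_id>. The forum rendering dropped
# the space after '>', so the space is optional here.
LINE_RE = re.compile(r"charon: \d+\[\w+\] <(?P<conn>[^|>]+)\|\d+> ?(?P<msg>.*)$")
NOTIFY_RE = re.compile(r"received (?P<name>[A-Z_]+) error notify")

# What the common IKEv1 error notifies usually mean (my wording, not charon's).
NOTIFY_HINTS = {
    "INVALID_ID_INFORMATION": "the peer has no Phase 2 entry whose local/remote networks "
                              "equal the ID payloads we proposed; compare both sides' P2 networks",
    "NO_PROPOSAL_CHOSEN": "no common proposal (encryption, hash, DH group, or PFS group)",
    "AUTHENTICATION_FAILED": "pre-shared key or Phase 1 identifier mismatch",
}


@dataclass
class Triage:
    conn: str
    ike_sa_established: bool = False    # Main/Aggressive Mode completed (Phase 1 up)
    quick_mode_sent: bool = False       # we proposed a CHILD_SA (Phase 2 started)
    child_sa_established: bool = False  # Phase 2 completed, tunnel usable
    notifies: list = field(default_factory=list)  # (phase, notify name), in order seen

    @property
    def verdict(self) -> str:
        if self.child_sa_established:
            return "tunnel up: Phase 1 and Phase 2 both established"
        if self.notifies:
            phase, name = self.notifies[-1]
            hint = NOTIFY_HINTS.get(name, "see RFC 2408 section 3.14.1 for this notify")
            return f"{phase} rejected by peer: {name}: {hint}"
        if self.quick_mode_sent:
            return "Phase 2 proposal sent but never answered: peer silent, check its logs"
        if self.ike_sa_established:
            return "Phase 1 established, Phase 2 never attempted"
        return "Phase 1 did not complete"


def triage(log_text: str) -> dict:
    """Return one Triage per connection name, collapsing the doubled lines pfSense emits."""
    results = {}
    previous = None
    for line in log_text.splitlines():
        if line == previous:      # pfSense prints each charon line twice; skip the repeat
            continue
        previous = line
        m = LINE_RE.search(line)
        if not m:
            continue              # lines without a <conn|sa> tag are not per-SA events
        t = results.setdefault(m["conn"], Triage(m["conn"]))
        msg = m["msg"]
        if "IKE_SA" in msg and "established" in msg:
            t.ike_sa_established = True
        elif "generating QUICK_MODE request" in msg:
            t.quick_mode_sent = True
        elif "CHILD_SA" in msg and "established" in msg:
            t.child_sa_established = True
        else:
            n = NOTIFY_RE.search(msg)
            if n:
                # The same notify means different things depending on where it arrives:
                # after our Quick Mode request it is a Phase 2 ID (network) mismatch; before
                # the IKE_SA is established it would be a Phase 1 identity problem.
                phase = "Phase 2" if t.quick_mode_sent else "Phase 1"
                t.notifies.append((phase, n["name"]))
    return results


if __name__ == "__main__":
    for conn, t in triage(SAMPLE_LOG).items():
        print(f"{conn}: {t.verdict}")
```

Run it against a copy of Status > System Logs > IPsec (or `/var/log/ipsec.log` on the pfSense box). On the poster's log it reports con1000 as a Phase 2 rejection, which is why changing pfSense firewall rules could not have helped: rules on the IPsec tab only govern traffic after the CHILD_SA exists.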
    yaboc

      In the IPsec rules tab, try setting the IPv4 protocol to 'any'.
    daileycomputer

      Thank you. I'll try that tonight and report back.
    pauldy

      Did you get this functional?
    daileycomputer

      I did, two days ago. It turns out the problem wasn't my end at all. The guy in charge of the router on the other end transposed some number or something (he was kind of vague about it), so my connection wasn't authorized to access anything on his network. I'm pretty sure he just typed in my external IP wrong.

      He fixed that on his end, and voila, a perfect connection. The client is very happy.

      Thanks for the help, and for the reminder to update the thread!
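The fix came from the far side, and the log explains why it had to: INVALID_ID_INFORMATION in reply to a Quick Mode request means the responder found no Phase 2 entry whose two networks equal the ID payloads the initiator sent (IDci, the initiator's network, and IDcr, the responder's network). The following is an added example that models that lookup; it is not strongSwan or pfSense code, and every network in it is a hypothetical placeholder. It also shows why a far-side entry that merely covers the proposed networks is still rejected: IKEv1 Quick Mode (RFC 2409) has no traffic-selector narrowing, unlike IKEv2 (RFC 7296).

```python
"""Model the responder side of an IKEv1 Quick Mode ID check (added example, hypothetical nets)."""
from ipaddress import ip_network


def match_phase2(responder_entries, id_ci, id_cr):
    """Return (status, detail) for the responder's Phase 2 lookup.

    responder_entries: list of (local_net, remote_net) configured on the responder.
    From the responder's point of view IDcr is its own local network and IDci the remote one.
    IKEv1 requires both to be equal to a configured pair; otherwise the responder sends
    INVALID_ID_INFORMATION, which is what the poster's pfSense logged.
    """
    ci, cr = ip_network(id_ci), ip_network(id_cr)
    problems = []
    for local, remote in responder_entries:
        local_n, remote_n = ip_network(local), ip_network(remote)
        if local_n == cr and remote_n == ci:
            return "OK", f"matched Phase 2 entry {local} <-> {remote}"
        side = []
        if local_n != cr:
            side.append(f"responder local {local} != proposed IDcr {cr}")
        if remote_n != ci:
            side.append(f"responder remote {remote} != proposed IDci {ci}")
        # An entry that contains both proposed networks would be narrowed under IKEv2;
        # under IKEv1 it is just another mismatch, so flag it to explain the failure.
        narrowable = cr.subnet_of(local_n) and ci.subnet_of(remote_n)
        problems.append("; ".join(side) + (" (would narrow under IKEv2, not IKEv1)" if narrowable else ""))
    return "INVALID_ID_INFORMATION", " | ".join(problems)


# Hypothetical networks: LAN behind the pfSense box (IDci) and the network holding the PBX (IDcr).
PFSENSE_LAN = "192.168.10.0/24"
PBX_NET = "10.50.0.0/24"

CORRECT = [("10.50.0.0/24", "192.168.10.0/24")]     # far side typed our network correctly
TRANSPOSED = [("10.50.0.0/24", "192.168.1.0/24")]   # one digit dropped on the far side
TOO_WIDE = [("10.50.0.0/16", "192.168.0.0/16")]     # covers the proposal but is not equal

if __name__ == "__main__":
    for label, entries in (("correct", CORRECT), ("transposed", TRANSPOSED), ("too wide", TOO_WIDE)):
        status, detail = match_phase2(entries, PFSENSE_LAN, PBX_NET)
        print(f"{label:10s} -> {status}: {detail}")
```

The practical check is therefore to compare the Phase 2 local and remote networks on both ends character by character, mask length included, rather than to touch the firewall rules; a single transposed digit on either side produces exactly the notify seen in the log.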
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.