Can't ping from two networks linked by an IPsec tunnel



  • Hi,
    I have two networks, each with a pfSense 2.2.4, and an IPsec tunnel linking them.
    From network A, if I ping an IP on network B, I get a reply from a 192.168.0.239 address, which should not exist but replies to ping (!). If I ping an IP on B which does not exist, I still get a reply from this 192.168.0.239 …

    From network B, I can't ping anything on network A.

    I just created the IPsec config on both ends, and did not add any route.
    Even if I can't ping, I can use IP-based apps from one side to the other.

    What did I miss? I dug as far as I could but have no leads...


  • Rebel Alliance Developer Netgate

    There are a large number of things at play there, including local networks and client firewalls that pfSense can't help (or hurt). You need to supply a lot more information, for example:

    IP address(es), subnet mask, and other config for the client/server PCs plus the firewall, IPsec Phase 2 entries, etc. Also the firewall rules for your IPsec tab and LAN(s) on both ends.



  • I'll give as many details as I can.
    At headquarters, the local network is 10.230.1.0/24.
    The WAN gateway at headquarters is x.x.x.109, using a WAN gateway of x.x.x.102.

    At the remote office, the local network is 176.16.5.0/24.
    The WAN gateway is y.y.y.79.

    Firewall rules on LAN and IPsec are on "allow all" (I have hideous things on the run and it simplifies my life).

    I made screen caps of phase 1 and 2 of the IPsec tunnel.

    The tunnel establishes well. From the remote office, using IP, I can browse shares on headquarters servers. From headquarters I can't browse the remote office.
    From the remote office, pinging headquarters always fails.

    We used mostly default options on IPsec; we just used the "lowest" encryption possible to lighten the CPU load.

    If I can provide any info to help …

    ![IPSec phase 1 headquarters.PNG](/public/imported_attachments/1/IPSec phase 1 headquarters.PNG)
    ![IPSec phase 2 headquarters.PNG](/public/imported_attachments/1/IPSec phase 2 headquarters.PNG)
    ![IPSec phase 1 remote office.PNG](/public/imported_attachments/1/IPSec phase 1 remote office.PNG)
    ![IPSec phase 2 remote office.PNG](/public/imported_attachments/1/IPSec phase 2 remote office.PNG)



  • We had a half-success: in the IPsec rules we had put only TCP in the "pass" rule; with "any" we can ping from the remote office to headquarters, but from headquarters when we ping, the reply comes from 192.168.0.239 …
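The last post touches two separate mechanisms: a "pass" rule restricted to TCP on the IPsec tab never matches ICMP echo, so share browsing works while ping is dropped, and a ping reply from an address outside the network being pinged means something other than the intended peer answered. The following is an added example, not code from the thread or from pfSense: it models the pfSense IPsec-tab ruleset as a first-match list (assumption: rules are evaluated top-down, first match wins, no match means drop), with the two subnets posted above and constructed rulesets and ping output, and it includes a small checker that flags reply sources outside the destination network.

```python
"""Added example, not code from the thread or from pfSense: a minimal
first-match model of a pfSense IPsec-tab ruleset plus a checker for ping
output. It shows why a TCP-only "pass" rule lets share browsing work across
the tunnel while ping fails, and flags replies that arrive from an address
outside the destination network (the 192.168.0.239 symptom in the thread).

Assumptions (labelled): pfSense evaluates interface rules top-down, the
first match wins, and traffic matching no rule is dropped. The subnets are
the ones posted; the rulesets and the ping output are constructed."""
import ipaddress
import re
from dataclasses import dataclass

HQ_LAN = ipaddress.ip_network("10.230.1.0/24")      # headquarters, as posted
REMOTE_LAN = ipaddress.ip_network("176.16.5.0/24")  # remote office, as posted
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and pkt.src in rule.src and pkt.dst in rule.dst)


def evaluate(rules, pkt: Packet) -> str:
    """Action of the first matching rule; no match means the implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


# Constructed rulesets mirroring the two states described in the last post.
TCP_ONLY = [Rule("pass", "tcp", ANY_NET, ANY_NET)]
ALLOW_ANY = [Rule("pass", "any", ANY_NET, ANY_NET)]


def audit(rules) -> dict:
    """Verdict for TCP and ICMP in both directions, keyed "proto direction"."""
    directions = {"remote->hq": (REMOTE_LAN, HQ_LAN),
                  "hq->remote": (HQ_LAN, REMOTE_LAN)}
    verdicts = {}
    for proto in ("tcp", "icmp"):
        for name, (src_net, dst_net) in directions.items():
            pkt = Packet(proto, src_net[10], dst_net[20])  # arbitrary hosts
            verdicts[f"{proto} {name}"] = evaluate(rules, pkt)
    return verdicts


# Matches the reply line of both Windows ("Reply from x: ...") and
# Linux/BSD ("64 bytes from x: ...") ping output.
REPLY_RE = re.compile(r"(?:Reply from|bytes from) (\d{1,3}(?:\.\d{1,3}){3})")


def unexpected_repliers(ping_output: str, dst_net) -> list:
    """Reply sources that lie outside the network being pinged: a host
    other than the intended peer is answering, so the path into the
    tunnel (routing, phase 2 selectors, intermediate devices) needs checking."""
    found = set()
    for line in ping_output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            src = ipaddress.ip_address(m.group(1))
            if src not in dst_net:
                found.add(str(src))
    return sorted(found)


# Constructed Windows ping output reproducing the symptom from the thread.
SAMPLE_PING = """\
Pinging 10.230.1.5 with 32 bytes of data:
Reply from 192.168.0.239: bytes=32 time=3ms TTL=63
Reply from 192.168.0.239: bytes=32 time=2ms TTL=63
Request timed out.
"""

if __name__ == "__main__":
    for name, rules in (("tcp-only", TCP_ONLY), ("allow-any", ALLOW_ANY)):
        print(name, audit(rules))
    print("unexpected repliers:", unexpected_repliers(SAMPLE_PING, HQ_LAN))
```

With the TCP-only ruleset the audit reports ICMP blocked in both directions while TCP passes, which is exactly the "shares work, ping doesn't" state; with the "any" rule ICMP passes. The reply checker is independent of the firewall model: once ping traffic is allowed, a reply from outside the destination subnet is the thing to chase next, since the rule change cannot explain it.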

