2.2.5: ikev2 tunnel up, but pfSense not responding to ARP request
  • I've got an IKEv2 tunnel set up according to the instructions here:
    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
    I'm using pfSense 2.2.5 and have not tried previous versions.  I previously tried to get an L2TP/IPsec connection working, but apparently this is broken (IPsec establishes, but no packets are sent to the L2TP server).

    I connect from Win7 and the connection is made quickly and all appears well as far as I can tell from the IPsec logs.  However, I cannot get a simple ping to work.

    The IPsec tunnel is coming in over the WAN port.  The LAN port of pfSense is 10.10.10.20/16.

    The Phase1 Interface is set to WAN.  The Phase2 Local Network is set to LAN subnet (10.10.0.0/16).  The Mobile clients Virtual Address Pool is set to 10.10.40.0/24.

    The Windows client gets a tunnel address of 10.10.40.1 upon connection.  I try to ping a machine on my LAN at 10.10.11.0.  Running Wireshark on that machine shows that the ping does indeed arrive.  However, the target machine never replies. The reason is that it does an ARP request for 10.10.40.1, but it gets no reply from the pfSense box.

    Dumping the ARP table in pfSense shows no entry for 10.10.40.1.  Trying to ping 10.10.40.1 from the pfSense box results in "Host is down".

    The firewall rules for LAN and IPsec are wide open, i.e. IPv4 * * * * * * *
    I've also got logging turned on in these all-pass rules and I only ever see the outbound packet on the IPsec interface.  It never shows up in the logs on the LAN interface.  I never see an inbound packet destined for 10.10.40.1.

    The only NAT rules I have are "Automatic outbound NAT rule generation".  There is no NAT established for this tunnel on the LAN.

    If it matters, the pfSense box is "directly on the internet", but the Windows machine that is trying to make an IKEv2 connection is behind a NAT box.

    Hopefully, I'm missing something basic.  Thanks for any hints.
    -todd-
  • It's not supposed to respond to ARP. You should usually put that as something off-subnet. If you want it as part of your LAN subnet, you'll need to configure proxy ARP on LAN for the mobile /24.
  • That did it!  Proxy ARP to the rescue.

    Added the subnet under Virtual IPs and BAM!  A tunnel I had previously established that was constantly pinging and printing failures all of a sudden started returning ping times.  :D

    Thank you very much for the quick reply and the hint!
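The failure mode in this thread, modelled as an added example (not code from the original posts or from pfSense): the mobile pool 10.10.40.0/24 sits inside the LAN subnet 10.10.0.0/16, so a LAN host treats the client address 10.10.40.1 as on-link and ARPs for it instead of sending its reply to the gateway; pfSense only answers ARP for its own interface address or for a Proxy ARP Virtual IP that covers the target. The interface address, subnets and addresses below are taken from the thread; the responder model is a simplification of the real ARP behaviour.

```python
import ipaddress

# Constructed from the thread: LAN subnet, mobile client pool, the client's
# tunnel address and the pfSense LAN interface address.
LAN_SUBNET = ipaddress.ip_network("10.10.0.0/16")
MOBILE_POOL = ipaddress.ip_network("10.10.40.0/24")
CLIENT_IP = ipaddress.ip_address("10.10.40.1")
LAN_IF_ADDRS = [ipaddress.ip_address("10.10.10.20")]


def lan_host_uses_arp(lan_subnet, target):
    """A LAN host ARPs directly for any target inside its own subnet;
    for anything else it hands the packet to its default gateway."""
    return target in lan_subnet


def pfsense_answers_arp(target, interface_addrs, proxy_arp_vips):
    """Simplified model of the LAN-side ARP responder: it replies only for
    its own interface addresses or for a Proxy ARP VIP range covering target."""
    if any(target == addr for addr in interface_addrs):
        return True
    return any(target in vip for vip in proxy_arp_vips)


def diagnose(lan_subnet, pool, client_ip, interface_addrs, proxy_arp_vips):
    """Return ('ok', reason) when a LAN host's reply to client_ip can reach
    pfSense, otherwise ('broken', reason) explaining why the reply is lost."""
    if not lan_host_uses_arp(lan_subnet, client_ip):
        return "ok", "pool is off-subnet; LAN hosts route replies via the gateway"
    if pfsense_answers_arp(client_ip, interface_addrs, proxy_arp_vips):
        return "ok", "pool overlaps LAN, but a Proxy ARP VIP answers for it"
    return ("broken",
            f"{pool} lies inside {lan_subnet}: LAN hosts ARP for {client_ip} "
            "and nothing answers; add a Proxy ARP VIP for the pool on LAN "
            "or move the pool off-subnet")


if __name__ == "__main__":
    # As posted: no Proxy ARP VIP -> ping reaches the LAN host, reply is lost.
    print(diagnose(LAN_SUBNET, MOBILE_POOL, CLIENT_IP, LAN_IF_ADDRS, []))
    # After the fix: the pool added under Virtual IPs as Proxy ARP on LAN.
    print(diagnose(LAN_SUBNET, MOBILE_POOL, CLIENT_IP, LAN_IF_ADDRS, [MOBILE_POOL]))
    # The alternative suggested in the reply: an off-subnet pool (constructed).
    print(diagnose(LAN_SUBNET, ipaddress.ip_network("10.20.40.0/24"),
                   ipaddress.ip_address("10.20.40.1"), LAN_IF_ADDRS, []))
```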