IPsec on pfSense: Tunnel is up, but I can't connect to remote host
The issue is sorted.
I had set up the IPsec firewall rules to go through the gateway on which IPsec was configured.
Once I changed the gateway settings to Default, it worked [almost] perfectly.
Now I can access some remote hosts, but not all.
Shekhar Pathak
Updated on September 18, 2022
Comments
-
Shekhar Pathak over 1 year
I have a strange problem with my IPsec VPN: I have 2 matched [hardware and software - 2.4.4 release p3] pfSense boxes at different locations. Each pfSense is a Firewall + DHCP server + Gateway for the local LAN. I have set up an IPsec tunnel between the two gateways, but while I can access both gateways from a local host, I can't connect to any remote hosts.
Additionally the local gateway can't ping the remote gateway.
- Local host pings local gateway
- Local host pings remote gateway
- Local host cannot ping remote host
- Local gateway cannot ping remote gateway
Local subnet: 192.168.10.0/24
Remote subnet: 192.168.9.0/24
Sitting at either location, I can access both gateways, but nothing else on the remote side.
Both gateways have the P1 and P2 settings exactly the same [apart from switching local and remote networks / gateways on the respective boxes]
Here are the P1 settings:
- Key Exchange Version: IKEv2
- Internet Protocol: Both (Dual Stack)
- Interface: WAN [which is on a static IP]
- Remote Gateway: Static IP of remote gateway
P2 Settings:
- Mode: Tunnel IPv4
- Local Network: 192.168.10.0/24 [this gets changed to .9.0 on the other box]
- NAT/BINAT translation: none
- Remote Network: 192.168.9.0/24 [this gets changed to .10.0 on the other box]
I tried disabling the firewall completely to see if that was the issue, but it had no effect.
-
John over 4 years
Make sure the subnet mask on both ends is 255.255.255.0 so you can see the entire subnet at each end.
-
Danfossi over 4 years
It seems more like a firewall problem on the clients that prevents connections from a different network, rather than the firewall on pfSense. Also, what do the host routes look like?
-
Shekhar Pathak over 4 years
@John: Both subnets are 255.255.255.0.
-
Shekhar Pathak over 4 years
@Danfossi: I've tried with the firewalls off also [disabled from advanced settings]. When you say host routes, do you mean static routes?
-
Danfossi over 4 years
Yes, among the static routes there should be a gateway (usually the IPsec server) that allows you to reach the remote network. Regarding the firewall, I had a similar problem even with the firewall disabled; I solved it only by adding the remote network among the exceptions of the firewall, which is why I was asking you to check the firewall.
-
Shekhar Pathak over 4 years
@Danfossi I can't assign an interface in the Static Routes; I only get the gateways under System > Routing > Static Routes. In Firewall > Rules > Interface I have added a rule to allow all traffic from the remote LAN address. Should I also add a rule to allow all traffic from the remote WAN address as well?
-
Danfossi over 4 years
I am attaching the official Netgate routing setup procedure: docs.netgate.com/pfsense/en/latest/vpn/ipsec/… (follow only the "allow-ipsec-traffic-through-the-firewall" section) and make sure you have created the rule as described. If you prefer the routed configuration (static route), you should follow these steps instead: docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-routed.html
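The resolution at the top of the page (an IPsec-tab firewall rule with its Gateway set to the WAN gateway instead of Default) and the "allow IPsec traffic through the firewall" rule discussed in the last comment come down to the same check: a pass rule on the IPsec interface must not carry policy routing. pfSense renders a rule whose Gateway is not Default as a pf rule containing `route-to (interface gateway)`, which pushes decrypted VPN traffic back out the WAN instead of into the LAN. The script below is an added example, not code from the thread or from pfSense: it scans `pfctl -sr`-style rule lines for that pattern on `enc0` and shows what the rule looks like once the Gateway is set back to Default. The rule lines, interface names (`em0`, `em1`) and addresses in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): flag IPsec-tab firewall rules that
# policy-route via a gateway. On a real pfSense box, replace the constructed
# sample with the output of `pfctl -sr`.

# Constructed sample of pfctl -sr output: the first line is the misconfigured
# rule from the resolution (route-to on enc0), the second is the same rule
# with Gateway = Default, the third is a LAN rule where route-to is legitimate.
SAMPLE_RULES='pass in quick on enc0 route-to (em0 203.0.113.1) inet from 192.168.9.0/24 to 192.168.10.0/24 flags S/SA keep state label "USER_RULE: Allow remote LAN"
pass in quick on enc0 inet from 192.168.9.0/24 to 192.168.10.0/24 flags S/SA keep state label "USER_RULE: Allow remote LAN"
pass in quick on em1 route-to (em0 203.0.113.1) inet from 192.168.10.0/24 to any flags S/SA keep state label "USER_RULE: LAN policy route"'

# check_rules RULES: print every pass rule on enc0 that carries route-to.
# Exit status 1 if any were found (misconfiguration present), 0 otherwise.
check_rules() {
    printf '%s\n' "$1" | awk '
        /^pass/ && / on enc0 / && / route-to / {
            print "POLICY-ROUTED IPsec rule: " $0
            bad++
        }
        END { exit (bad > 0) }'
}

# count_bad RULES: number of offending enc0 rules, for scripting.
count_bad() {
    printf '%s\n' "$1" | awk '/^pass/ && / on enc0 / && / route-to / { n++ } END { print n + 0 }'
}

# suggested_fix RULE: the same rule with the route-to clause removed, i.e.
# what pf will load once the rule's Gateway is set back to Default in the GUI.
suggested_fix() {
    printf '%s\n' "$1" | sed 's/ route-to ([^)]*)//'
}

# Stand-alone run: report offending rules and print the corrected form.
check_rules "$SAMPLE_RULES" || {
    echo "Fix: set the Gateway of these IPsec-tab rules to Default. Resulting rule(s):"
    printf '%s\n' "$SAMPLE_RULES" | grep ' on enc0 ' | grep ' route-to ' | while read -r r; do
        suggested_fix "$r"
    done
}
```

The `route-to` on the LAN rule (`em1`) is deliberately not flagged: policy routing LAN traffic to a WAN gateway is a normal multi-WAN setup; it is only wrong on the IPsec interface, where the reply path must stay inside the tunnel. Note that an IPsec-tab rule is needed at all only because pfSense blocks decrypted tunnel traffic by default, which matches the "allow IPsec traffic through the firewall" step the last comment points to.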