pfSense Support Subscription

Author Topic: 1.2.3 RC3 - IPSEC works for clients, pf box unable to ping other end of tunnel  (Read 2611 times)

0 Members and 1 Guest are viewing this topic.

Offline darkpixel

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
I have a fairly simple setup.
Main office has a SonicWALL (10.1.1.254/24)
Satellite office has a newly installed pfSense box (10.5.10.254/24)

I set the pfSense box up in place of an old SonicWALL.  Everything is working normally.  Clients on both networks can communicate without problems.

The strange thing I am seeing is that the pfSense box (10.5.10.254) can't talk to anything in 10.1.1.0/24.

Looking at the routing table on the pfsense box, I don't see anything for 10.1.1.0/24 even though clients are able to access resources in 10.1.1.0/24

This is my first IPSEC VPN setup.  Once all the SonicWALLs have been replaced with pfSense boxes, I want to switch back to OpenVPN.

Is this normal for IPSEC?  Did I find a bug in 1.2.3-RC3?

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21312
  • Karma: +1423/-26
    • View Profile
IPsec doesn't route like other protocols. The magic all happens in the kernel, you'll never see the "routes".

You have two choices to get traffic to move along the tunnel from the pfSense box itself. The first is to add a static route on the LAN interface pointing the remote subnet to the LAN interface IP. That will "trick" traffic into entering the tunnel.

If you're just worried about ping, you can try:
ping -S <pfsense lan ip> <remote ip address>

That will source the ping from the LAN IP, which will enter the tunnel as expected.

Much of this is covered in the doc wiki

http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP%2C_use_syslog%2C_NTP%2C_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline darkpixel

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
Thanks for the pointer--I totally missed that doc on my first trip through the FAQ.
Not being a BSD guy, I couldn't remember the darn ping flag to send traffic through the LAN interface.

SonicWALLs suffer from this exact same problem....I wonder what they use as their base OS... ;)