
I have a strange problem with my IPsec VPN: I have 2 matched [hardware and software - 2.4.4 release p3] pfSense boxes at different locations. Each pfSense is a Firewall + DHCP server + Gateway for the local LAN. I have set up an IPsec tunnel between the two gateways, but while I can access both gateways from a local host, I can't connect to any remote hosts.

Additionally the local gateway can't ping the remote gateway.

  • Local host pings local gateway
  • Local host pings remote gateway
  • Local host cannot ping remote host
  • Local gateway cannot ping remote gateway

Local subnet: 192.168.10.0/24

Remote subnet: 192.168.9.0/24

Sitting at either location, I can access both gateways, but nothing else on the remote side.

Both gateways have the P1 and P2 settings exactly the same [apart from switching local and remote networks / gateways on the respective boxes]

Here are the P1 settings:

  • Key Exchange Version: IKEv2
  • Internet Protocol: Both (Dual Stack)
  • Interface: WAN [which is on a static IP]
  • Remote Gateway: Static IP of remote Gateway

P2 Settings:

  • Mode: Tunnel IPv4
  • Local Network: 192.168.10.0/24 [this gets changed to .9.0 on the other box]
  • NAT/BINAT translation: none
  • Remote Network: 192.168.9.0/24 [this gets changed to .10.0 on the other box]

I tried disabling the firewall completely to see if that was the issue, but it had no effect.

  • 1
    Make sure the subnet mask on both ends is 255.255.255.0 so you can see the entire subnet at each end
    – anon
    Commented Oct 26, 2019 at 11:57
  • It seems more like a firewall problem on the clients that prevents connections from a different network than the firewall on pfSense. Also, what do the host routes look like?
    – Danfossi
    Commented Oct 27, 2019 at 17:17
  • @John: Both subnets are 255.255.255.0
    Commented Oct 30, 2019 at 10:22
  • @Danfossi: I've tried with the firewalls off also [disabled from advanced settings]. When you say host routes, do you mean static routes?
    Commented Oct 30, 2019 at 10:24
  • Yes, among the static routes there should be a gateway (usually the IPsec server) that allows you to reach the remote network. Regarding the firewall, I had a similar problem even with the firewall disabled; I solved it only by adding the remote network among the exceptions of the firewall, which is why I was asking you to check the firewall.
    – Danfossi
    Commented Oct 30, 2019 at 13:41

1 Answer

The issue is sorted,

I had set up the IPsec firewall rules to go through the gateway on which IPsec was configured.

Once I changed the gateway settings to Default, it worked [almost] perfectly.

Now I can access some remote hosts, but not all.
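As an added example (not from the poster or from pfSense's own tooling): a small check that scans a pfSense-style config.xml export for IPsec-tab firewall rules that set an explicit gateway, the policy-routing setting the answer describes, so the misconfiguration can be spotted before traffic is tested. The element names (`enc0` for the IPsec interface, `<gateway>` for a policy-routed rule) and the sample config are assumptions, not taken from the poster's boxes.

```python
import xml.etree.ElementTree as ET

# Constructed pfSense-style config.xml excerpt (not from the poster's box).
# Assumption: IPsec-tab rules carry <interface>enc0</interface>, and a
# policy-routed rule stores its gateway in a <gateway> element.
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule>
      <interface>enc0</interface>
      <descr>Remote LAN over IPsec (policy-routed, wrong)</descr>
      <gateway>WANGW</gateway>
      <source><network>192.168.9.0/24</network></source>
      <destination><network>192.168.10.0/24</network></destination>
    </rule>
    <rule>
      <interface>enc0</interface>
      <descr>Remote LAN over IPsec (Default gateway, fine)</descr>
      <source><network>192.168.9.0/24</network></source>
      <destination><network>192.168.10.0/24</network></destination>
    </rule>
    <rule>
      <interface>lan</interface>
      <descr>LAN out via WANGW (not an IPsec rule, ignored)</descr>
      <gateway>WANGW</gateway>
      <source><network>lan</network></source>
      <destination><any/></destination>
    </rule>
  </filter>
</pfsense>"""

def policy_routed_ipsec_rules(config_xml):
    """Return IPsec (enc0) rules that force traffic out an explicit gateway."""
    # Matching traffic is policy-routed via that gateway instead of being
    # left to the IPsec SPD, so remote hosts behind the tunnel stay unreachable.
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.iter("rule"):
        iface = (rule.findtext("interface") or "").strip()
        gw = (rule.findtext("gateway") or "").strip()
        if iface == "enc0" and gw and gw.lower() != "default":
            findings.append({
                "descr": rule.findtext("descr", "").strip(),
                "gateway": gw,
                "destination": rule.findtext("destination/network", "").strip(),
            })
    return findings

if __name__ == "__main__":
    for f in policy_routed_ipsec_rules(SAMPLE_CONFIG):
        print(f"policy-routed IPsec rule: {f['descr']!r} -> gateway {f['gateway']}")
```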
