Roland Giesler
2018-02-08 16:16:17 UTC
I'm trying to find a solution and know there are quite a few pfSense users
here, so here goes...
We've set up some IPSec tunnels and they connect. The Phase2 also "comes
up", but we can't reach the hosts specified in the Phase2 "remote network".
One instance (to keep it simpler):
WAN gateway: x.x.x.x (primary firewall interface)
Phase1:
Interface: Virtual IP a.a.a.a
Phase2:
Local address: address c.c.c.c
Local NAT translation: address a.a.a.a
Remote address: r.r.r.r (A public ip)
When phase1 and 2 are up and connected, I see no route for r.r.r.r in the
routing table.
Doing a traceroute from c.c.c.c, I get traffic leaving the network via
x.x.x.x, not via a.a.a.a. This could be because x.x.x.x is just a virtual
address though, or what?
In the firewall log I see:
Feb 8 18:07:40 ► IPsec a.a.a.a:57914 r.r.r.r:12345 TCP:S
So traffic is being allowed via IPsec from a.a.a.a to r.r.r.r, but I'm not
getting any response from the remote.
What is going on here? Should there be a route to r.r.r.r in the routing
table or does pfSense hide some mechanics of the ports and routes from me?
Thanks
Roland
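Policy-based IPsec on FreeBSD, which pfSense runs on, does not install routes for a Phase 2 remote network: the kernel consults the Security Policy Database (visible with `setkey -DP`) on each outgoing packet's own source and destination, a packet matching an outbound policy is ESP-encapsulated and the resulting packet to the peer follows the ordinary routing table (here the default route out the WAN), and a packet matching no outbound policy leaves in cleartext along that same default route. The check worth making when a tunnel is "up" but hosts are unreachable is therefore which local addresses the outbound policies actually cover. The script below is an added example, not code from the post or from pfSense; the addresses are constructed RFC 5737 stand-ins for a.a.a.a / c.c.c.c / r.r.r.r, and the `setkey -DP` text is constructed in FreeBSD's output format (first-match lookup is a simplification of the kernel's priority ordering).

```python
"""Model the FreeBSD/pfSense egress decision for policy-based IPsec:
SPD lookup on the packet's own addresses, not a routing-table lookup.
Added example with constructed data, not code from the post."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-ins for the placeholders used in the post.
VIRTUAL_IP = "192.0.2.10"     # a.a.a.a: Virtual IP the Phase 1 binds to
LAN_HOST = "10.0.0.5"         # c.c.c.c: real local host behind pfSense
REMOTE = "198.51.100.20"      # r.r.r.r: Phase 2 remote address
DEFAULT_GW = "203.0.113.1"    # upstream gateway reached via x.x.x.x

# Constructed `setkey -DP` output: the SPD covers only the translated
# local address a.a.a.a; there is no outbound entry for c.c.c.c.
SPD_NAT_ONLY = f"""\
{VIRTUAL_IP}[any] {REMOTE}[any] any
\tout ipsec
\tesp/tunnel/{VIRTUAL_IP}-{REMOTE}/unique:1
\tspid=2 seq=1 pid=4242
\trefcnt=1
{REMOTE}[any] {VIRTUAL_IP}[any] any
\tin ipsec
\tesp/tunnel/{REMOTE}-{VIRTUAL_IP}/unique:1
\tspid=1 seq=0 pid=4242
\trefcnt=1
"""

# Same SPD plus an outbound policy for the untranslated LAN host.
SPD_WITH_LAN = SPD_NAT_ONLY + f"""\
{LAN_HOST}[any] {REMOTE}[any] any
\tout ipsec
\tesp/tunnel/{VIRTUAL_IP}-{REMOTE}/unique:1
\tspid=4 seq=2 pid=4242
\trefcnt=1
"""

_SELECTOR = re.compile(r"^([^\s\[]+)\[[^\]]*\] ([^\s\[]+)\[[^\]]*\] \S+$")
_ACTION = re.compile(r"^\s+(in|out|fwd) (ipsec|none|discard)$")
_TUNNEL = re.compile(r"^\s+esp/tunnel/([^-]+)-([^/]+)/")


@dataclass
class Policy:
    src: ipaddress.IPv4Network      # traffic selector, source side
    dst: ipaddress.IPv4Network      # traffic selector, destination side
    direction: str                  # "in", "out" or "fwd"
    tunnel_local: str               # outer ESP source
    tunnel_remote: str              # outer ESP destination (the peer)


def parse_setkey_dp(text: str) -> List[Policy]:
    """Parse `setkey -DP` output; keep only policies whose action is ipsec."""
    policies: List[Policy] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        sel = _SELECTOR.match(lines[i])
        i += 1
        if not sel:
            continue
        direction = action = tun_local = tun_remote = None
        # Attribute lines of one policy are indented; the next selector is not.
        while i < len(lines) and lines[i][:1] in ("\t", " "):
            act, tun = _ACTION.match(lines[i]), _TUNNEL.match(lines[i])
            if act:
                direction, action = act.group(1), act.group(2)
            elif tun:
                tun_local, tun_remote = tun.group(1), tun.group(2)
            i += 1
        if action == "ipsec" and tun_local and tun_remote:
            policies.append(Policy(ipaddress.ip_network(sel.group(1), strict=False),
                                   ipaddress.ip_network(sel.group(2), strict=False),
                                   direction, tun_local, tun_remote))
    return policies


def outbound_policy(policies: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """SPD lookup on the packet's own addresses; the routing table is not consulted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction == "out" and s in p.src and d in p.dst:
            return p
    return None


def egress(policies: List[Policy], src: str, dst: str, default_gw: str = DEFAULT_GW) -> str:
    """Describe what actually leaves the firewall for a packet src->dst."""
    p = outbound_policy(policies, src, dst)
    if p is None:
        return f"cleartext {src}->{dst} via {default_gw}"
    # The ESP packet to the peer is routed like any other packet, so the
    # peer shows up only as a default-route destination in `netstat -rn`.
    return f"esp {p.tunnel_local}->{p.tunnel_remote} via {default_gw}, inner {src}->{dst}"


if __name__ == "__main__":
    for label, spd in (("SPD covering a.a.a.a only", SPD_NAT_ONLY),
                       ("SPD covering a.a.a.a and c.c.c.c", SPD_WITH_LAN)):
        pols = parse_setkey_dp(spd)
        print(f"{label}: {len(pols)} ipsec policies")
        for src in (VIRTUAL_IP, LAN_HOST):
            print("  ", egress(pols, src, REMOTE))
```

With the first SPD the LAN host's packets never enter the tunnel and leave in the clear via the default gateway; with the second they are encapsulated and only the ESP packet to the peer uses the default route. On a real box, run `setkey -DP` on the pfSense shell and feed its output to `parse_setkey_dp`, then check `outbound_policy` for the address the LAN host actually sends from. Note also that a traceroute from inside a policy-based tunnel cannot show intermediate Internet hops, because the probe travels encrypted inside ESP; seeing the upstream path hop by hop means the probes were not encapsulated.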