I have two pfSense boxes connected via an IPSEC tunnel. I'm confused about whether a route gets added automatically to the remote network end of an IPSEC tunnel when the tunnel comes up. I was under the impression that there was no need to be concerned with routing between the two subnets within the pfSense boxes, that they would “know” about a remote subnet and route to it automatically.
However, currently the tunnel can be up, hosts in either remote subnet can ping each other, but the pfSense boxes themselves can't ping hosts in the remote subnet, including the LAN address of the other pfSense host to which they are connected. And if I do add a static route, what should I use as the gateway? Devices in the local subnet just use the LAN address as the gateway, but that doesn't seem appropriate for the pfSense box. The tunnel goes out over the WAN address, but using that as the pfSense box's gateway to the remote subnet doesn't seem right either.

While in this anomalous state, if I look at the IPSEC status, I see the correct networks in Local subnets and Remote subnets in both boxes. Both boxes have only a “pass all ipv4” firewall rule for IPSEC. If I look at the routing tables, there is no route to the remote subnet. I also have dead peer detection enabled, which if I understand it correctly, requires that the other side's LAN address be pingable. What could cause this situation, and what is the solution?

Thanks for any suggestions.

Greg Shenaut

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
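The situation described in the post (tunnel up, hosts behind each firewall reach each other, no route for the remote subnet in the routing table, pings from the firewall itself failing) is what policy-based IPsec looks like from the outside: the tunnel is selected by security policy entries keyed on source and destination, not by a route, and a packet the firewall originates without an explicit source address takes the address of the interface its ordinary route lookup picks, which is the WAN when the only match is the default route. The model below, added here as an illustration and not taken from the post or from pfSense's own code, walks a packet through that decision so the difference between forwarded LAN traffic and firewall-originated traffic is visible. All subnets, interface names and addresses in it are constructed assumptions.

```python
import ipaddress

# Constructed example values (assumptions, not from the mailing-list post):
# one phase 2 entry between two /24s, a WAN interface holding the default
# route and a LAN interface. There is deliberately no route to the remote
# subnet: a policy-based tunnel installs SPD entries, not routes.
PHASE2_POLICIES = [
    (ipaddress.ip_network("192.168.1.0/24"),   # local subnet
     ipaddress.ip_network("192.168.2.0/24")),  # remote subnet
]
ROUTES = [
    # (destination prefix, egress interface, that interface's address)
    (ipaddress.ip_network("0.0.0.0/0"), "WAN", ipaddress.ip_address("203.0.113.10")),
    (ipaddress.ip_network("192.168.1.0/24"), "LAN", ipaddress.ip_address("192.168.1.1")),
]


def lookup_route(dst):
    """Longest-prefix match over the constructed routing table."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, addr in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, addr)
    return best


def default_source(dst):
    """Source address a firewall-originated packet gets when the sender does
    not pick one: the address of the interface the route lookup selects."""
    return lookup_route(dst)[2]


def spd_match(src, dst):
    """Return the phase 2 policy whose local/remote pair covers src/dst, or None.
    This is the selector check a policy-based tunnel applies to every outbound
    packet, independently of the routing table."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in PHASE2_POLICIES:
        if src in local and dst in remote:
            return (local, remote)
    return None


def classify(dst, src=None):
    """Decide how a packet would leave the firewall: through the tunnel if a
    policy matches its src/dst pair, otherwise in the clear along its route."""
    src = ipaddress.ip_address(src) if src else default_source(dst)
    policy = spd_match(src, dst)
    if policy:
        return {"src": str(src), "path": "ipsec",
                "policy": f"{policy[0]} -> {policy[1]}"}
    net, iface, _ = lookup_route(dst)
    return {"src": str(src), "path": "cleartext", "route": f"{net} via {iface}"}


if __name__ == "__main__":
    # A LAN host's forwarded packet: source is inside the local subnet.
    print("LAN host      :", classify("192.168.2.1", src="192.168.1.50"))
    # The firewall's own ping with no source given: sourced from the WAN address.
    print("firewall auto :", classify("192.168.2.1"))
    # The firewall's own ping with the LAN address chosen as source.
    print("firewall LAN  :", classify("192.168.2.1", src="192.168.1.1"))
```

The three calls in the `__main__` block give the three cases from the post: a LAN host's packet and a firewall packet explicitly sourced from the LAN address both satisfy the policy selectors, while a firewall packet left to default source selection carries the WAN address, matches no policy and follows the default route in the clear. The check a practitioner would make on the real system is the same one `classify` performs: compare the source address the packet actually carries against the local subnet of the phase 2 entry, rather than looking for a route that a policy-based tunnel never installs.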
