It's not a routing issue, it's a bug/mis-feature in FreeBSD's IPSec stack.
See
https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN
for more info.
-Adam
On 04/24/2015 09:37 AM, Gregory K Shenaut wrote:
I have two pfSense boxes connected via an IPSEC tunnel.
I'm confused about whether a route gets added automatically to the remote
network end of an IPSEC tunnel when the tunnel comes up. I was under the
impression that there was no need to be concerned with routing between the two
subnets within the pfSense boxes, that they would “know” about a remote subnet
and route to it automatically.
However, currently the tunnel can be up, hosts in either remote subnet can ping
each other, but the pfSense boxes themselves can't ping hosts in the remote
subnet, including the LAN address of the other pfSense host to which they are
connected.
And if I do add a static route, what should I use as the gateway? Devices in
the local subnet just use the LAN address as the gateway, but that doesn't seem
appropriate for the pfSense box. The tunnel goes out over the WAN address, but
using that as the pfSense box's gateway to the remote subnet doesn't seem right
either.
While in this anomalous state, if I look at the IPSEC status, I see the correct
networks in Local subnets and Remote subnets in both boxes. Both boxes have
only a “pass all ipv4” firewall rule for IPSEC. If I look at the routing
tables, there is no route to the remote subnet.
I also have dead peer detection enabled, which if I understand it correctly,
requires that the other side's LAN address be pingable.
What could cause this situation, and what is the solution?
Thanks for any suggestions.
Greg Shenaut
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
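The behaviour Adam's reply points at (firewall-originated traffic picks its source address from the routing table, ends up with the WAN address, and so never matches the IPsec policy that covers LAN-to-remote-LAN) can be modelled in a few lines. The following is an added example, not code from the thread or from pfSense; the addresses, the simplified route lookup and the two-selector SPD model are all constructed for illustration, and `with_lan_route` only shows how source selection changes the policy match, not the procedure from the linked doc.

```python
import ipaddress

# Constructed sample topology (an assumption for this example, not the
# poster's addresses): one side of a site-to-site IPsec tunnel.
LOCAL_LAN = "192.168.10.0/24"
REMOTE_LAN = "192.168.20.0/24"
LOCAL_LAN_IP = "192.168.10.1"    # this firewall's LAN address
WAN_IP = "203.0.113.10"          # this firewall's WAN address

# Routing table entries as (prefix, interface, address used as source when the
# firewall itself sends via that interface).  The tunnel installs no route for
# REMOTE_LAN, so REMOTE_LAN falls under the default route out of WAN.
ROUTES = [
    ("0.0.0.0/0", "wan", WAN_IP),
    (LOCAL_LAN, "lan", LOCAL_LAN_IP),
]

# Security Policy Database: (local selector, remote selector).  A packet is
# tunnelled only if its source is inside the local selector and its
# destination inside the remote one.
SPD = [(LOCAL_LAN, REMOTE_LAN)]


def lookup_route(routes, dst):
    """Longest-prefix match.  Returns (interface, source address) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname, addr in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, addr)
    return None if best is None else (best[1], best[2])


def matches_spd(spd, src, dst):
    """True if some SPD entry covers the (src, dst) pair."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in ipaddress.ip_network(local) and dst in ipaddress.ip_network(remote)
               for local, remote in spd)


def classify(routes, spd, src, dst):
    """Return (verdict, source address) where verdict is 'ipsec' or 'cleartext'.

    src=None models a packet the firewall originates itself: the kernel picks
    the source address from the route lookup before the SPD is consulted."""
    if src is None:
        hop = lookup_route(routes, dst)
        if hop is None:
            return ("unroutable", None)
        src = hop[1]
    return ("ipsec" if matches_spd(spd, src, dst) else "cleartext"), str(src)


def with_lan_route(routes):
    """Routing table with a static route for REMOTE_LAN via the LAN interface.
    Included only to show how source selection changes the SPD result; it is
    not the procedure from the linked pfSense doc."""
    return routes + [(REMOTE_LAN, "lan", LOCAL_LAN_IP)]


if __name__ == "__main__":
    print("LAN host -> remote host :", classify(ROUTES, SPD, "192.168.10.50", "192.168.20.5"))
    print("firewall -> remote host :", classify(ROUTES, SPD, None, "192.168.20.5"))
    print("same, with LAN route    :", classify(with_lan_route(ROUTES), SPD, None, "192.168.20.5"))
```

Running it shows the asymmetry Greg describes: a LAN host's packet (source 192.168.10.50) matches the policy and is tunnelled, while the firewall's own ping to the same destination is sourced from 203.0.113.10 and falls outside every selector, so the remote LAN is unreachable from the box even though the tunnel is up and "Remote subnets" looks correct in the status page. The model's route table also reproduces what Greg saw: no entry for the remote subnet appears, because the SPD, not the routing table, is what steers matching traffic into the tunnel.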