Ah. Thank you, that makes sense.

Greg
> On Apr 24, 2015, at 09:55 , Adam Thompson <[email protected]> wrote:
>
> It's not a routing issue, it's a bug/mis-feature in FreeBSD's IPSec stack.
> See
> https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN
> for more info.
> -Adam
>
> On 04/24/2015 09:37 AM, Gregory K Shenaut wrote:
>> I have two pfSense boxes connected via an IPSEC tunnel.
>>
>> I'm confused about whether a route gets added automatically to the remote
>> network end of an IPSEC tunnel when the tunnel comes up. I was under the
>> impression that there was no need to be concerned with routing between the
>> two subnets within the pfSense boxes, that they would “know” about a remote
>> subnet and route to it automatically.
>>
>> However, currently the tunnel can be up, hosts in either remote subnet can
>> ping each other, but the pfSense boxes themselves can't ping hosts in the
>> remote subnet, including the LAN address of the other pfSense host to which
>> they are connected.
>>
>> And if I do add a static route, what should I use as the gateway? Devices in
>> the local subnet just use the LAN address as the gateway, but that doesn't
>> seem appropriate for the pfSense box. The tunnel goes out over the WAN
>> address, but using that as the pfSense box's gateway to the remote subnet
>> doesn't seem right either.
>>
>> While in this anomalous state, if I look at the IPSEC status, I see the
>> correct networks in Local subnets and Remote subnets in both boxes. Both
>> boxes have only a “pass all ipv4” firewall rule for IPSEC. If I look at the
>> routing tables, there is no route to the remote subnet.
>>
>> I also have dead peer detection enabled, which if I understand it correctly,
>> requires that the other side's LAN address be pingable.
>>
>> What could cause this situation, and what is the solution?
>>
>> Thanks for any suggestions.
>>
>> Greg Shenaut
>> _______________________________________________
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
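The behaviour Adam's reply points at (policy-based IPsec installs no routes; the SPD selects traffic by source and destination; a packet the firewall originates takes its source address from the egress interface the routing table picks, normally the WAN side) can be seen in a small model. The following is an added example written for this page, not pfSense or FreeBSD code and not from anyone in the thread. All addresses, the interface names, the SPD entry and the `Host`/`Route` classes are constructed; the static-route step models the workaround the linked pfSense doc describes, under the simplifying assumption that source selection simply follows the route's interface.

```python
"""
Toy model of a policy-based IPsec host such as a pfSense/FreeBSD firewall.

Constructed example, not pfSense or FreeBSD code. It shows why the firewall
can forward LAN <-> remote traffic through the tunnel while its own pings to
the remote subnet fail: no route exists for the remote subnet, the SPD is
consulted by (src, dst) only, and a self-originated packet is sourced from
the WAN address because the default route points out the WAN interface.
Addresses are constructed (RFC 1918 / RFC 5737).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Route:
    prefix: IPv4Network
    iface: str          # interface the packet leaves through


@dataclass
class Host:
    ifaces: dict        # interface name -> address configured on it
    routes: list        # list of Route
    spd: list           # phase 2 selectors: (local subnet, remote subnet)

    def route_lookup(self, dst: IPv4Address) -> str:
        """Longest-prefix match; returns the egress interface name."""
        candidates = [r for r in self.routes if dst in r.prefix]
        return max(candidates, key=lambda r: r.prefix.prefixlen).iface

    def pick_source(self, dst: IPv4Address) -> IPv4Address:
        """Self-originated packet: source = address of the egress interface."""
        return self.ifaces[self.route_lookup(dst)]

    def spd_match(self, src: IPv4Address, dst: IPv4Address) -> bool:
        """True if some phase 2 entry covers this (src, dst) pair."""
        return any(src in local and dst in remote for local, remote in self.spd)

    def forward(self, src: IPv4Address, dst: IPv4Address) -> bool:
        """Transit packet from a LAN host: source is already fixed by the host."""
        return self.spd_match(src, dst)

    def originate(self, dst: IPv4Address, source=None):
        """Packet the firewall sends itself; optional explicit source address."""
        src = IPv4Address(source) if source else self.pick_source(dst)
        return src, self.spd_match(src, dst)


REMOTE_HOST = IPv4Address("10.0.0.5")   # constructed host behind the far tunnel end


def build_site_a() -> Host:
    """Constructed site A: LAN 192.168.1.0/24, WAN 203.0.113.2, tunnel to 10.0.0.0/24."""
    return Host(
        ifaces={"lan": IPv4Address("192.168.1.1"), "wan": IPv4Address("203.0.113.2")},
        routes=[
            Route(IPv4Network("0.0.0.0/0"), "wan"),        # default route out WAN
            Route(IPv4Network("192.168.1.0/24"), "lan"),   # connected LAN
            Route(IPv4Network("203.0.113.0/30"), "wan"),   # connected WAN
            # note: nothing for 10.0.0.0/24; the tunnel coming up adds no route
        ],
        spd=[(IPv4Network("192.168.1.0/24"), IPv4Network("10.0.0.0/24"))],
    )


def lan_host_reaches_remote() -> bool:
    """A LAN host's packet matches the SPD and is sent through the tunnel."""
    return build_site_a().forward(IPv4Address("192.168.1.10"), REMOTE_HOST)


def firewall_ping_default_source():
    """The firewall's own ping is sourced from the WAN address: no SPD match."""
    return build_site_a().originate(REMOTE_HOST)


def firewall_ping_from_lan_address():
    """Forcing the LAN address as source (ping -S style) makes the SPD match."""
    return build_site_a().originate(REMOTE_HOST, source="192.168.1.1")


def firewall_ping_after_static_route():
    """Static route for the remote subnet via the LAN side: source becomes LAN IP."""
    fw = build_site_a()
    fw.routes.append(Route(IPv4Network("10.0.0.0/24"), "lan"))
    return fw.originate(REMOTE_HOST)


if __name__ == "__main__":
    print("LAN host -> remote matches SPD:", lan_host_reaches_remote())
    print("firewall ping, default source:", firewall_ping_default_source())
    print("firewall ping, LAN source:    ", firewall_ping_from_lan_address())
    print("firewall ping, static route:  ", firewall_ping_after_static_route())
```

Run it with `python3 ipsec_spd_model.py` (file name is arbitrary). The practical check on a real box mirrors the model: compare the routing table (no entry for the remote subnet) against the SPD entries, then test with the LAN address as source; if that works while a plain ping fails, the firewall is hitting exactly the source-selection behaviour Adam describes rather than a tunnel or rule problem.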
