Pfsense to Pfsense Ipsec tunnel help needed

IpSec Tunnel Setup

Pfsense Box 1
Running DHCP and Resolver
IP range of LAN subnet = 10.1.1.0/24
WAN is set as DHCP and gets ip from ISP

IPSec Tunnel Info:
- Phase1:
Interface = LAN
Remote Gateway = 10.1.1.9 (the IP address that Pfsense Box 2 gets, as it is connected to the LAN network of Box 1)

- Phase2:
Mode = tunnel
Local Subnet = 10.1.1.0/24
Remote Subnet = 172.10.10.0/24

Pfsense Box 2
- Phase1:
Interface = WAN
Remote Gateway = 10.1.1.1

- Phase2:
Mode = tunnel
Local Subnet = 172.10.10.0/24
Remote Subnet = 10.1.1.0/24

The issue:
I am currently working from a system that is attached to the 10.1.1.0/24 network on the Box 1 system. The tunnel is up and both phase 1 and 2 of the tunnel are showing as connected. From the 10.1.1.0/24 network I can ping systems on the 172.10.10.0/24 network both by IP and FQDN. This also holds true when I am connected to a VM on the 172.10.10.0/24 network; from that VM I can ping the gateway of both Pfsense boxes, so network traffic between the two networks is passing through without issue. The kicker is, from a VM or system on the 172.10.10.0/24 network I am unable to get out to the internet. Such as when I try to ping 8.8.8.8 or google.com, the traffic doesn’t look to be either getting out or the return is not getting back in. I say not getting back in because when doing packet captures on both the Pfsense boxes I can see ICMP traffic coming through with the correct source and destination data.

I followed the instructions on Netgate’s docs page along with looking over and following along with other tuts to set up an IPsec tunnel. The difference with my setup is my tunnels are not connecting over both WAN connections but rather LAN (Pfsense Box 1) to WAN (Pfsense Box 2). As for firewall rules, under the IPsec tab in Rules it’s wide open with the following:
Protocol = ip6
Source = *
Port = *
Dest = *
Port = *
Gateway = *
Queue = None

This type of rule is the same on both systems.

Any help with this would be awesome. Thank you
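As an added illustration (not part of the original post or of pfSense’s own code), the Phase 2 entries above can be modelled as IPsec traffic selectors: a packet is only sent into the tunnel when its source falls inside a Phase 2 local subnet and its destination inside the matching remote subnet; anything else is routed normally. The check below uses the thread’s subnets, plus a constructed, assumed wider selector set to show what would change if the remote side were 0.0.0.0/0.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the Phase 2 entries from the post, one list per box.
# Each tuple is (local subnet, remote subnet) as entered in the pfSense GUI.
PHASE2 = {
    "box1": [("10.1.1.0/24", "172.10.10.0/24")],
    "box2": [("172.10.10.0/24", "10.1.1.0/24")],
}

# Assumed alternative (NOT from the thread): Box 2 tunnels everything to Box 1
# and Box 1 accepts any destination from the 172 side.
WIDE_PHASE2 = {
    "box1": [("0.0.0.0/0", "172.10.10.0/24")],
    "box2": [("172.10.10.0/24", "0.0.0.0/0")],
}


def tunneled(box, src, dst, phase2=PHASE2):
    """Return the (local, remote) selector that would carry src->dst on `box`,
    or None when no Phase 2 matches and the packet is routed normally."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in phase2[box]:
        if s in ip_network(local) and d in ip_network(remote):
            return (local, remote)
    return None


def classify(src, dst, phase2=PHASE2):
    """Describe what each box does with a packet originating behind Box 2."""
    out = []
    for box in ("box2", "box1"):
        sel = tunneled(box, src, dst, phase2)
        state = f"tunnel via {sel}" if sel else "not tunneled (normal routing)"
        out.append(f"{box}: {src} -> {dst}: {state}")
    return out


if __name__ == "__main__":
    # LAN-to-LAN traffic matches on both boxes; internet-bound traffic
    # from the 172 network matches no selector with the posted config.
    for line in classify("172.10.10.5", "10.1.1.20"):
        print(line)
    for line in classify("172.10.10.5", "8.8.8.8"):
        print(line)
    for line in classify("172.10.10.5", "8.8.8.8", WIDE_PHASE2):
        print(line)
```

Run against the posted selectors, a ping from 172.10.10.5 to 8.8.8.8 matches no Phase 2 on either box, so packet captures of that flow on the IPsec interface reflect routing decisions rather than the tunnel policy itself.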

  1. Was the 172 network able to reach out to the internet before setting up the ipsec tunnel?
  2. What does the LAN rules look like for the 172 network?
  3. Also what do the rules look like on your NAT outbound for the 172 network?

Hi xMAXIMUSx and thank you for your reply.

  1. Yes the 172 network was able to traverse out to the internet before setting up the tunnel. Not sure if it’s clear in my original post, the 172 network is on a separate Pfsense box that has the WAN connection getting a DHCP IP address from the LAN network of the Box 1 system.

Here’s a screen capture of the rules and NAT info you asked about. I ran into an issue not being able to post more than one image as I am a new user, so I created one big image.

I want to put this out there: I am not great with networking, as I’m sure is obvious. I’m following tuts and figuring this all out as I go, as I do know enough to be dangerous.

Thank you again for the help.

Dang, I didn’t realize you commented back!

Personally I would set a wide open rule on your IPsec interface. Once you have an “any any” wide open rule on BOTH pfsense boxes on the IPsec interface your devices should start talking.

Right now you only have TCP traffic from the LAN to the WAN which is right.

Also no need to create outbound rules or routes. Pfsense takes care of that for you.

Here is an example of my tunnels:

The source is ONLY for the remote subnets on the other pfsense you have going through the tunnel.
The destination is what you want the remote subnets to talk to on the local subnets.

Then you would do the same thing on the other Pfsense box.

I hope this helps.