Chris Buechler wrote:
> On Tue, Sep 22, 2009 at 11:10 PM, Evgeny Yurchenko <[email protected]> wrote:
>> I cannot ping 10.29.11.1 or 10.29.11.2 from any host connected to LAN
>> pfSense1. Traffic does not go over IPSec but instead is NATed and goes to
>> the Internet.
>> On WAN (ng0):
>> 20:29:13.951253 IP x.x.x.106 > 10.29.11.1: ICMP echo request, id 1781, seq 6706, length 40
>> 20:29:19.451065 IP x.x.x.106 > 10.29.11.1: ICMP echo request, id 1781, seq 6962, length 40
>> 20:29:24.950912 IP x.x.x.106 > 10.29.11.1: ICMP echo request, id 1781, seq 7218, length 40
>> Can anybody explain this?
> If it's initiated from the firewall, and initiated from a source IP
> that's part of the IPsec connection, it will traverse the IPsec. If
> you don't tell it where to initiate, and you don't have the static
> route described in the aforementioned FAQ, it will follow the system
> routing table, which generally means it won't go over IPsec.
I totally understand it and agree, but my purpose is to allow hosts from
one subnet to reach another (remote) subnet, and this does not work.
This trace is for the case when traffic is initiated by PC 10.29.1.34
(connected to LAN pfSense1).
I mentioned "traffic initiated from the firewall" only to demonstrate
that the IPSec tunnel is up and running.
Eugene
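As an added example (not code from this thread, nor from pfSense), the check below reads plaintext WAN capture lines of the kind shown above and flags packets to the remote IPsec subnet that left the box unencapsulated, then reports whether their source falls inside a phase 2 selector pair. The selector subnets, the 203.0.113.106 stand-in for the redacted x.x.x.106, and the extra ESP and TCP lines are constructed assumptions.

```python
import ipaddress
import re

# Constructed phase 2 selectors assumed for this example (not taken from the thread):
# (local subnet behind pfSense1, remote subnet behind the far end).
PHASE2 = [
    (ipaddress.ip_network("10.29.1.0/24"), ipaddress.ip_network("10.29.11.0/24")),
]

# Constructed WAN capture in tcpdump format. The thread's redacted x.x.x.106 is
# replaced by the documentation address 203.0.113.106; the ESP and TCP lines are
# added for contrast and are not from the original trace.
SAMPLE_WAN_CAPTURE = [
    "20:29:13.951253 IP 203.0.113.106 > 10.29.11.1: ICMP echo request, id 1781, seq 6706, length 40",
    "20:29:19.451065 IP 203.0.113.106 > 10.29.11.1: ICMP echo request, id 1781, seq 6962, length 40",
    "20:29:20.100000 IP 203.0.113.106 > 198.51.100.7: ESP(spi=0x0a1b2c3d,seq=0x12), length 116",
    "20:29:21.300000 IP 203.0.113.106.51512 > 93.184.216.34.443: Flags [S], seq 1, win 65535, length 0",
    "20:29:24.950912 IP 203.0.113.106 > 10.29.11.1: ICMP echo request, id 1781, seq 7218, length 40",
]

# "HH:MM:SS.usec IP src[.port] > dst[.port]:" -- plain IPv4 only, no hostnames.
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

def matches_phase2(src, dst, selectors=PHASE2):
    """True when src/dst fall inside a phase 2 selector pair, i.e. the traffic the
    kernel's security policy would hand to the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in selectors)

def tunnel_leaks(wan_lines, selectors=PHASE2):
    """Return (src, dst) pairs seen in the clear on WAN whose destination is a
    remote IPsec subnet. Encapsulated (ESP) packets are the expected form and are
    skipped; a cleartext hit means the packet missed the policy and was routed
    and NATed like ordinary Internet traffic, which is what the thread's trace shows."""
    leaks = []
    for line in wan_lines:
        m = LINE_RE.match(line)
        if not m or ": ESP(" in line:
            continue
        src, dst = m.groups()
        if any(ipaddress.ip_address(dst) in remote for _, remote in selectors):
            leaks.append((src, dst))
    return leaks

if __name__ == "__main__":
    for src, dst in tunnel_leaks(SAMPLE_WAN_CAPTURE):
        print(f"cleartext to VPN subnet: {src} -> {dst}; "
              f"covered by phase 2: {matches_phase2(src, dst)}")
```

For the sample capture every flagged packet carries the post-NAT WAN source, which no phase 2 local selector covers; that is the symptom Chris describes, so the fix belongs in the phase 2 local subnet or the outbound NAT order, not in the firewall-initiated ping.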
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org