I have an IPSEC tunnel established. On the far side (Netgate appliance) I have traffic properly routing local net to remote net. On the near side, I cannot get a ping to the remote net.
My traceroute shows the traffic hit the firewall and hop out to the ISP, as if the route isn't installed.
Does anyone know how I can test this further? First thing that comes to mind is to reboot the firewall but I cannot do that at this time.
If it's a policy-based IPSec check the SPDs.
If it's a VTI check the routing table.
If you have further troubles with this come back with more details.
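For the VTI case the reply's advice is "check the routing table", which on a FreeBSD-based OPNsense or pfSense box means reading `netstat -rn`. The script below is an added example, not code from the thread, from OPNsense or from Netgate: it parses a `netstat -rn` style dump, does a longest-prefix lookup for the remote LAN, and reports whether the packet would leave on the ipsec interface via the VTI peer address or fall through to the default route and go out the WAN in the clear (the symptom the question describes). The two routing tables are constructed for the example; the interface names (ipsec1, ipsec2, vtnet0, em0) and the WAN addresses from documentation ranges are assumptions. The far-side table reuses the 172.16.0.0/12 summary entry the thread's Netgate shows, so the lookup must pick the most specific match rather than an exact one.

```python
"""Check that a remote LAN is reached through a VTI (route-based IPsec) interface.

Added example for the forum thread above; not OPNsense/pfSense code.
Feed it the text of `netstat -rn` from the firewall. Interface names and
WAN addresses below are assumed, the tables are constructed.
"""
from __future__ import annotations

import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    gateway: str
    flags: str
    iface: str


def parse_routing_table(text: str) -> List[Route]:
    """Parse FreeBSD `netstat -rn` output into Route entries (IPv4 only).

    Handles both the modern 'Destination Gateway Flags Netif Expire' layout and
    the older one with Refs/Use/Mtu columns: the interface is taken as the last
    non-numeric field so a trailing Expire or Mtu value does not confuse it.
    """
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # header lines such as 'Internet:' or column titles
        if net.version != 4:
            continue
        iface = next((p for p in reversed(parts[3:]) if not p.isdigit()), parts[-1])
        routes.append(Route(net, parts[1], parts[2], iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the same decision the kernel makes for dst."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def vti_check(routes: List[Route], dst: str, vti_gateway: str, vti_iface: str) -> Tuple[str, Optional[Route]]:
    """Classify how dst would be forwarded relative to the expected VTI path.

    OK                 - chosen route points at the VTI peer on the ipsec interface
    DEFAULT_ROUTE_LEAK - only the default route matched: RFC 1918 traffic would
                         leave the WAN unencrypted (the near-side symptom)
    WRONG_PATH         - some other, more specific route wins
    NO_ROUTE           - nothing matched at all
    """
    r = lookup(routes, dst)
    if r is None:
        return "NO_ROUTE", None
    if r.iface == vti_iface and r.gateway == vti_gateway:
        return "OK", r
    if r.prefix.prefixlen == 0:
        return "DEFAULT_ROUTE_LEAK", r
    return "WRONG_PATH", r


# Constructed: Netgate side, mirroring the thread's addresses (WAN 203.0.113.0/24 assumed).
FAR_SIDE = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.1.10.0/24       link#2             U           em1
10.242.10.1        link#6             UH          ipsec2
10.242.10.2        link#6             UHS         lo0
127.0.0.1          link#3             UH          lo0
172.16.0.0/12      10.242.10.1        UGS         ipsec2
203.0.113.0/24     link#1             U           em0
"""

# Constructed: OPNsense side before the fix, no route for 10.1.10.0/24 (WAN 198.51.100.0/24 assumed).
NEAR_SIDE_BROKEN = """\
Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS         vtnet0
10.242.10.1        link#6             UHS         lo0
10.242.10.2        link#6             UH          ipsec1
127.0.0.1          link#3             UH          lo0
172.19.19.0/24     link#2             U           vtnet1
198.51.100.0/24    link#1             U           vtnet0
"""

# Constructed: the same table once the static route to the VTI gateway is installed.
NEAR_SIDE_FIXED = NEAR_SIDE_BROKEN + "10.1.10.0/24       10.242.10.2        UGS         ipsec1\n"


if __name__ == "__main__":
    for name, table, dst, gw, ifn in (
        ("far side  ", FAR_SIDE, "172.19.19.1", "10.242.10.1", "ipsec2"),
        ("near side ", NEAR_SIDE_BROKEN, "10.1.10.1", "10.242.10.2", "ipsec1"),
        ("near fixed", NEAR_SIDE_FIXED, "10.1.10.1", "10.242.10.2", "ipsec1"),
    ):
        verdict, route = vti_check(parse_routing_table(table), dst, gw, ifn)
        print(f"{name}: {dst} -> {verdict} {route}")
```

Run it on the real box with `netstat -rn | python3 vti_check.py`-style plumbing (replace the constructed tables with `sys.stdin.read()`), passing the remote LAN address, the VTI peer address and the ipsec interface name. A DEFAULT_ROUTE_LEAK verdict is exactly what the near-side traceroute in this thread shows: the firewall matched only its default route and handed the private destination to the ISP.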
It is VTI, IKEv2 key exchange.
Local site: OPNsense
LAN - 172.19.19.0/24
Phase 1
Mutual PSK
Local ID: WAN IP Address
Peer ID: WAN IP Address
Encryption: AES 256
Hash: SHA 256
DH: 14
Lifetime: 86400
Phase 2
Mode: VTI
Local Address
10.242.10.1
Remote Address
10.242.10.2
IPSEC Interface assigned and enabled.
Remote subnet 10.1.10.0/24 statically routed to the automatically generated 10.242.10.2 gateway:
10.1.10.0/24 REMOTE_VTI_TUNNEL - 10.242.10.2
Remote site: Netgate
LAN - 10.1.10.0/24
Phase 1
Mutual PSK
Local ID: WAN IP Address
Peer ID: WAN IP Address
Encryption: AES 256
Hash: SHA 256
DH: 14
Lifetime: 86400
Phase 2
Mode: VTI
Local Address
10.242.10.2
Remote Address
10.242.10.1
IPSEC Interface assigned and enabled.
Remote subnet 172.19.19.0/24 statically routed to the automatically generated 10.242.10.1 gateway.
I have Firewall > Rules > IPsec > Any/Any in place on both sides.
I can ping the peer IP from the firewall on both sides, and my IPsec is up.
On the near side, my traceroute gives these results:
C:\Windows\System32>tracert 10.1.10.1
Tracing route to 10.1.10.1 over a maximum of 30 hops
1 3 ms <1 ms <1 ms 172.19.19.1
2 <1 ms <1 ms <1 ms c-xx-xx-xx-xx.unallocated.comcastbusiness.net [xx.xx.xx.xx]
3 * * * Request timed out.
4 xxxxxxxxxxxxx.xxxxxxx.il.chicago.comcast.net [xx.xx.xx.xx] reports: Destination net unreachable.
5 * * * Request timed out.
On the remote side I at least get a timeout, indicating that I'm not pushing RFC 1918 traffic out the WAN interface.
C:\Users\phoenix>tracert 172.19.19.1
Tracing route to 172.19.19.1 over a maximum of 30 hops
1 1 ms 1 ms 1 ms 10.1.10.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * ^C
On my remote firewall (Netgate) I am getting routes populated:
172.16.0.0/12 10.242.10.1 UGS 12 1400 ipsec2
But on my near firewall this is not the case: 10.1.10.0/24 is missing altogether.
After digging around, I discovered that the gateway was set to far, which I don't remember ticking, but unticking this and saving resolved the issue. Once the gateway was present, the route was up and traffic was flowing.
Congratulations! So you've solved the issue by yourself. :-)