OPNsense Forum

English Forums => High availability => Topic started by: adn77 on July 18, 2022, 01:05:05 pm

Title: Problems with traffic selection for return traffic
Post by: adn77 on July 18, 2022, 01:05:05 pm
I have successfully set up a gateway group for two remote VPN gateways.
I am directing traffic to the remote network via an incoming firewall rule on our internal interfaces:

Code:
Allow IPv4 - any protocol - from: anywhere - dst: remote network - gateway: gateway group
I added two incoming rules to the IPSec interface:

Code:
Allow IPv4 - any protocol - from: remote network - dst: anywhere
Allow IPv4 - any protocol - from: IPSec transport network - dst: anywhere

I can ping the remote site fine - the problem is, the remote site can't ping anything in our local network.
On the remote firewall I can ping the gateway interfaces fine.

I performed a packet capture and I see the following:
Code:
enc0 10:28:15.045875 (authentic,confidential): SPI 0xc96d654d: IP 172.16.1.199 > 192.168.20.29: ICMP echo request, id 1, seq 8474, length 40
ix0_vlan20 10:28:15.045901 IP 172.16.1.199 > 192.168.20.29: ICMP echo request, id 1, seq 8474, length 40
ix0_vlan20 10:28:15.046003 IP 192.168.20.29 > 172.16.1.199: ICMP echo reply, id 1, seq 8474, length 40

It looks like the ICMP echo reply is lost on its way back to the gateway group. Is there something I am missing?
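As an added troubleshooting example (not code from the poster or from OPNsense), the script below parses capture lines in the format quoted above and, for every echo request that entered through enc0, reports whether the matching reply was ever seen leaving on enc0 again. The sample capture is constructed: it contains the three lines from the post plus a second, made-up echo pair (seq 8475) whose reply does re-enter the tunnel, so both outcomes are visible. The interface name enc0 and the tcpdump line layout are taken from the post; nothing else is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: the three lines quoted in the post, plus a second
# echo pair (seq 8475, made up for this example) whose reply does go back
# out through enc0, so the checker shows both a stranded and a returned reply.
SAMPLE_CAPTURE = """\
enc0 10:28:15.045875 (authentic,confidential): SPI 0xc96d654d: IP 172.16.1.199 > 192.168.20.29: ICMP echo request, id 1, seq 8474, length 40
ix0_vlan20 10:28:15.045901 IP 172.16.1.199 > 192.168.20.29: ICMP echo request, id 1, seq 8474, length 40
ix0_vlan20 10:28:15.046003 IP 192.168.20.29 > 172.16.1.199: ICMP echo reply, id 1, seq 8474, length 40
enc0 10:28:16.050001 (authentic,confidential): SPI 0xc96d654d: IP 172.16.1.199 > 192.168.20.30: ICMP echo request, id 1, seq 8475, length 40
ix0_vlan20 10:28:16.050020 IP 172.16.1.199 > 192.168.20.30: ICMP echo request, id 1, seq 8475, length 40
ix0_vlan20 10:28:16.050100 IP 192.168.20.30 > 172.16.1.199: ICMP echo reply, id 1, seq 8475, length 40
enc0 10:28:16.050150 (authentic,confidential): SPI 0xc96d654d: IP 192.168.20.30 > 172.16.1.199: ICMP echo reply, id 1, seq 8475, length 40
"""

# One capture line: "<iface> <timestamp> [(authentic,confidential): SPI 0x...: ]IP a > b: ICMP echo request|reply, id N, seq N, length N"
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\(authentic,confidential\): SPI 0x[0-9a-fA-F]+: )?"
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)


def parse_capture(text):
    """Parse ICMP echo lines from an OPNsense packet capture into dicts.

    Lines that are not ICMP echo request/reply (other protocols, SPI headers
    without an inner IP line, etc.) are skipped rather than raising.
    """
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["id"] = int(p["id"])
        p["seq"] = int(p["seq"])
        packets.append(p)
    return packets


def find_stranded_replies(text, tunnel_iface="enc0"):
    """Find echo replies that never went back into the tunnel.

    For every (id, seq) whose request arrived on tunnel_iface, check whether
    the reply was also seen on tunnel_iface. Returns a sorted list of
    (icmp_id, seq, interfaces_where_reply_was_seen) for replies that were
    captured somewhere (e.g. on the LAN VLAN) but never on tunnel_iface,
    which is exactly the symptom the capture in the post shows.
    """
    seen = defaultdict(lambda: {"request": set(), "reply": set()})
    for p in parse_capture(text):
        seen[(p["id"], p["seq"])][p["kind"]].add(p["iface"])

    stranded = []
    for (icmp_id, seq), ifaces in sorted(seen.items()):
        if tunnel_iface not in ifaces["request"]:
            continue  # request did not come through the tunnel; not the case under study
        if ifaces["reply"] and tunnel_iface not in ifaces["reply"]:
            stranded.append((icmp_id, seq, sorted(ifaces["reply"])))
    return stranded


if __name__ == "__main__":
    for icmp_id, seq, ifaces in find_stranded_replies(SAMPLE_CAPTURE):
        print(f"id {icmp_id} seq {seq}: reply seen on {ifaces} but never on enc0")
```

Run against a real capture taken on the IPsec (enc0) and LAN interfaces at the same time, an entry in the output means the host answered and the firewall received the reply on the LAN side, so the loss is on the firewall's own return path toward the tunnel rather than on the remote side or the host; an empty result means the replies are leaving through enc0 and the problem lies elsewhere.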