Monit host check into IPSEC Network

Started by damian6973, September 22, 2019, 11:12:24 PM

Hi,

I have configured 3 IPSEC Site2Site VPNs and want to monitor some machines and equipment at each site.
But when configured with Monit's "host check", I always get an error:

  status                       ICMP failed
  monitoring status            Monitored
  monitoring mode              active
  on reboot                    start
  ping response time           connection failed
  data collected               Sun, 22 Sep 2019 23:06:41

But ping from my network into the tunnels works without any problem, and any endpoint is reachable.

Any idea why it's not working?

best regards

Damian

I haven't used IPSEC on opnsense before, but have on many enterprise devices, so this might not help.

This is normally a routing or subnet issue from the firewall itself, therefore not as you would normally traverse it.  I would suggest you SSH into opnsense and press 8 for shell.  I'd check if you can ping the host on the opposite side of the tunnel and take a look at the routing tables (netstat -rn).

Hi FlangeMonkey,

Curious: the gateways for the tunnels are on PPOE0, so the ping tries to go through my outside IP. I normally use Cisco and Defendo's in business, and there it is completely different.

regards

Damian


Quote from: FlangeMonkey on September 23, 2019, 01:47:55 AM
I haven't used IPSEC on opnsense before, but have on many enterprise devices, so this might not help.

This is normally a routing or subnet issue from the firewall itself, therefore not as you would normally traverse it.  I would suggest you SSH into opnsense and press 8 for shell.  I'd check if you can ping the host on the opposite side of the tunnel and take a look at the routing tables (netstat -rn).

The local ping is done from the WAN interface, so it doesn't match the SA.
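
The selector mismatch described in the last reply, as an added example that is not part of the original thread: a policy-based tunnel only carries packets whose source and destination both fall inside one phase 2 entry's subnets. All addresses, subnets and tunnel names below are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """One policy-based phase 2 entry: local subnet <-> remote subnet."""
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        # Both ends must be inside the negotiated traffic selectors.
        return (ipaddress.ip_address(src) in self.local
                and ipaddress.ip_address(dst) in self.remote)


# Constructed sample values (not taken from the thread).
WAN_IP = "203.0.113.10"   # firewall's outside address (e.g. on the PPPoE link)
LAN_IP = "192.168.1.1"    # firewall's LAN address
SELECTORS = [
    Selector("site-a", ipaddress.ip_network("192.168.1.0/24"),
             ipaddress.ip_network("10.10.0.0/24")),
    Selector("site-b", ipaddress.ip_network("192.168.1.0/24"),
             ipaddress.ip_network("10.20.0.0/24")),
]


def tunnel_for(src: str, dst: str, selectors=SELECTORS):
    """Return the tunnel whose selectors cover src -> dst, or None if the
    packet matches no SA and would follow the normal routing table."""
    for sel in selectors:
        if sel.matches(src, dst):
            return sel.name
    return None


if __name__ == "__main__":
    target = "10.10.0.5"  # constructed host behind the remote gateway
    cases = {
        "firewall, sourced from WAN address": WAN_IP,
        "firewall, sourced from LAN address": LAN_IP,
        "LAN client": "192.168.1.50",
    }
    for label, src in cases.items():
        hit = tunnel_for(src, target)
        print(f"{label:36} {src:15} -> {target}: "
              f"{hit or 'no SA match, sent via default route'}")
```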