Testing IPsec Connectivity

The easiest test for an IPsec tunnel is a ping from one client station behind the firewall to another on the opposite side. If that works, the tunnel is up and working properly.

As mentioned in Accessing Firewall Services over IPsec, traffic initiated from pfSense® software will not normally traverse a tunnel without extra routing. That said, there is a quick way to test the connection from the firewall itself by manually specifying a source address when issuing a ping.

There are two methods for performing this test: the GUI, and the shell.

Specifying a Ping Source in the GUI

In the GUI, a ping may be sent with a specific source as follows:

  • Navigate to Diagnostics > Ping

  • Fill in the settings as follows:

    Host

    Enter an IP address which is on the remote router within the remote subnet listed for the tunnel phase 2 (e.g. 10.5.0.1)

    IP Protocol

    The address family of the host being used (e.g. IPv4 for 10.5.0.1)

    Source Address

    Select an interface or IP address on the local firewall which is inside the local Phase 2 network (e.g. Select LAN for the LAN IP address)

    Maximum number of pings

    Set an appropriate value which will be high enough to be meaningful yet low enough that it doesn’t take too long to run. The default value of 3 is ideal.

  • Click Ping

If the tunnel is working properly ping replies will be received by the firewall from the LAN address at Site B. If replies are not received, move on to the Troubleshooting IPsec VPNs section.

Note

Typically the first ping or two may be lost during tunnel negotiation, so the best practice is to use at least 3.

If the first attempt did not produce any results, try again. If it still fails, try once more with a slightly higher Maximum number of pings value.

Specifying a Ping Source in the Shell

Using the shell on the console or via ssh, the ping command can be run manually and a source address may be specified with the -S parameter. Packets generated by ping will not attempt to traverse the tunnel without using -S or a static route.

The syntax for a proper test is:

#  ping -S <Local LAN IP Address> <Remote LAN IP Address>

Where the Local LAN IP Address is an IP address on an internal interface within the local subnet definition for the tunnel, and the Remote LAN IP Address is an IP address on the remote router within the remote subnet listed for the tunnel.

In most cases this is the LAN IP address of the respective firewalls. For example, if the LAN IP address at site A is 10.3.0.1 and the LAN IP address at site B is 10.5.0.1, then the following command would send a test ping from site A to site B:

#  ping -S 10.3.0.1 10.5.0.1

If the tunnel is working properly, ping replies will be received by the firewall from the LAN address at Site B. If replies are not received, move on to the Troubleshooting IPsec VPNs section.
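The shell test above can be wrapped so that the result is judged automatically rather than read by eye. The following is an added example written for this page, not a script shipped with pfSense: it builds the documented `ping -S <local> <remote>` command (adding `-c` for the count, which BSD ping supports), parses the summary line that BSD ping prints, and treats any reply as success because, as noted above, the first ping or two are commonly lost while the tunnel negotiates. The function names, the 10.3.0.1/10.5.0.1 addresses from the text, and the sample ping output are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the pfSense documentation): automate the
# "ping -S <Local LAN IP> <Remote LAN IP>" IPsec tunnel test.

# Build the command line the docs describe. BSD ping on pfSense takes
# -S <source address> and -c <count>; the count defaults to 3, matching
# the GUI default "Maximum number of pings".
build_ipsec_ping_cmd() {
    # $1 = local LAN IP inside the local Phase 2 network
    # $2 = remote LAN IP inside the remote Phase 2 network
    # $3 = number of pings (optional, default 3)
    printf 'ping -S %s -c %s %s\n' "$1" "${3:-3}" "$2"
}

# Read ping output on stdin and print the number of replies received.
# Handles the BSD summary ("3 packets transmitted, 2 packets received, ...")
# and the Linux form ("3 packets transmitted, 2 received, ...").
count_replies() {
    awk '/packets transmitted/ {
        for (i = 1; i <= NF; i++)
            if ($i == "received,") {
                if ($(i-1) == "packets") print $(i-2); else print $(i-1)
            }
    }'
}

# Judge the test from ping output on stdin. Any reply means the tunnel
# passed traffic (early losses during negotiation are expected); zero
# replies means move on to the Troubleshooting IPsec VPNs section.
judge_ipsec_test() {
    replies=$(count_replies)
    if [ "${replies:-0}" -gt 0 ]; then
        echo "tunnel up: $replies of the pings were answered"
        return 0
    fi
    echo "no replies received: see Troubleshooting IPsec VPNs"
    return 1
}

# Run the real test on the firewall (needs root and an established tunnel):
#   run_ipsec_ping_test 10.3.0.1 10.5.0.1 5
run_ipsec_ping_test() {
    ping -S "$1" -c "${3:-3}" "$2" 2>&1 | judge_ipsec_test
}

# Constructed sample of BSD ping output for offline checking: the first
# probe is lost to tunnel negotiation, the next two are answered.
SAMPLE_PING_OUTPUT='PING 10.5.0.1 (10.5.0.1) from 10.3.0.1: 56 data bytes
64 bytes from 10.5.0.1: icmp_seq=1 ttl=64 time=12.3 ms
64 bytes from 10.5.0.1: icmp_seq=2 ttl=64 time=11.9 ms

--- 10.5.0.1 ping statistics ---
3 packets transmitted, 2 packets received, 33.3% packet loss
round-trip min/avg/max/stddev = 11.900/12.100/12.300/0.200 ms'

# Constructed sample for a tunnel that is not passing traffic at all.
SAMPLE_PING_FAILURE='PING 10.5.0.1 (10.5.0.1) from 10.3.0.1: 56 data bytes

--- 10.5.0.1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss'
```

Because success is judged on "at least one reply" rather than "zero loss", a run that loses only its first probe is reported as up, which is the interpretation the note above recommends; a 100% loss result is the cue to start troubleshooting.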