Testing IPsec Connectivity
The easiest test for an IPsec tunnel is a ping from one client station behind the firewall to another on the opposite side. If that works, the tunnel is up and working properly.
As mentioned in Accessing Firewall Services over IPsec, traffic initiated from pfSense® software will not normally traverse a tunnel without extra routing. That said, there is a quick way to test the connection from the firewall itself by manually specifying a source address when issuing a ping.
There are two methods for performing this test: the GUI, and the shell.
Specifying a Ping Source in the GUI
In the GUI, a ping may be sent with a specific source as follows:
Navigate to Diagnostics > Ping
Fill in the settings as follows:
- Host: Enter an IP address on the remote router which is within the remote subnet listed for the tunnel Phase 2 (e.g. 10.5.0.1)
- IP Protocol: The address family of the host being used (e.g. IPv4 for 10.5.0.1)
- Source Address: Select an interface or IP address on the local firewall which is inside the local Phase 2 network (e.g. select LAN for the LAN IP address)
- Maximum number of pings: Set a value which is high enough to be meaningful yet low enough that the test does not take too long to run. The default value of 3 is ideal.
Click Ping
If the tunnel is working properly ping replies will be received by the firewall from the LAN address at Site B. If replies are not received, move on to the Troubleshooting IPsec VPNs section.
Note
Typically the first ping or two may be lost during tunnel negotiation, so the best practice is to use at least 3.
If the first attempt did not produce any results, try again. If it still fails, try once more with a slightly higher Maximum number of pings value.
Specifying a Ping Source in the Shell
Using the shell on the console or via ssh, the ping command can be run manually and a source address may be specified with the -S parameter. Packets generated by ping will not attempt to traverse the tunnel without using -S or a static route.
The syntax for a proper test is:
# ping -S <Local LAN IP Address> <Remote LAN IP Address>
Where the Local LAN IP Address is an IP address on an internal interface within the local subnet definition for the tunnel, and the Remote LAN IP Address is an IP address on the remote router within the remote subnet listed for the tunnel.
In most cases this is the LAN IP address of the respective firewalls. For example, if the LAN IP address at site A is 10.3.0.1 and the LAN IP address at site B is 10.5.0.1, then the following command would send a test ping from site A to site B:
# ping -S 10.3.0.1 10.5.0.1
If the tunnel is working properly, ping replies will be received by the firewall from the LAN address at Site B. If replies are not received, move on to the Troubleshooting IPsec VPNs section.
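The following script wraps the shell test above so it can be repeated from the firewall console or a cron job. It is an added example, not part of the pfSense documentation or the pfSense software: the function names (ping_replies, classify_ping_output, ipsec_ping_cmd, ipsec_ping_test) are assumed, and the ping output it parses is constructed. It builds the same FreeBSD ping -S command the page describes, counts replies from the ping summary line, treats a summary that never appears (for example a "No route to host" error) as zero replies, and retries with a higher count because the first packet or two is commonly lost while the tunnel negotiates. Note that -S selects the source address only in FreeBSD ping, as on pfSense; on Linux iputils the equivalent flag is -I, so the command builder is not portable as written.

```shell
#!/bin/sh
# Added example for testing an IPsec tunnel from the pfSense shell.
# Not pfSense project code; function names are assumed for illustration.

# Read ping output on stdin and print the number of replies received.
# The BSD summary line looks like:
#   3 packets transmitted, 1 packets received, 66.7% packet loss
# (the optional "packets" before "received" also covers iputils output).
# If no summary line is present (ping errored out), print 0.
ping_replies() {
    n=$(sed -n 's/^[0-9][0-9]* packets transmitted, \([0-9][0-9]*\)\( packets\)* received.*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Read ping output on stdin and print "up" if any reply came back,
# otherwise "down". One reply is enough: the tunnel is carrying traffic.
classify_ping_output() {
    replies=$(ping_replies)
    if [ "$replies" -gt 0 ]; then
        echo up
    else
        echo down
    fi
}

# Build the FreeBSD ping command used on pfSense.
# $1 = local Phase 2 address (source), $2 = remote Phase 2 address, $3 = count
ipsec_ping_cmd() {
    printf 'ping -c %s -S %s %s\n' "$3" "$1" "$2"
}

# Run the test for real. Tries 3 pings first (the GUI default); if nothing
# comes back, tries again with 6, since negotiation can consume the first
# packets. Returns 0 when the tunnel answers, 1 when it does not.
ipsec_ping_test() {
    src=$1
    dst=$2
    for count in 3 6; do
        replies=$(ping -c "$count" -S "$src" "$dst" 2>&1 | ping_replies)
        if [ "$replies" -gt 0 ]; then
            echo "tunnel up: $replies/$count replies from $dst (source $src)"
            return 0
        fi
        echo "no replies with $count pings from $src to $dst, retrying" >&2
    done
    echo "tunnel down: no replies from $dst (source $src)" >&2
    return 1
}

# Usage on the site A firewall from the page's example (not run here):
# ipsec_ping_test 10.3.0.1 10.5.0.1
```

Because the source address is checked against the tunnel's local Phase 2 network by the firewall, a wrong value for the first argument produces the same "down" result as a broken tunnel; confirm the address is inside the local Phase 2 definition before concluding the tunnel itself has failed.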