The easiest test for an IPsec tunnel is a ping from one client station behind the firewall to another on the opposite side. If that works, the tunnel is up and working properly.
As mentioned in Accessing Firewall Services over IPsec, traffic initiated from pfSense® software will not normally traverse a tunnel without extra routing. That said, there is a quick way to test the connection from the firewall itself by manually specifying a source address when issuing a ping.
There are two methods for performing this test: the GUI, and the shell.
Specifying a Ping Source in the GUI
In the GUI, a ping may be sent with a specific source as follows:
Navigate to Diagnostics > Ping
Fill in the settings as follows:
- Host: Enter an IP address which is on the remote router within the remote subnet listed for the tunnel phase 2 (e.g. 10.5.0.1)
- IP Protocol: The address family of the host being used (e.g. IPv4 for 10.5.0.1)
- Source Address: Select an interface or IP address on the local firewall which is inside the local Phase 2 network (e.g. select LAN for the LAN IP address)
- Maximum number of pings: Set an appropriate value which will be high enough to be meaningful yet low enough that it doesn't take too long to run. The default value of 3 is ideal.
Click Ping
If the tunnel is working properly, ping replies will be received by the firewall from the LAN address at Site B. If replies are not received, move on to the Troubleshooting IPsec VPNs section.
Note
Typically the first ping or two may be lost during tunnel negotiation, so the best practice is to use at least 3.
If the first attempt did not produce any results, try again. If it still fails, try once more with a slightly higher Maximum number of pings value.
Specifying a Ping Source in the Shell
Using the shell on the console or via ssh, the ping command can be run manually and a source address may be specified with the -S parameter. Packets generated by ping will not attempt to traverse the tunnel without using -S or a static route.
The syntax for a proper test is:
# ping -S <Local LAN IP Address> <Remote LAN IP Address>
Where the Local LAN IP Address is an IP address on an internal interface within the local subnet definition for the tunnel, and the Remote LAN IP Address is an IP address on the remote router within the remote subnet listed for the tunnel.
In most cases this is the LAN IP address of the respective firewalls. For example, if the LAN IP address at site A is 10.3.0.1 and the LAN IP address at site B is 10.5.0.1, then the following command would send a test ping from site A to site B:
# ping -S 10.3.0.1 10.5.0.1
If the tunnel is working properly, ping replies will be received by the firewall from the LAN address at Site B. If replies are not received, move on to the Troubleshooting IPsec VPNs section.
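The shell test above, wrapped in a small POSIX sh script so the result is decided by the number of replies rather than by eye. This is an added example, not part of the pfSense documentation; it assumes the FreeBSD ping syntax used on pfSense (-S for the source address, -c for the count) and the constructed sample output in the comments.

```shell
#!/bin/sh
# Added example, not from the pfSense docs: drive "ping -S" through the
# IPsec tunnel and judge the result by reply count, tolerating the first
# packets lost during tunnel negotiation.

# Extract the reply count from ping's summary line. Matches the FreeBSD form
# "3 packets transmitted, 1 packets received, 66.7% packet loss" (and the
# Linux "2 received" form). Prints nothing if no summary line is present.
ping_replies_received() {
    printf '%s\n' "$1" \
        | sed -n 's/.*transmitted, \([0-9][0-9]*\) .*received.*/\1/p' \
        | head -n 1
}

# Build the exact command the page describes: -S pins the source address to
# the local phase 2 network so the packet matches the tunnel policy instead
# of leaving via the WAN. Arguments: local LAN IP, remote LAN IP, count.
ipsec_ping_cmd() {
    printf 'ping -S %s -c %s %s' "$1" "$3" "$2"
}

# Run the test. Pass (return 0) if at least one reply arrives, since the first
# ping or two may be lost while the tunnel negotiates. On zero replies retry
# once with a higher count, as the page advises. Returns 1 if both fail.
ipsec_tunnel_test() {
    src="$1"; dst="$2"; count="${3:-3}"
    for n in "$count" $((count + 3)); do
        out=$(ping -S "$src" -c "$n" "$dst" 2>&1)
        got=$(ping_replies_received "$out")
        if [ "${got:-0}" -gt 0 ]; then
            echo "tunnel up: $got of $n replies from $dst (source $src)"
            return 0
        fi
        echo "no replies from $dst with $n pings, retrying"
    done
    echo "tunnel test failed: no replies from $dst; see Troubleshooting IPsec VPNs"
    return 1
}

# Usage on the site A firewall, with the page's example addresses:
# ipsec_tunnel_test 10.3.0.1 10.5.0.1 3
```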
As an expert in networking and security, I've had extensive hands-on experience with IPsec tunnels and firewall configurations. My expertise extends to practical troubleshooting methods and in-depth knowledge of the concepts involved in setting up and testing IPsec connections.
The article you provided discusses the testing of an IPsec tunnel, specifically using ping tests from one client station behind a firewall to another on the opposite side. Let's break down the key concepts used in the article:
- IPsec Tunnel Testing Overview:
  - The primary test for an IPsec tunnel's functionality is a ping from one client station to another across the tunnel.
  - Successful pings indicate that the tunnel is up and working correctly.
- Routing Considerations:
  - IPsec traffic initiated from pfSense software may not automatically traverse a tunnel without additional routing.
- Testing from Firewall Itself:
  - There's a quick way to test the connection from the firewall by manually specifying a source address when issuing a ping.
- Two Testing Methods:
  - The article outlines two methods for performing the test: using the GUI (Graphical User Interface) and the shell.
- GUI Method for Specifying Ping Source:
  - Navigating to Diagnostics > Ping in the GUI.
  - Filling in settings, including the host's IP address on the remote router, IP protocol (e.g., IPv4), and selecting a source address on the local firewall.
- Shell Method for Specifying Ping Source:
  - Using the shell on the console or via SSH to run the ping command manually.
  - Specifying a source address with the -S parameter.
  - Packets generated by ping won't attempt to traverse the tunnel without using -S or a static route.
- Proper Syntax for Shell Test:
  - Using the ping -S <Local LAN IP Address> <Remote LAN IP Address> syntax.
  - Example: ping -S 10.3.0.1 10.5.0.1 for testing from site A to site B.
- Interpretation of Results:
  - If the tunnel is working correctly, ping replies will be received by the firewall from the LAN address at the destination site.
  - If replies are not received, the article suggests moving on to the "Troubleshooting IPsec VPNs" section.
- Note on Initial Ping Attempts:
  - The article advises that the first ping or two may be lost during tunnel negotiation, recommending the use of at least three pings.
- Additional Troubleshooting Steps:
  - If the initial attempts fail, the article recommends trying again, possibly with a higher maximum number of pings.
This breakdown covers the essential concepts and procedures outlined in the article for testing IPsec tunnels using ping, both through the GUI and the shell.