Testing IPsec Connectivity

The easiest test for an IPsec tunnel is a ping from one client station behind the firewall to another on the opposite side. If that works, the tunnel is up and working properly.

As mentioned in pfSense-initiated Traffic and IPsec, traffic initiated from the pfSense firewall will not normally traverse the tunnel without extra routing, but there is a quick way to test the connection from the firewall itself by specifying a source when issuing a ping.

There are two methods for performing this test: the GUI, and the shell.

Specifying a Ping Source in the GUI

In the GUI, a ping may be sent with a specific source as follows:

  • Navigate to Diagnostics > Ping
  • Enter an IP address on the remote router within the remote subnet listed for the tunnel in the Host field (e.g. 10.5.0.1)
  • Select the appropriate IP Protocol, likely IPv4
  • Select a Source Address which is an interface or IP address on the local firewall which is inside the local Phase 2 network (e.g. Select LAN for the LAN IP address)
  • Set an appropriate Count, such as the default 3
  • Click Ping

If the tunnel is working properly, ping replies will be received by the firewall from the LAN address at Site B. If replies are not received, move on to the IPsec Troubleshooting section.

If the tunnel was not established initially, it is common for a few pings to be lost during tunnel negotiation, so choosing a higher count or re-running the test is a good practice if the first attempt fails.

Specifying a Ping Source in the Shell

Using the shell on the console or via SSH, the ping command can be run manually and a source address may be specified with the -S parameter. Without using -S or a static route, the packets generated by ping will not attempt to traverse the tunnel. This is the syntax for a proper test:

#  ping -S <Local LAN IP> <Remote LAN IP>

Where the Local LAN IP is an IP address on an internal interface within the local subnet definition for the tunnel, and the Remote LAN IP is an IP address on the remote router within the remote subnet listed for the tunnel. In most cases this is simply the LAN IP address of the respective pfSense firewalls. Given the site-to-site example above, this is what would be typed to test from the console of the Site A firewall:

#  ping -S 10.3.0.1 10.5.0.1

If the tunnel is working properly, ping replies will be received by the firewall from the LAN address at Site B. If replies are not received, move on to the IPsec Troubleshooting section.
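The shell test above, wrapped in a small POSIX sh script as an added example (this is not code from the pfSense documentation or project): it runs ping -S with the given source, retries once so replies lost during tunnel negotiation do not produce a false failure, and parses the FreeBSD ping summary line to report how many replies came back. The addresses in the usage comment are the 10.3.0.1 / 10.5.0.1 pair from the site-to-site example; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: drive "ping -S" from the firewall shell and report the result.
# Assumes FreeBSD ping (pfSense), which accepts -S <source> and -c <count>.

# Extract the number of received packets from the ping summary line, e.g.
# "3 packets transmitted, 3 packets received, 0.0% packet loss".
# Prints nothing if no summary line is present (ping was killed, bad host, etc.).
received_count() {
    printf '%s\n' "$1" | sed -n \
        's/^\([0-9][0-9]*\) packets transmitted, \([0-9][0-9]*\) packets received.*/\2/p'
}

# Run ping with an explicit source so the packets select the IPsec policy.
# ping exits non-zero when nothing answers; keep the output either way.
run_ping() {
    ping -S "$1" -c "$3" "$2" 2>&1 || true
}

# ipsec_ping_test <local LAN IP> <remote LAN IP> [count] [attempts]
# Returns 0 as soon as any attempt receives at least one reply, 1 otherwise.
ipsec_ping_test() {
    src=$1; dst=$2; count=${3:-3}; attempts=${4:-2}
    i=1
    while [ "$i" -le "$attempts" ]; do
        out=$(run_ping "$src" "$dst" "$count")
        got=$(received_count "$out")
        echo "attempt $i: ${got:-0}/$count replies from $dst (source $src)"
        if [ "${got:-0}" -gt 0 ]; then
            return 0
        fi
        i=$((i + 1))
    done
    echo "no replies: tunnel is down or traffic is not matching the Phase 2;"
    echo "see the IPsec Troubleshooting section"
    return 1
}

# Usage from the Site A console (addresses from the site-to-site example):
# ipsec_ping_test 10.3.0.1 10.5.0.1 3 2
```

The second attempt covers the case in the text where the first pings are lost while the tunnel is still negotiating; a clean 0/N on both attempts is the signal to move to troubleshooting.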