<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: IPSec Site-to-Site between PA-200 and PFSense one direction route only in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/136384#M47630</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Looks like palo works fine. Did you check pfsense logs, security policy and NAT rules (if any)?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thx,&lt;/P&gt;&lt;P&gt;Myky&lt;/P&gt;</description>
    <pubDate>Sun, 08 Jan 2017 10:10:02 GMT</pubDate>
    <dc:creator>TranceforLife</dc:creator>
    <dc:date>2017-01-08T10:10:02Z</dc:date>
    <item>
      <title>IPSec Site-to-Site between PA-200 and PFSense one direction route only</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/136365#M47628</link>
      <description>&lt;P&gt;Hi All!!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I set up an IPSec site-to-site VPN between PA-200 and PfSense using this how-to: &lt;A href="https://blog.kingj.net/2014/08/24/how-to/setting-up-a-policy-based-ipsec-vpn-between-a-palo-alto-pa-200-and-pfsense/" target="_blank"&gt;https://blog.kingj.net/2014/08/24/how-to/setting-up-a-policy-based-ipsec-vpn-between-a-palo-alto-pa-200-and-pfsense/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;P1 and P2 are OK and I can access the network from PA-200 to PfSense, but from the network on the PfSense side to the network on the PAN side I can’t access.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Anyone have any idea?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks a lot!!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Rodrigo&lt;/P&gt;</description>
      <pubDate>Sat, 07 Jan 2017 22:30:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/136365#M47628</guid>
      <dc:creator>rodrigo.pires</dc:creator>
      <dc:date>2017-01-07T22:30:55Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec Site-to-Site between PA-200 and PFSense one direction route only</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/136384#M47630</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Looks like palo works fine. Did you check pfsense logs, security policy and NAT rules (if any)?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thx,&lt;/P&gt;&lt;P&gt;Myky&lt;/P&gt;</description>
      <pubDate>Sun, 08 Jan 2017 10:10:02 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/136384#M47630</guid>
      <dc:creator>TranceforLife</dc:creator>
      <dc:date>2017-01-08T10:10:02Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec Site-to-Site between PA-200 and PFSense one direction route only</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/138835#M48036</link>
      <description>&lt;P&gt;Thank you for your quick response.&lt;BR /&gt;&lt;BR /&gt;Sorry for the delay, but I was sick in the last weeks.&lt;BR /&gt;&lt;BR /&gt;Yes, I checked and I can't see any error.&lt;BR /&gt;&lt;BR /&gt;Before we put in the Palo Alto, we had 2 PfSense working very well; after we replaced 1 PfSense with the Palo Alto, the IPsec doesn't work anymore.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best regards&lt;/P&gt;</description>
      <pubDate>Mon, 23 Jan 2017 12:47:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/138835#M48036</guid>
      <dc:creator>rodrigo.pires</dc:creator>
      <dc:date>2017-01-23T12:47:37Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec Site-to-Site between PA-200 and PFSense one direction route only</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/138836#M48037</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;How do you have your security policy set up?&lt;/P&gt;</description>
      <pubDate>Mon, 23 Jan 2017 12:53:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/138836#M48037</guid>
      <dc:creator>TranceforLife</dc:creator>
      <dc:date>2017-01-23T12:53:48Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec Site-to-Site between PA-200 and PFSense one direction route only</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/138878#M48042</link>
      <description>&lt;P&gt;To add to this, without displaying any logs or security policies beforehand nobody is going to be able to point you in the right direction. It sounds like the Palo Alto is likely set up perfectly fine but you could be missing a rule on the PA-200 to allow PFSense back into the PA-200 network, or the PFSense could be stopping the traffic before it ever gets to the PA-200.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Check over the security policies, double check your route entries on both sides and possibly post screenshots for both. If the tunnel is up perfectly fine then it really sounds like a routing or security rulebase issue.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 23 Jan 2017 15:49:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/138878#M48042</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2017-01-23T15:49:30Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec Site-to-Site between PA-200 and PFSense one direction route only</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/138897#M48044</link>
      <description>&lt;P&gt;I just did it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SecPol.PNG" style="width: 800px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/7325i956CC3EB68BA23CD/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="SecPol.PNG" alt="SecPol.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 23 Jan 2017 16:57:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/138897#M48044</guid>
      <dc:creator>rodrigo.pires</dc:creator>
      <dc:date>2017-01-23T16:57:13Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec Site-to-Site between PA-200 and PFSense one direction route only</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/138902#M48045</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Where is your external VPN IP address assigned? Into which zone? How is the traffic flowing from PFSense &amp;gt; Palo?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thx,&lt;/P&gt;&lt;P&gt;Myky&lt;/P&gt;</description>
      <pubDate>Mon, 23 Jan 2017 17:17:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/138902#M48045</guid>
      <dc:creator>TranceforLife</dc:creator>
      <dc:date>2017-01-23T17:17:37Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec Site-to-Site between PA-200 and PFSense one direction route only</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/138919#M48046</link>
      <description>&lt;P&gt;One thing I would highly recommend is the following.&lt;/P&gt;&lt;P&gt;1) Temporarily override the interzone-default policy and enable log at session start and log at session end. Verify in the logs that you even have a rule allowing the traffic to come back.&lt;/P&gt;&lt;P&gt;2) Once you have the tunnel up what IP address are you assigning these users; they will need a rule to allow them to the specified zones that they need access to.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Once you have enabled the additional logging you should be able to tell if the traffic is at least being forwarded from your PFSense correctly and if it's actually hitting the PA-200. If you aren't seeing the traffic then you need to look at the routing on the PFSense and make sure it's correct, along with any security policy that needs to be in place to allow the traffic. If it's hitting the PA-200 but it's being denied then you need to create a rule to actually allow the traffic to come back in.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The information that you are feeding kinda needs to be more detailed. Currently with the screenshot that you provided I'm unsure which rule(s) you believe are associated with your tunnel. Generally you would segregate your IPSec tunnels into a different security zone besides 'untrust' or 'trust' and we could at least identify them like that; since you are not doing that we can't tell what zone the IPSec traffic should really be identified under. &amp;nbsp;I'm also completely unaware of how your route table looks, what the config on the other end looks like, or anything of the like. I'm not trying to put you off or come off like an ass, but you need to provide a little bit more information if you want help. Enabling the additional logging will give you a fair hint on where the issue actually is and we can go from there.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 23 Jan 2017 18:12:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/138919#M48046</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2017-01-23T18:12:20Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec Site-to-Site between PA-200 and PFSense one direction route only</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/138968#M48047</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;&amp;nbsp;nice long email. Anyway, the more info we get, the easier and quicker we can help/advise. Same info needed on what you have already done.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 23 Jan 2017 20:33:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ipsec-site-to-site-between-pa-200-and-pfsense-one-direction/m-p/138968#M48047</guid>
      <dc:creator>TranceforLife</dc:creator>
      <dc:date>2017-01-23T20:33:58Z</dc:date>
    </item>
  </channel>
</rss>

