Home/Insights/Networking

Troubleshooting IPsec Connectivity Issues on pfSense with DrayTek

A pfSense-to-DrayTek IPsec triage guide for one-host reachability failures, focused on tunnel state, phase selectors, firewall rules, routing, NAT overlap, and packet-path evidence.

Primary domainNetwork Edge & AccessRelated domainsAD & Windows Protocols, Cloud

Quick Read

  • Symptom: A pfSense-to-DrayTek IPsec triage guide for one-host reachability failures, focused on tunnel state, phase selectors, firewall rules, routing, NAT overlap, and packet-path evidence.
  • Check first: Verify IPsec status on both pfSense and DrayTek.
  • Risk: Review before running

Symptoms

Unable to reach a specific host over an IPsec LAN-to-LAN VPN between pfSense and DrayTek.

Environment

pfSense router configured as an IPsec VPN endpoint and DrayTek router configured as the opposite endpoint.

Most Likely Causes

Potential misconfiguration in IPsec policies, firewall rules, or routing settings.

What to Check First

  1. Verify IPsec status on both pfSense and DrayTek.
  2. Check firewall rules on pfSense and DrayTek for allowed traffic.
  3. Confirm routing settings on both devices.

Insight Cluster

Parent question: How do we isolate edge and secure-access incidents by separating provider handoff, switching, VPN/auth, and policy enforcement before broad network changes?

  • This parent cluster is meant to stop network edge and secure-access pages from being treated as disconnected firewall, VPN, and switching incidents.
  • The supporting pages frame branch selection and good-vs-broken comparison before the reader drops into exact WAN, stack, VPN, or policy failures.

Fix Steps

  1. Check IPsec status on pfSense.

    Access the pfSense web interface and navigate to Status > IPsec.

  2. Check IPsec status on DrayTek.

    Log into the DrayTek interface and navigate to VPN and Remote Access > LAN to LAN.

  3. Review firewall rules on pfSense.

    Navigate to Firewall > Rules and check the rules for the IPsec interface.

  4. Review firewall rules on DrayTek.

    Check the firewall settings under Security > Firewall on the DrayTek device.

  5. Check routing settings on pfSense.

    Go to System > Routing and verify the routes for the VPN subnet.

  6. Check routing settings on DrayTek.

    Access the Routing settings under Advanced > Routing.

  7. Perform a ping test from pfSense to the specific host.

    Use Diagnostics > Ping in pfSense to ping the specific host.

    Example pattern only. Adjust for your environment before running.

    ping <specific_host_ip>
  8. Check system logs on pfSense.

    Navigate to Status > System Logs > IPsec to review logs for errors.

  9. Check system logs on DrayTek.

    Access the logs under System Maintenance > Log.

Validation

  • Confirm that the specific host is reachable via ping after adjustments.
  • Verify that traffic flows correctly through the IPsec tunnel.

Logs to Check

  • pfSense IPsec logs for connection attempts and errors.
  • DrayTek logs for IPsec negotiation and traffic logs.

Rollback and Escalation

  • Revert any firewall rule changes if connectivity is not restored.
  • Restore previous routing settings if new routes do not resolve the issue.

Escalate When

  • If the issue persists after checking all configurations and logs.
  • If there are persistent errors in the IPsec logs indicating a deeper issue.

Edge Cases

  • Check for overlapping subnets between the two sites.
  • Ensure that NAT settings are not interfering with IPsec traffic.

Notes from the Field

  • Always document changes made during troubleshooting for future reference.
  • Consider the possibility of intermittent connectivity issues that may require monitoring.