@kejianshi: Try using a full mesh VPN like TINC at all 3 points and then everything with happily talk to everything else. IPSec also works. In small networks it isn't complicated to setup. With 3 sites, 3 tunnels give full mesh connectivity and no routing issues.

I think this is the setting you're looking for: Navigate to "System: Advanced: Miscellaneous" Then go to "Gateway Monitoring" and check "Skip rules when gateway is down"

So I think this is related to the ASA I'm using. I'm connected at another location and I'm not experiencing any packet loss.

I have the same issue. Sanjay in your exampe, which VPN Address pool you added in the Phase 2 entry? Thanks

Ok i got it. I had to delete all rules and NAT translation related to wan address and 443. Than i reconfigured OpenVPN Server and now everything is fine.  ;)

I think the group member attribute is what is causing most peoples issues with ad/ldap. Glad you got it working. :)

We had exactly the same situation. With an tun OpenVPN network I have not been able to get it working either. So I created another OpenVPN connection, this time based on a tap-device (see other posts for that). After pushing a route for the client-network in the OpenVPN default setting I now can access files through home–>OpenVPN-->Office-->IPSec-->Customer site.

In this case you can check your firewall logs to see if there is traffic blocked.If it is, just simply create a new rule. System logs can be very helpful.

@costasppc: Hello, Based on this thread: https://forum.pfsense.org/index.php?topic=60201.msg323949#msg323949 in the 2.1.5 in the OpenVPN there is the ability to have gateway groups in the OpenVPN server. Can this be used for having Site to Site WAN failover? Solutions were given at this thread, but is there something new with the latest edition? Best regards Kostas should be mostly the same. 2.1 –> 2.1.5 are mostly bug/security fixes, with little major change to how to use it

It sounds like traffic is getting blocked by the default deny rule which means it is not matching any of your pass rules. Without more detail it's tough to say exactly what rules to add, but try making sure your OpenVPN tab rule is passing traffic in for any protocol and with a destination of 'any'. If that doesn't help, you'll have to post screenshots of the firewall log entries and your firewall rules.

You'd burn more CPU, be forced to deal with a much lower MTU, and genereally have more overhead, but there isn't any technical reason why that wouldn't work if the traffic is allowed across the 'outer' tunnel. Definitely need to use UDP tunnels, I can't imagine the nightmare you'd have from TCP retransmissions and compounded loss using nested TCP VPN tunnels… shudder

In that case you need to set up the adapter to bridge (TAP) instead of route (TUN). Hint: it starts by changing "Device Mode" under your OpenVPN server settings. https://community.openvpn.net/openvpn/wiki/BridgingAndRouting http://en.wikipedia.org/wiki/TUN/TAP happy reading  ;)

I'm not exactly an expert on this but when should't you use NAT: Outbound instead of NAT: 1:1

Have going through the VPN the default and make specific firewall rules that route your traffic elsewhere before the rule that gives you internet.  The computers you want to bypass the VPN should be on static DHCP leases so you can specifiy them in the rule.  Tell me if this response is not detailed enough.

Thanks anyway!