IPSEC VTI + DNS Resolver Domain Override to a DNS Server inside remote server
-
Hi guys,
I'm working on setting up an IPSEC VTI Site-to-Site (local Dual WAN) tunnel to Oracle OCI (Remote Dual Tunnel per CPE).
Almost everything works fine from hosts (local) to hosts (remote) BUT there's no connectivity from the firewall itself to any remote host. This way I can't make the DNS Override work, as pfSense's DNS Server can't connect to the DNS Server inside the remote IPSEC network.
If I issue a "nslookup x.example.com IP_from_DNS_SERVER_INSIDE_IPSEC" from a host (local) to the DNS Server inside the IPSEC network it works perfectly. If I issue the same command from pfSense itself, it doesn't work. Btw nothing works from the firewall itself to the remote IPSEC network (ping, ssh and so on). Using the Diagnostics -> Ping tool I can't ping the IPSEC host using any interface as the source (even LAN and localhost).
BTW I've been using the simpler method without VTI (Tunnel Method and static routes) and it used to work like a charm but I need some VTI functionalities.
Thanks!
Regards,
Marcus
-
It must be really hard to set up VTI on pfSense... no one knows. At least it seems I am not that dumb :)
-
@marcuoli
It's harder than traditional IPSec, but not that hard. In my setup, the firewalls can ping hosts across the tunnel just fine. No response in one day doesn't mean no one knows, it means you are expecting too much from community support on a forum. You need to add some additional details, such as your firewall rules, what routing protocol you are using, etc. You should be able to narrow the problem down by looking at the routing table on the firewall, checking the logs, etc.
-
I have no issues with IPsec VTI between two pfSense boxes. Your endpoint isn't pfSense so I wouldn't be able to help troubleshoot things on that end. But as the previous user said, some screenshots of your P1 and P2, whether you are using static routes or not, screenshots of firewall rules etc. are all necessary to try to figure out what's wrong.
-
Hi guys,
First of all, sorry for my own self reply and thank you for your responses... I'm just very frustrated. I've been creating VPNs to Oracle for some years now (even with pfSense Tunnel, and VTI with other software) but pfSense VTI has never been an option for some reasons. This time I wanted to give it a try.
I have just undone everything and given up on pfSense. Firstly I went back to the usual Tunnel IPSEC that works as expected. No modifications are needed to make it work on Oracle's side so the problem might/may/must be related to pfSense. If you guys have some links to post here I'll read them all to try to find out what I've done wrong.
I followed this guide https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routed-vti.html and another thousand recipes available on the net.
Not even the gateway monitoring works!!!! What on earth could be preventing the gateway monitor from working??
I know many of you have this setup working but as far as I could find there are a lot of complaints like mine.
I must be having a bad week, even posting to this forum is really hard.... Akismet keeps telling me my post is SPAM :\ I lost a good 60 minutes trying to post.... I was trying to ask about the gateway monitoring thing. I have just given up. As you've said, this is a community forum and I should really not expect so much from it, although it has already helped me lots of times (thanks guys).
When I get my patience back I will try again.
Thank you,
Marcus