OSPF learned routes not passing packets for one VTI partner
Let me start by saying that I feel like I'm missing something that's probably obvious, but I can't seem to figure out what.
I have 4 sites with a spoke-and-wheel IPSEC VPN configuration. All locations are using pfSense 2.6.0. Three of those sites are connected to each other with VTI tunnels and use FRR OSPF for dynamic routing, and those are working fine. Let's call those 3 sites B, C, and D. The 4th site, which we'll call A, would be considered the hub of the configuration. We currently have traditional IPSEC tunnels between A and 2 of the other sites, B and D. The traditional IPSEC tunnels are what we want to replace. Site A is already connected with a VTI tunnel to Site C, which is also working fine.
I am trying to turn on the VTI tunnel between site D and site A, and this is where the problem lies. The adjacency is established and the new routes are learned in IPSEC. The routes are distributed between the different FRR installs as well. The routes do make it into the routing table showing the VTI link between sites A and D. However, devices on the LAN for sites D and A cannot talk to each other. I can talk from sites A and D to both sites B and C, but not between A and D. I have closed all the states, restarted services, disconnected and reconnected the VTI tunnel between sites A and D, and still nothing. I have checked the firewall rules and don't see anything that would be blocking it. I can also ping from the pfSense router at both sites to the LAN at the other site. However, LAN devices at both sites still cannot access the other site.
Is there something obvious I should be checking? Since both sites A and D have working VTI connections to at least 1 other site, I would think that the firewall rules should be fine unless a rule applied to this specific scenario or machine, but I haven't found any match like that among the rules. I'm at a bit of a loss. Anyone have a suggestion?