Netgate Discussion Forum

    Site-to-site routing

drzed

      Hi there!

I've got some troubles setting up my site-to-site VPN based on PKI auth. The tunnel-building stuff works fine so far, but I'm having some routing (or firewalling) troubles on the pfSense box (I guess).

On Box B (Linux; see attached picture) I can ping hosts of net A, e.g. host a1. So far so good, but b1 cannot ping A or a1.

I traced the packets a little bit and found out that they reach tun0 on A (pfSense box) but not vr1.

Of course the remote network is set to 192.168.0.0/24 and the local network to 192.168.0.0/24 on A, the pfSense box.

Any ideas what/where the problem would be in that case?

      Cheers,
      Sigmund

[Attachment: wan.png]

GruensFroeschli

Don't use a PKI for site-to-site.
It makes everything unnecessarily more complicated.

Search the forum for OpenVPN site-to-site since I described the steps needed multiple times.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

drzed

Well, as suggested I did a search for the string 'site-to-site'.

However, I was not able to find any useful topics that contain a solution for my problem:
          http://forum.pfsense.org/index.php/topic,9933.0.html
          http://forum.pfsense.org/index.php/topic,7457.0.html
          http://forum.pfsense.org/index.php/topic,10048.0.html
          http://forum.pfsense.org/index.php/topic,7009.0.html
Maybe this was not the magical keyword to search for :(

Also I read the howto on openvpn.org, but again I did not find anything helpful; the site only contains a setup example for a PKI site-to-site conf.

Additionally I changed from PKI to PSK, which did not really help (read: nothing); the only difference is that the routes do not get pushed any more to the client LAN (Server B), which is not really a problem for me as I can add them manually (on B), but this enables just Server B to reach e.g. a1 and still not B's clients.

As described in my first posting, I think that the problem is located on Server A, the pfSense box, as the ICMP echos reach tun0 but do not get forwarded/routed to vr1. According to the pfSense log none of these packets got blocked, and a route exists.

Also, e.g. a1 cannot ping b1 although there is a route to 192.168.2.0/24 -> 172.16.0.2 on A (the ICMP packets never reach tun0 on A), but A itself can ping b1||B.

          The route on A to the B LAN:
          192.168.2          172.16.0.2        UGS        0    1572  tun1

          Additional information on B's config etc: http://phpfi.com/373176

          So in any case the packets hang on the pfsense box somewhere between vr1 and tun0.

drzed

OK, this was a tricky one:

I was doing a migration from IPsec to OpenVPN (because IPsec does not support site-to-site where B has a dynamic IP) and I still had my IPsec config activated, so this somewhat confused pfSense.

I disabled the tunnels in question on the IPsec page and my OpenVPN started working!

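A small checker for the conflict found in this thread, added here as an example and not code from the thread or from pfSense: it models the rule that an enabled IPsec phase 2 whose selectors match a flow takes that flow before the OpenVPN route is consulted (an assumption about pfSense's policy-based IPsec), using constructed tunnel entries for the subnets named in the posts.

```python
import ipaddress

# Constructed configuration modelled on the thread's setup (not the poster's real config):
# box A's OpenVPN site-to-site tunnel to B, plus the leftover IPsec phase 2 for the same LANs.
OPENVPN_TUNNELS = [
    {"name": "ovpn-to-B", "local": "192.168.0.0/24", "remote": "192.168.2.0/24"},
]
IPSEC_PHASE2 = [
    {"name": "ipsec-to-B", "enabled": True, "local": "192.168.0.0/24", "remote": "192.168.2.0/24"},
    {"name": "ipsec-to-C", "enabled": True, "local": "192.168.0.0/24", "remote": "10.10.0.0/16"},
]

def _net(s):
    return ipaddress.ip_network(s, strict=False)

def find_conflicts(openvpn, ipsec):
    """Return (openvpn_name, ipsec_name) pairs whose local/remote selectors overlap.
    Assumption: an enabled IPsec phase 2 that matches a flow grabs it before the
    routing table is consulted, so the OpenVPN route to the same subnet is never used."""
    conflicts = []
    for ov in openvpn:
        for p2 in ipsec:
            if not p2["enabled"]:
                continue
            if _net(p2["local"]).overlaps(_net(ov["local"])) and \
               _net(p2["remote"]).overlaps(_net(ov["remote"])):
                conflicts.append((ov["name"], p2["name"]))
    return conflicts

def flow_path(src, dst, openvpn, ipsec):
    """Which tunnel a src->dst flow leaves box A through, under the same assumption."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p2 in ipsec:
        if p2["enabled"] and s in _net(p2["local"]) and d in _net(p2["remote"]):
            return "ipsec:" + p2["name"]
    for ov in openvpn:
        if s in _net(ov["local"]) and d in _net(ov["remote"]):
            return "openvpn:" + ov["name"]
    return "routing-table"

def disable_phase2(ipsec, name):
    """Return a copy of the IPsec list with the named phase 2 disabled (the thread's fix)."""
    return [dict(p2, enabled=(p2["enabled"] and p2["name"] != name)) for p2 in ipsec]

if __name__ == "__main__":
    print(find_conflicts(OPENVPN_TUNNELS, IPSEC_PHASE2))
    print(flow_path("192.168.0.10", "192.168.2.10", OPENVPN_TUNNELS, IPSEC_PHASE2))
    fixed = disable_phase2(IPSEC_PHASE2, "ipsec-to-B")
    print(find_conflicts(OPENVPN_TUNNELS, fixed))
    print(flow_path("192.168.0.10", "192.168.2.10", OPENVPN_TUNNELS, fixed))
```

With the stale phase 2 enabled, a1-to-b1 traffic is classified as IPsec and never reaches tun0, which matches the symptom in the thread; once it is disabled the same flow goes through the OpenVPN tunnel.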
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.