Routing between 1 IPSEC vpn and another
-
I understand from the changelog that multiple stage2s are supported for a single stage1 now.
I have a site to site vpn up between 192.168.3.0/24 and 192.168.9.0/24.
I have a roadwarrior vpn working with clients having 192.168.4.0/24 addresses.
I want to route between 192.168.4.0/24 clients and the 192.168.9.0/24 network.
When pinging 192.168.9.2 from 192.168.4.213 I can see the packets with tcpdump -i enc0 host 192.168.4.213:
10:37:37.076219 (authentic,confidential): SPI 0x05878eb3: IP 192.168.4.213 > 192.168.9.2: ICMP echo request, id 4894, seq 6, length 64
but I never see any replies.
192.168.9.2 can ping 192.168.3.2 and vice versa, but the firewall cannot ping any remote networks directly. Is this expected to work?
-
Does your 192.168.9.0/24 network know how to reach 192.168.4.0/24? Do you have a P2 for that?
By default the firewall itself can't directly access any IPsec remote network, but routing does work from the LAN side.
-
mxx:
Thanks for your reply…
Yes, I have 2 P2s on the 192.168.9.0 firewall (also pfSense 2.0rc1):
one for 192.168.3.0/24 and one for 192.168.4.0/24. However, the 4.0/24 one is listed with a yellow check box on the IPsec status page, while the first (3.0/24) is green.
I don't understand how one can fail and the other succeed.
-
Hi, since no one else with more knowledge replied:
Sorry for the dumb question, but do both endpoints have this second P2?
Is the road warrior VPN also IPsec?
If yes and it doesn't work, try adding a gateway (pfSense's LAN IP) and add routes for those IPsec networks through the LAN IP. That way it should be possible for the firewall to reach the other endpoint directly…
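As an added example (not code from this thread or from pfSense), the following Python script models the check the replies are asking for: it parses the enc0 capture line quoted above and tests whether each firewall has a Phase 2 selector covering both the echo request and its reply. The P2 lists are constructed to mirror the thread's setup, with the 192.168.9.0/24 side assumed to lack the mirror P2 for 192.168.4.0/24.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample Phase 2 (P2) selector lists, written as (local, remote)
# from each firewall's own point of view, modelled on the thread:
# site A is the 192.168.3.0/24 firewall that also terminates the road warriors
# (192.168.4.0/24); site B is the 192.168.9.0/24 firewall.  Site B's second
# P2 (the one that would carry 192.168.4.0/24) is deliberately left out.
SITE_A_P2 = [("192.168.3.0/24", "192.168.9.0/24"),
             ("192.168.4.0/24", "192.168.9.0/24")]
SITE_B_P2 = [("192.168.9.0/24", "192.168.3.0/24")]

# The enc0 capture line quoted in the thread.
ENC0_LINE = ("10:37:37.076219 (authentic,confidential): SPI 0x05878eb3: "
             "IP 192.168.4.213 > 192.168.9.2: ICMP echo request, id 4894, seq 6, length 64")
ENC0_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+):")


def parse_enc0(line):
    """Return (src, dst) from a tcpdump enc0 line, or None if it is not an IP line."""
    m = ENC0_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def covering_p2(p2_list, src, dst):
    """Return the (local, remote) P2 selector that carries src -> dst, or None."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in p2_list:
        if s in ip_network(local) and d in ip_network(remote):
            return (local, remote)
    return None


def unmatched_p2(local_p2, remote_p2):
    """P2 entries on this endpoint that have no mirror (remote, local) on the peer."""
    peer = {(ip_network(l), ip_network(r)) for l, r in remote_p2}
    return [(l, r) for l, r in local_p2
            if (ip_network(r), ip_network(l)) not in peer]


def trace_ping(site_a_p2, site_b_p2, enc0_line):
    """Show which selector carries the request out of A and the reply out of B."""
    src, dst = parse_enc0(enc0_line)
    return {"request": covering_p2(site_a_p2, src, dst),
            "reply": covering_p2(site_b_p2, dst, src)}
```

With the constructed lists, the request leaves site A on the 4.0/24 selector but the reply from site B has no selector at all, which is exactly the "packets on enc0, no replies" symptom; adding the mirror P2 to SITE_B_P2 makes unmatched_p2 return an empty list.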