2.0 Site to site, routing issue?
-
Ah sorry i didn't read right.
You have a SSL/TLS site-to-site and not a PSK. Could you show a screenshot of the rules you created?
-
Sure,
This is from the client. Server looks the same but with 1194 UDP on WAN as well.
-
Check your setup against this:
http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29
-
Thanks jimp,
I've been going through that guide around 150 times by now and I believe I have configured it exactly the same. Feels like there is no routing between LAN and OpenVPN interfaces..?
-
Using multi-wan or other policy routing by chance?
If so, the traffic is probably hitting a rule with a gateway and getting shoved out a WAN instead of following the firewall's routing table.
Add a rule at the top of the list with a destination of the VPN network(s) that has no gateway set.
EDIT: I didn't see your attachment there earlier, so I see you aren't. Though checking the system's routing table on both sites is a good idea.
-
Thanks,
I think the routing tables look fine. The attached is from the client, and the server looks the same (but reverse of course :) )
-
Could this be related to iroutes?
-
If you don't have iroutes setup (or setup properly) then yes it can be related to iroutes.
-
I do have an iroute on the server with just the CN of the client and the following line:
iroute 192.168.10.0 255.255.255.0;
-
You might be hitting this:
http://redmine.pfsense.org/issues/1417
Try adding this to your custom options:
client-config-dir /var/etc/openvpn-csc;
-
Yes, that was probably it. Thanks!
I think I have some other problems with my configuration but it looks much better now!
Thanks a lot for your help.
-
Packet captures tell me everything works fine on the server side, but the remote side doesn't route between the OpenVPN and LAN interfaces if the source is from behind the server…
Do I need iroutes on the client side as well?
-
No, iroutes only go on the server side. Clients just have route statements. Servers need both route and iroute. Check the doc wiki, search for iroute, there is a troubleshooting doc.
-
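A consistency check for the route/iroute rule jimp states above, written as an added example for this thread (it is not pfSense or forum code). The server, CCD and client configs are constructed samples; the server LAN 192.168.1.0/24 and the client CN "remote-site" are assumptions.

```python
# Constructed sample configs: server LAN 192.168.1.0/24 and client CN "remote-site" are assumed.
SERVER_CONF = """
dev tun
mode server
tls-server
client-config-dir /var/etc/openvpn-csc
route 192.168.10.0 255.255.255.0
"""
# client-config-dir entries are keyed by the client certificate's CN
CCD_FILES = {"remote-site": "iroute 192.168.10.0 255.255.255.0;\n"}
CLIENT_CONF = """
dev tun
tls-client
route 192.168.1.0 255.255.255.0
"""


def parse_options(text):
    """Return (option, args) pairs; '#' starts a comment and pfSense's custom options box separates options with ';'."""
    opts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            opts.append((parts[0], tuple(parts[1:])))
    return opts


def check_site_to_site(server_conf, ccd_files, client_conf):
    """Return findings (empty when consistent): the server needs client-config-dir and a route for
    every iroute; the client needs a route to the server LAN and must never carry an iroute."""
    findings = []
    server = parse_options(server_conf)
    client = parse_options(client_conf)
    server_routes = {args for opt, args in server if opt == "route"}
    if ccd_files and "client-config-dir" not in {opt for opt, _ in server}:
        findings.append("server: CCD files exist but client-config-dir is not set, so iroutes are never read")
    for cn, text in ccd_files.items():
        iroutes = [args for opt, args in parse_options(text) if opt == "iroute"]
        if not iroutes:
            findings.append(f"ccd/{cn}: no iroute, remote LAN will not be routed into this tunnel")
        for args in iroutes:
            if args not in server_routes:
                findings.append(f"ccd/{cn}: iroute {' '.join(args)} has no matching server route")
    if any(opt == "iroute" for opt, _ in client):
        findings.append("client: iroute is a server-only option")
    if not any(opt == "route" for opt, _ in client):
        findings.append("client: no route statement for the server LAN")
    return findings
```

Dropping the client-config-dir line from SERVER_CONF reproduces the situation from earlier in the thread, where the CCD iroute exists but is never loaded.
-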
That's what I thought.
Checked the docs and I have it set up exactly like described. Acts just like the iroute problem on the server though.
I had to set mode server; could that cause these types of problems?
-
I think I've got this sorted for sure, it works for me in a Peer-to-Peer (SSL/TLS) setup with iroutes between two VM networks.
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/0cc5ab42269a5aa1588ac2f862b0201917569ada
Either try that change or wait for the next new snapshot and then try it again.
-
Had to wait a while to be able to upgrade the remote side, but I am happy to say that it is working just fine after updating to the latest snapshot on both sides.
Thanks for your help jimp!