Netgate Discussion Forum
    Can't get Site-to-Site (shared key) to work

    OpenVPN
    12 Posts 4 Posters 3.9k Views
      phil.davis

      Your network numbers look fine.
      From cmb at http://forum.pfsense.org/index.php/topic,34858.msg181292.html#msg181292

          The only time I've ever seen route errors is when you incorrectly have static routes defined that overlap with routes from OpenVPN.

      Other googling indicates that the route it is trying to add to the network at the other end probably already appears in the routing table. Do you have any static routes defined, or other routing-related settings somewhere?

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        gridrun

        Nope, no static routes. A default gateway on each end, that's about it.

        Tech stuff on my blog: http://niston.wordpress.com

          marvosa

          Post the server.conf from both sides.

            gridrun

            I got it to work by either a) configuring a static IP on the ovpns interface or b) adding the line 'ifconfig 192.168.225.1 192.168.225.2' to the server config options. Both at the same time do not work. The howto suggests that this shouldn't be needed.

            Tech stuff on my blog: http://niston.wordpress.com

              marvosa

              Yeah, something's not right.  If you post your configs… we can figure it out.

                eases

                Hi all,

                I guess that I maybe have the same problem…
                We also have a site-to-site OpenVPN (pre-shared keys) between two pfSense boxes,
                and I followed the instructions on the pfSense site to the letter!

                Everything looks perfectly fine... The routes are correct, the devices in the networks
                on both sites have their pfSense box as default gateway, and the VPN establishes
                directly when I hit the save button.

                BUT:

                • I can't ping from a device in network A to a device in network B.

                • I can't ping from a device in network B to a device in network A.

                • I can't ping from the pfSense GUI in network A to a device in network B.

                • I can't ping from the pfSense GUI in network B to a device in network A.

                • I can't ping from the pfSense GUI in network A to the pfSense box in network B.

                • I can't ping from the pfSense GUI in network B to the pfSense box in network A.

                However:

                • I can do a traceroute from the pfSense GUI in network A to a device in network B.

                • I can do a traceroute from the pfSense GUI in network B to a device in network A.

                • I can do a traceroute (ICMP only) from the pfSense GUI in network A to the pfSense box in network B.

                • I can do a traceroute (ICMP only) from the pfSense GUI in network B to the pfSense box in network A.

                • I can't do a traceroute from the pfSense GUI in network A to a turned-off device in network B.

                • I can't do a traceroute from the pfSense GUI in network B to a turned-off device in network A.

                Any idea what I am missing in my config?

                On both sites I have one rule in my OpenVPN tab: * * * * * * none

                Thanks in advance!

                  marvosa

                  eases,
                  Sorry, but I have to tell you the same thing I told gridrun…. post your configs.... without 'em, we're just guessing.

                    eases

                    Good morning Marvosa,

                    well… I was in a little bit of a hurry to get pfSense working at a new location,
                    because our Cisco ASA couldn't handle the traffic anymore. A long time
                    ago we decided to replace our (Cisco) routers with pfSense, but with the
                    idea of more time and planning :-)

                    I haven't found a solution for the problem I described, but a factory reset
                    and a new start did the trick. Now I started with the VPN tunnels, and when
                    this worked I started with all the other firewall rules.

                    Posting my config is something I try not to do, but I get that it's the only way to
                    get some insight into the conflicting rule I probably made somewhere...

                    But thanks for the help offering!

                    @gridrun: Maybe a new start is also your solution?

                      marvosa

                      eases,
                      Glad it's working.  Don't be afraid to post your config (server.conf)… there's nothing unique to your site except for the public IP, which everyone masks before they post.  Everything else is either standard in everyone's config or internal IPs that don't matter because they can't be routed over the internet.

                        gridrun

                        Two different ALIX boards with pfSense 2.0.2, similar problem.
                        This time it's Peer-to-Peer (SSL/TLS) mode.

                        Local Net Server: 192.168.10.0/24
                        Remote Net Server: 192.168.20.0/24

                        Local Net Client: 192.168.20.0/24
                        Remote Net Client: 192.168.10.0/24

                        Tunnel Network (identical on client and server): 192.168.254.0/30

                        There are no additional openvpn config options given.
                        There are no client specific overrides.
                        There are no static routes defined.

                        The tunnel is up, both tunnel IPs can be pinged from both sides.
                        192.168.10.* can't ping 192.168.20.* and vice versa.
                        Client has the log entry "ERROR: FreeBSD route add command failed: external program exited with error status: 1" twice. Server doesn't have this error.
                        Client has the log entry "WARNING: using --pull/--client and --ifconfig together...". Server doesn't have this warning.
                        Both server and client have "WARNING: Ifconfig is present in local but missing in remote...".

                        Tech stuff on my blog: http://niston.wordpress.com

                          gridrun
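Three things in this thread are checkable from the two config files and the client's routing table before the tunnel is ever brought up: cmb's point (quoted by phil.davis above) that a pre-existing route overlapping one OpenVPN wants to add makes the FreeBSD "route add" fail, gridrun's earlier finding that a mirrored 'ifconfig' line on the shared-key server fixed things, and the two warnings in the log above ("Ifconfig is present in local but missing in remote" and "using --pull/--client and --ifconfig together"). The script below is an added example, not code from pfSense, OpenVPN or anyone in this thread: it lints a server/client config pair and a "netstat -rn" excerpt for exactly those mismatches. The configs, addresses and routing-table lines are constructed samples; the "File exists" wording is what FreeBSD's route(8) prints when the destination is already present.

```python
"""Lint an OpenVPN peer-to-peer (site-to-site) config pair for the failure
modes discussed in the thread. Added example, not code from pfSense or
OpenVPN; all configs and the 'netstat -rn' excerpt are constructed samples."""
import ipaddress
from collections import defaultdict

def parse_config(text):
    """Map each OpenVPN directive to a list of its argument lists."""
    opts = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # OpenVPN comment lines
            continue
        parts = line.split()
        opts[parts[0]].append(parts[1:])
    return opts

def parse_routes(netstat_text):
    """Destinations from a FreeBSD 'netstat -rn' listing as ip_network objects."""
    nets = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == "default":   # default never blocks an add
            continue
        try:
            nets.append(ipaddress.ip_network(parts[0], strict=False))
        except ValueError:
            pass                                      # 'Destination' header etc.
    return nets

def check_routes(opts, existing):
    """Compare the 'route NET MASK' directives with what is already in the table."""
    findings = []
    for args in opts.get("route", []):
        if len(args) < 2:
            continue
        net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        for have in existing:
            if have.version != net.version:
                continue
            if net == have:   # identical destination: route(8) exits 1 with 'File exists'
                findings.append(f"route {net} already in table: 'route add' will fail (File exists)")
            elif net.subnet_of(have) or have.subnet_of(net):
                findings.append(f"route {net} overlaps existing {have}")
    return findings

def check_pair(server, client):
    """Cross-check the two sides for the mismatches OpenVPN logs as warnings."""
    findings = []
    s_if, c_if = server.get("ifconfig"), client.get("ifconfig")
    if bool(s_if) != bool(c_if):
        findings.append("ifconfig present on one side but missing on the other")
    elif s_if and s_if[0][:2] != c_if[0][:2][::-1]:      # local/remote must swap
        findings.append(f"ifconfig not mirrored: server {s_if[0]} vs client {c_if[0]}")
    if c_if and ("client" in client or "pull" in client):
        findings.append("client uses --client/--pull together with a local --ifconfig")
    for d in ("dev", "proto"):
        if server.get(d) != client.get(d):
            findings.append(f"'{d}' differs between sides")
    remote = client.get("remote", [[]])[0]
    if server.get("port") and len(remote) >= 2 and remote[1] != server["port"][0][0]:
        findings.append("client 'remote' port does not match server 'port'")
    return findings

def lint(server_text, client_text, client_netstat):
    server, client = parse_config(server_text), parse_config(client_text)
    return check_pair(server, client) + check_routes(client, parse_routes(client_netstat))

# Constructed shared-key pair: 192.168.10.0/24 behind the server, 192.168.20.0/24
# behind the client, tunnel 192.168.254.1 <-> 192.168.254.2.
SERVER_CONF = """dev tun
proto udp
port 1194
ifconfig 192.168.254.1 192.168.254.2
route 192.168.20.0 255.255.255.0
secret static.key
"""
CLIENT_CONF = """dev tun
proto udp
remote 203.0.113.10 1194
ifconfig 192.168.254.2 192.168.254.1
route 192.168.10.0 255.255.255.0
secret static.key
"""
# Constructed 'netstat -rn' from the client box: a leftover static route to the
# far LAN already exists, so OpenVPN's own 'route add' exits with status 1.
CLIENT_ROUTES = """Destination        Gateway            Flags    Refs      Use  Netif Expire
default            198.51.100.1       UGS         0    12345    vr0
192.168.10.0/24    192.168.20.254     UGS         0        0    vr1
192.168.20.0/24    link#2             U           0     4321    vr1
192.168.254.1      link#5             UH          0        0   tun0
"""
# Same client with 'client' added: the --pull/--ifconfig combination the logs warn about.
BROKEN_CLIENT_CONF = CLIENT_CONF + "client\n"

if __name__ == "__main__":
    for label, conf in (("clean", CLIENT_CONF), ("with 'client'", BROKEN_CLIENT_CONF)):
        print(f"--- {label} ---")
        for finding in lint(SERVER_CONF, conf, CLIENT_ROUTES):
            print("*", finding)
```

Run it against copies of the two configs and the output of "netstat -rn" taken on the client before OpenVPN starts; a "route already in table" finding is the situation cmb describes, and an unmirrored or one-sided 'ifconfig' is what the "present in local but missing in remote" warning is reporting. The checks only cover directives visible in the files, so client-specific overrides and pushed routes on an SSL/TLS server are out of scope here.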

                          We backed up the config, then did a factory reset on those two machines. With nothing but LAN/WAN IPs and the VPN configured, everything works flawlessly as expected. Will see if we can find out the breaking difference by comparing the configs :-)

                          Tech stuff on my blog: http://niston.wordpress.com

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.