Netgate Discussion Forum

    [2.1] site2site vpn stops to work after Multi VPN server firmware upgrade

OpenVPN
    27 Posts 4 Posters 5.9k Views
vielfede:

      @mikeisfly:

      Isn't that your problem, shouldn't your static routes be pointing to your individual sites? 192.168.100.2 and the other site to maybe 192.168.100.3? Not sure what IP your other site is pulling from your main site. Did you downgrade? If you did then I would agree with you I would wait until a more convenient time.

192.168.100.2?
Perhaps you mean 192.168.100.102!
192.168.100.102 is the IP of my 5th interface, routing some "private traffic"…
Yes, I downgraded.
I'm following this thread, where a similar routing problem is described:
http://forum.pfsense.org/index.php/topic,66776.30.html

I hope my thread can be a reference for OpenVPN with 1 server and 2+ clients site2site VPNs.

mikeisfly:

        Sorry I meant 192.168.12.3 :).

        Here is a simplified view of your network, please let me know if I have made a mistake here:

So I'm thinking when you make your static routes, when you want to get to the 10.106.100.0/24 network you need to send traffic to 192.168.12.2. Similarly, when you want to send traffic to 10.116.100.0/24 you need to send traffic to 192.168.12.3. I'm thinking that you can just make a static route to accomplish this and no further configuration is needed under OpenVPN. Like I stated before, I have never done it this way before, but it seems like it should work. I'm very interested to see if this works; if it does, it seems like with a little tweaking you could make a fully meshed OpenVPN network as well. I prefer to do it where every site has a connection to every other site, that way if the main site goes down then the remote sites still have a connection to each other. But that is getting beyond what you are looking to accomplish here. So what do you think? The only problem here is to ensure that the remote sites maintain the same IP on their OVPN interfaces, which I guess could be done with a static IP. Just another question: if you are only going to have three sites connected, why not use 192.168.12.0/29, or even a /28 if you think you might expand in the future? It just seems like a waste to use a /24 for point-to-point links or a small network like you are using.

vielfede:

Great job mikeisfly!  :)
But there is an error on site 2: it got the same virtual VPN IP as site 1, 192.168.12.2 (as you can see in my attachment).

          @mikeisfly:

          So I'm thinking when you make your static routes, when you want to get to the 10.106.100.0/24 network you need to send traffic to 192.168.12.2. Similarly when you want to send traffic to 10.116.100.0/24 you need to send traffic to 192.168.12.3. I'm thinking that you can just make a static route to accomplish this and no further configurations are need under OpenVPN.

I agree… but as I stated in my previous message, on RC1 the routes are added automatically (as you can see in the figure routes_2.1-RC1.jpg), hence I do not understand why it shouldn't work on 2.1-RELEASE. Moreover, as stated before, I remember the 2 routes appearing automatically in the Diagnostics -> Routes panel on 2.1-RELEASE.

I do not need a site1 to site2 link (hub&spoke). I use hub&spoke on the RoadWarrior connection (mainsite): my RoadWarrior VPN is configured to allow RW clients to get access to the mainsite LAN, site1 LAN and site2 LAN.
That is by means of the iroute/route OpenVPN commands. Those commands add routes on each site as needed, without any other custom static route or something like that.

mikeisfly:

            But there is an error: on site 2. It got the same virtual VPN IP of site 1: 192.168.12.2 (as you can see on my attachment)

That's interesting. Not sure how that is working when two sites have the same virtual IP; it doesn't seem like it should work. Maybe this is the issue with 2.1 Release. I will try to set something up in my lab and let you know the results. Like you said, if we can figure out what's going on, others can use this as a resource for future issues.

vielfede:

              @mikeisfly:

              But there is an error: on site 2. It got the same virtual VPN IP of site 1: 192.168.12.2 (as you can see on my attachment)

That's interesting. Not sure how that is working when two sites have the same virtual IP; it doesn't seem like it should work. Maybe this is the issue with 2.1 Release. I will try to set something up in my lab and let you know the results. Like you said, if we can figure out what's going on, others can use this as a resource for future issues.

I don't know… It has worked flawlessly on 2.01, 2.02, 2.03, 2.1-RC0 and 2.1-RC1.
Thank you for your interest.
I hope this can help other pfSense users.

vielfede:

                [UPDATE]
This afternoon I set up a test 2.1-RELEASE pfSense on my mainsite and…

As I stated before, no difference in routing... (I got some images but they are useless, being identical to the 2.1-RC1 ones).
Moreover:

• I can ping site1 from inside the mainsite pfSense fw

• I can ping site2 from inside the mainsite pfSense fw

Indeed the problem seems to be in the multi-WAN gw.
Disabling failover/loadbal on the LAN net, both VPNs start to work.
                I found a similar problem here: http://forum.pfsense.org/index.php/topic,68494.0.html

tim.mcmanus:
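The hub-and-spoke layout discussed above (one "Peer to Peer (SSL/TLS)" server at mainsite, one client per site, routes learned through route/iroute rather than hand-made static routes) as an added configuration example. This is not configuration from the thread or from pfSense; it only reuses the addresses the posters mention (tunnel 192.168.12.0/24, site1 LAN 10.106.100.0/24, site2 LAN 10.116.100.0/24, virtual IPs .2 and .3). The mainsite LAN 10.100.100.0/24, the RoadWarrior tunnel 192.168.13.0/24, the certificate CNs site1/site2, the hostname hub.example.org and the ccd path are assumptions. In the pfSense GUI the per-client files correspond to "Client Specific Overrides" entries.

```conf
# ---- hub (mainsite) server, Peer to Peer (SSL/TLS) ----
# Added example: assumed addresses marked below are NOT from the thread.
dev tun
proto udp
port 1194
topology subnet
server 192.168.12.0 255.255.255.0        # tunnel network from the thread

# Kernel routes on the hub for each spoke LAN, via the tun interface.
# OpenVPN adds these itself; no manual static route is needed.
route 10.106.100.0 255.255.255.0         # site1 LAN
route 10.116.100.0 255.255.255.0         # site2 LAN

# Routes pushed to the spokes: the hub LAN (assumed 10.100.100.0/24) and
# the RoadWarrior tunnel (assumed 192.168.13.0/24), so RW clients get a
# return path from site1/site2 without any static route on the spokes.
push "route 10.100.100.0 255.255.255.0"
push "route 192.168.13.0 255.255.255.0"

# Per-client directory; one file per certificate CN (assumed path).
client-config-dir /var/etc/openvpn/server1.ccd

# ---- ccd/site1  (file name = CN of site1's certificate) ----
# iroute tells OpenVPN which client owns the LAN the kernel route points at.
# ifconfig-push pins the virtual IP so it does not move between reconnects;
# with "topology subnet" the second argument is the netmask.
iroute 10.106.100.0 255.255.255.0
ifconfig-push 192.168.12.2 255.255.255.0

# ---- ccd/site2  (file name = CN of site2's certificate) ----
iroute 10.116.100.0 255.255.255.0
ifconfig-push 192.168.12.3 255.255.255.0

# ---- spoke client (site1 and site2 are identical apart from certs) ----
client
dev tun
proto udp
remote hub.example.org 1194              # assumed hub hostname
# No route statements here: the hub pushes the routes it wants the spoke
# to have, and the hub's own route + iroute pair handles the return path.

# ---- RoadWarrior server on the hub (separate instance, assumed) ----
# RW clients reach all three LANs because the hub already routes the spoke
# LANs into the site-to-site tunnel.
server 192.168.13.0 255.255.255.0
push "route 10.100.100.0 255.255.255.0"
push "route 10.106.100.0 255.255.255.0"
push "route 10.116.100.0 255.255.255.0"
```

Two checks worth doing on a setup like this. First, each spoke must present a certificate with a distinct CN: without duplicate-cn a second client with the same CN replaces the first, and both would anyway map to the same ccd file and therefore the same iroute and virtual IP, which is one way to end up with the "same virtual IP on two sites" picture described above. Second, as general pfSense practice and separately from the 2.1-RELEASE bug tracked in this thread: a LAN firewall rule whose Gateway is set to a failover or load-balance group policy-routes every matching packet out that group and bypasses the kernel routing table, so traffic for 10.106.100.0/24 and 10.116.100.0/24 has to match an earlier LAN rule with the Gateway left at default (or be excluded from the policy-routed rule) if it is to follow the tun routes that OpenVPN installs.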

                  What do your firewall logs show?  Where is this traffic getting blocked if at all?

                  What do the traceroute logs show?

vielfede:

Here's the traceroute…
I did not look at the firewall logs... as I thought no block was on! Tomorrow I'll take a look...

[attachment: tracert.JPG]

vielfede:

This morning I checked the fw logs…
No block at all...

mikeisfly:

I have no experience with doing a site to site over a MultiWAN setup, but I would just make sure that you have 1194 opened up on both interfaces. I would also switch to UDP, as TCP could be a source of your problems. Just thinking out loud: could there be a problem with traffic leaving one WAN interface and then coming back on another? If you disable one of your WAN interfaces, does this solve your issues? Is that something that is even possible for you to do?

vielfede:

No way… at the moment I do not use the 2nd WAN in the VPN conf (just the internet connection). And the VPN is up and running (=> no fw problem), hence, as I stated above, disabling just the "multigw" allows the VPN to "ping"…
Indeed there is something wrong in routing on 2.1-RELEASE when VPN is coupled with multigw.

                          I don't know if there is something other we can do....

                          I hope in some admin/developer help...
                          Pleeeeeeeeeeese!  :)

                          Otherwise I (we?) have just to wait 2.1.1...

vielfede:

Summarizing, I think it can only be a bug: how is it possible to route 2 nets differently with the same gw?

Finally… I submitted a bug at https://redmine.pfsense.org/issues/3309

                            I hope this help...

vielfede:

                              [SOLVED]
                              Fix will be available on 2.1.1

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.