Netgate Discussion Forum

    Routing issue mobile clients can't reach remote site

      lepri13

      Hi everyone, I have a bit of an issue that I can't figure out.

      My set up is as follows:

      (Remote office)(Client)==/30tun==>openvpn tun. pre shared key==>(Main office)(server)

      This works fine; both sites are working fine and there is no problem.

      Now I have added mobile clients:

      (Remote office)(Client)==/30tun==>openvpn tun. pre shared key==>(Main office)(server for clients and satellite office)<==openvpn tun for mobile clients (all traffic is routed through the main office)

      The issue I've got is that mobile clients are able to see the main office network but not the remote network.

      Any input is appreciated.

        marvosa

        Assuming you have firewall rules allowing the traffic on both ends, two things need to happen:

        • You need to push a route for the remote office LAN to your mobile clients.

        • You need a return route for your mobile clients' tunnel network on the remote end.

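The two conditions in the answer above can be checked with a small routing model. This is an added example, not code from any poster or from pfSense. Only 10.0.7.0/24 (the road warrior tunnel network named later in the thread) comes from the page; the LAN prefixes, host addresses, node names and the "wan" default route are constructed assumptions.

```python
import ipaddress

MOBILE_TUNNEL = "10.0.7.0/24"    # road warrior tunnel network, from the thread
MAIN_LAN = "192.168.10.0/24"     # constructed sample value
REMOTE_LAN = "192.168.20.0/24"   # constructed sample value

def build_tables(client_route_to_remote=True, return_route_on_remote=True):
    """One routing table per node: (prefix, next_hop); next_hop None means local."""
    tables = {
        "mobile": [(MOBILE_TUNNEL, None), (MAIN_LAN, "main")],
        "main": [(MAIN_LAN, None), (MOBILE_TUNNEL, "mobile"), (REMOTE_LAN, "remote")],
        # The remote office knows the main LAN; everything else goes to its WAN.
        "remote": [(REMOTE_LAN, None), (MAIN_LAN, "main"), ("0.0.0.0/0", "wan")],
    }
    if client_route_to_remote:    # pushed route, or all client traffic sent via main
        tables["mobile"].append((REMOTE_LAN, "main"))
    if return_route_on_remote:    # return route for the mobile tunnel network
        tables["remote"].append((MOBILE_TUNNEL, "main"))
    return tables

def trace(tables, start, dst):
    """Follow longest-prefix-match hops; return (path, delivered)."""
    addr, node, path = ipaddress.ip_address(dst), start, [start]
    while node in tables and len(path) <= len(tables) + 1:
        matches = [(ipaddress.ip_network(p), hop) for p, hop in tables[node]
                   if addr in ipaddress.ip_network(p)]
        if not matches:
            return path, False    # no route at this node: packet dropped
        _, hop = max(matches, key=lambda m: m[0].prefixlen)
        if hop is None:
            return path, True     # destination is local to this node
        node = hop
        path.append(node)
    return path, False            # left the modelled network (WAN) or looped

def round_trip(tables, client_ip, server_ip):
    """Trace the request from the mobile client, then the reply back to it."""
    fwd, ok_fwd = trace(tables, "mobile", server_ip)
    back, ok_back = trace(tables, fwd[-1], client_ip) if ok_fwd else ([], False)
    return {"forward": fwd, "return": back, "ok": ok_fwd and ok_back}

if __name__ == "__main__":
    for rr in (False, True):
        print(rr, round_trip(build_tables(True, rr), "10.0.7.2", "192.168.20.10"))
```

With the return route missing, the request reaches the remote office but the reply follows the remote site's default route and never re-enters the tunnel, which matches the symptom in the first post.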
          rcfa

          Maybe this?

          https://doc.pfsense.org/index.php/Why_won%27t_OpenVPN_push_routes

            lepri13

            I have tried push routes for the two sites to the mobile clients, but I don't think it's needed as I have all traffic from mobile clients going through our main office. Do I still need push routes?

              lepri13

              OK, I found this very useful blog post about the issues I was having and the reason for the error I have had. Here is the link:

              http://blog.stefcho.eu/?p=733

              Good read for anyone with a multisite VPN. I still think OSPF would have been a better option, as manual setup is OK for a smaller network, but once you reach a certain size it becomes a full-time occupation to manage.

                marvosa

                Appears to be a more detailed explanation of what I posted previously. Although, correct me if I'm wrong, but I'll assume he meant to add 10.0.7.0/24 to PFsense02 and not 10.123.45.0/24, as it does not appear in his network diagram.

                  lepri13

                  No, everything is correct in the blog; you need to add the network so the traffic can return.

                    marvosa

                    you need to add the network so the traffic can return

                    Absolutely, you need a return route for the road warrior tunnel network on PFsense02, so the return traffic gets routed down the tunnel... but if you notice, the road warrior tunnel network is 10.0.7.0/24, not 10.123.45.0/24.

                    I'm guessing he was working on multiple documents and posted the wrong subnet by mistake, because 10.123.45.0/24 is nowhere in his diagram.

                    Someone please point it out if it's right in front of my face and I'm missing it, but going strictly off the diagram... I don't see any reason for routing 10.123.45.0/24 down the tunnel.
