(SOLVED) Can't have access to Google's 172.217.0.0 addresses

torisevt

There is a cable modem connected to pfsense that is connected to LAN switch.
No another ISP, unless IPsec VPN between sites?

Gertjan

@torisevt said in Can't have access to Google's 172.217.0.0 addresses:

unless IPsec VPN between sites?

Ah !! Even more factors to check !!
You've got more such details ?

torisevt

@Gertjan
I don't know all the things the previous guy has established.

johnpoz

whats the network settings on the ipsec - are you sending that netblock over the ipsec?

torisevt

@johnpoz
Where can I find it?

johnpoz

in the vpn, ipsec section - what is setup on the phase 2? This will have tunnel networks and remote networks and local networks defined.

torisevt

@johnpoz
ipsec tunnels.png ipsec phase2.png

johnpoz

well there is your problem a 172/8 - that is not correct for damn sure ;)

torisevt

@johnpoz
We use 172.18.., 172.19.. on the other site

johnpoz

that is great - then that should reflect the actual cidr for the networks over there - not the whole 172.everything /8 mask.

rfc1918 space for the 172 would be 172.16/12

with that /8 your telling pfsense 172.217 is over there.

If you only have 172.18 and .19 over there then 172.18/15 would be the correct mask

torisevt

After restart, everything started to work.
Google, Gmail.

THEY WORK!!

Thanks for the help @johnpoz

johnpoz

Great! Are you just using the .18/15 over there or is bigger block?

torisevt

@johnpoz
I tried the .18/15 in the phase2 and it worked.
Could I just add subnets to additional phase 2 section?
We have 172.18.1 and 2 and 3 and 172.19.1 and 2.

kiokoman

with 172.18.0.0 /15 (Netmask 255.254.0.0 = 15) First IP is 172.18.0.1 and Last IP is 172.19.255.254 so you should have it already in phase 2. there should be no need to do any other mods

torisevt

@kiokoman
thanks