    Site-to-site VPN, can only connect one direction to appliance

OpenVPN
14 Posts 3 Posters 1.2k Views
LamboJ @Rico

@rico said in Site-to-site VPN, can only connect one direction to appliance:

192.168.96.0/19 overlaps your tunnel network 192.168.121.0/24
Why do you use /19 as Remote Networks and not your 192.168.33.0/24 and 192.168.97.0/24 to be more specific?
BTW, you can upload pictures directly into the forum.

-Rico

Shouldn't the tunnel be part of the network to be routed? i.e. part of site B, given site B is acting as the server?

I've used /19 so I can add more VLANs to each site without having to reconfigure anything.
Rico (LAYER 8, Rebel Alliance)

No, the tunnel network is used internally by OpenVPN between tunnel endpoints.
Pick a network that is not in use locally or at any remote site.

-Rico
Pippin

Informational:
https://community.openvpn.net/openvpn/wiki/AvoidRoutingConflicts
LamboJ @Rico

@rico said in Site-to-site VPN, can only connect one direction to appliance:

No, the tunnel network is used internally by OpenVPN between tunnel endpoints.
Pick a network that is not in use locally or at any remote site.

-Rico

I've changed the tunnel network to: 192.168.224.0/30 (on both appliances), but still seeing the same issue.
Rico (LAYER 8, Rebel Alliance)

Did you try to be more specific with the Remote networks?
For the box with pfSense LAN IP 192.168.33.1/24 set the OpenVPN Remote network to 192.168.97.0/24
For the box with pfSense LAN IP 192.168.97.1/24 set the OpenVPN Remote network to 192.168.33.0/24

-Rico
LamboJ @Rico

@rico said in Site-to-site VPN, can only connect one direction to appliance:

Did you try to be more specific with the Remote networks?
For the box with pfSense LAN IP 192.168.33.1/24 set the OpenVPN Remote network to 192.168.97.0/24
For the box with pfSense LAN IP 192.168.97.1/24 set the OpenVPN Remote network to 192.168.33.0/24

-Rico

Just tried that as well, unfortunately no luck.
Rico (LAYER 8, Rebel Alliance)

Could there be something else overlapping, like an IPsec tunnel?
What exactly is not working? You can't ping 192.168.97.1 from that 192.168.33.1 pfSense box?

-Rico
LamboJ @Rico

@rico said in Site-to-site VPN, can only connect one direction to appliance:

Could there be something else overlapping, like an IPsec tunnel?
What exactly is not working? You can't ping 192.168.97.1 from that 192.168.33.1 pfSense box?

-Rico

Correct, the issue is that I can't ping 192.168.97.1 from anywhere in Site A. So I can't ping 192.168.97.1 from 192.168.33.1 or from any other hosts like 192.168.33.2, etc.

Site A doesn't have any IPsec tunnels. Site B (192.168.97.0/24) has an IPsec tunnel to Site C which is an Azure gateway (not pfSense). Here's the configuration:
[screenshot of the Site B IPsec configuration; image not available]
Rico (LAYER 8, Rebel Alliance)

Your IPsec Local Network overlaps 192.168.97.0/24 and 192.168.33.0/24.
I'm not really into IPsec, but pretty sure it could grab that OpenVPN traffic.
TBH, I lose track a bit of your whole setup; it is not easy to follow which site is which configuration, rules, or even local/remote networks.
It could help to sketch up your network layout.

-Rico
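The two overlap conditions discussed in this thread (a tunnel network that falls inside a routed network, and an IPsec phase 2 whose selectors cover the OpenVPN peer's networks) can be checked mechanically before rebooting anything. The following is an added example, not code from the thread and not pfSense or Netgate code. It uses only the prefixes quoted above; the IPsec selectors (192.168.0.0/16, 10.200.0.0/16, 192.168.32.0/21) are constructed placeholders, because the real phase 2 from the screenshot is not available, and the rule that IPsec selectors are consulted before the routing table is the model the checker assumes.

```python
# Added example (not from the thread and not pfSense/Netgate code): a small
# checker for the two overlap problems Rico raises, using the prefixes quoted
# in the thread. The IPsec selectors are constructed placeholders, since the
# screenshot of the real phase 2 is not available.
import ipaddress
from typing import Dict, List


def net(cidr: str) -> ipaddress.IPv4Network:
    # strict=False accepts interface-style notation such as 192.168.33.1/24.
    return ipaddress.ip_network(cidr, strict=False)


def overlaps(a: str, b: str) -> bool:
    """True if the two prefixes share at least one address."""
    return net(a).overlaps(net(b))


def check_site(site: Dict) -> List[str]:
    """Return findings for one site's OpenVPN site-to-site config.

    Keys: name, tunnel (OpenVPN tunnel network), local and remote (lists of
    prefixes routed across the tunnel), ipsec (list of phase-2 selector pairs
    {"local": ..., "remote": ...}; may be empty).
    """
    findings: List[str] = []
    name, tunnel = site["name"], site["tunnel"]

    # 1. The tunnel network is only used between the two OpenVPN endpoints, so
    #    it must not lie inside any network that is routed over the tunnel.
    for routed in site["local"] + site["remote"]:
        if overlaps(tunnel, routed):
            findings.append(f"{name}: tunnel network {tunnel} overlaps routed network {routed}")

    # 2. A local LAN that also appears inside a remote network cannot be routed
    #    sensibly in either direction.
    for local in site["local"]:
        for remote in site["remote"]:
            if overlaps(local, remote):
                findings.append(f"{name}: local network {local} overlaps remote network {remote}")

    # 3. IPsec phase-2 entries are kernel traffic selectors consulted before the
    #    routing table (the model assumed here). A LAN -> OpenVPN-remote flow is
    #    captured by IPsec when its source matches the P2 local selector AND its
    #    destination matches the P2 remote selector. A selector that merely
    #    touches the OpenVPN remote network is reported as a warning.
    for p2 in site.get("ipsec", []):
        selector = f"{p2['local']}->{p2['remote']}"
        for dst in site["remote"]:
            captured = [src for src in site["local"]
                        if overlaps(p2["local"], src) and overlaps(p2["remote"], dst)]
            for src in captured:
                findings.append(f"{name}: IPsec P2 {selector} captures OpenVPN flow {src}->{dst}")
            if not captured and (overlaps(p2["local"], dst) or overlaps(p2["remote"], dst)):
                findings.append(f"{name}: warning: IPsec P2 {selector} overlaps OpenVPN remote network {dst}")
    return findings


# Site A as first described: LAN 192.168.33.0/24, a /19 remote network chosen to
# cover future VLANs, and tunnel 192.168.121.0/24, which sits inside that /19.
SITE_A_ORIGINAL = {
    "name": "site-A-original",
    "tunnel": "192.168.121.0/24",
    "local": ["192.168.33.0/24"],
    "remote": ["192.168.96.0/19"],
    "ipsec": [],
}

# Site B after the thread's changes: /30 tunnel, specific remote network, plus an
# IPsec phase 2 toward Azure. Selectors are placeholders: a broad 192.168.0.0/16
# local selector like the one Rico warns about, and a made-up 10.200.0.0/16 VNet.
SITE_B = {
    "name": "site-B",
    "tunnel": "192.168.224.0/30",
    "local": ["192.168.97.0/24"],
    "remote": ["192.168.33.0/24"],
    "ipsec": [{"local": "192.168.0.0/16", "remote": "10.200.0.0/16"}],
}

# Same site, but with a placeholder VNet prefix (192.168.32.0/21) that happens to
# contain site A's LAN, so the OpenVPN flow really is captured by IPsec.
SITE_B_CAPTURED = {
    **SITE_B,
    "name": "site-B-captured",
    "ipsec": [{"local": "192.168.0.0/16", "remote": "192.168.32.0/21"}],
}


if __name__ == "__main__":
    for site in (SITE_A_ORIGINAL, SITE_B, SITE_B_CAPTURED):
        for line in check_site(site) or [f"{site['name']}: no overlaps found"]:
            print(line)
```

The distinction the third check makes is the one Rico was unsure about: a broad IPsec local selector that merely contains the OpenVPN peer's LAN is a warning, but the flow is only diverted into the IPsec tunnel when the destination also matches the phase 2 remote selector. Feeding it each site's real LAN, tunnel, remote networks and phase 2 selectors tells you which case applies before you start rebooting.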
LamboJ @Rico

@rico said in Site-to-site VPN, can only connect one direction to appliance:

Your IPsec Local Network overlaps 192.168.97.0/24 and 192.168.33.0/24.
I'm not really into IPsec, but pretty sure it could grab that OpenVPN traffic.
TBH, I lose track a bit of your whole setup; it is not easy to follow which site is which configuration, rules, or even local/remote networks.
It could help to sketch up your network layout.

-Rico

Thanks for all your help, but it actually looks like everything was correct in terms of settings; I just needed to reboot the appliance and it worked. I didn't realize rebooting would help here.
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.