Netgate Discussion Forum
    site-to-site connected but can not ping after vpn in

    Scheduled Pinned Locked Moved OpenVPN
    16 Posts 2 Posters 1.3k Views
    • S
      svpnv @viragomann
      last edited by

      @viragomann The client log does not show a problem adding any route. It added a route to my s2s server LAN 10.100.0.0/16, but nothing shows in the log about the client LAN 10.199.0.0/16, which is set in the server as "Remote Network".

      s2s server:
      Tunnel Network: 192.168.171.0/30
      Local network(s): 10.100.0.0/16
      Remote network(s): 10.199.0.0/16

      s2s client:
      Tunnel Network: 192.168.171.0/30
      Remote network(s): 10.100.0.0/16

      • V
        viragomann @svpnv
        last edited by

        @svpnv said in site-to-site connected but can not ping after vpn in:

        s2s client:
        Tunnel Network: 192.168.171.0/30
        Remote network(s): 10.100.0.0/16

        I'm missing the access server tunnel network here.

        • S
          svpnv @viragomann
          last edited by

          @viragomann Do you mean the VPN access server tunnel network? That's 172.16.0.0/24.

          • V
            viragomann @svpnv
            last edited by

            @svpnv
            Yes, that's what I already stated above. Two simple points for setting the routes correctly.
            Since you didn't provide the details as requested, I didn't know the correct tunnel network range, so I was not able to specify it.

            • S
              svpnv @viragomann
              last edited by

              @viragomann Thanks for helping. But I'm not sure what details you need. Can you make it clear? How to set the routes correctly?

              • V
                viragomann @svpnv
                last edited by

                @svpnv
                https://forum.netgate.com/topic/164448/site-to-site-connected-but-can-not-ping-after-vpn-in/4

                Simply make these two points.
                If that doesn't work, provide the IPv4 routing tables from both pfSense and from the client device, as well as the client's OpenVPN log, please.
                Which vpn client are you using?

                • S
                  svpnv @viragomann
                  last edited by svpnv

                  @viragomann I'm using Tunnelblick. I've already had all of those in the config. Here are the routing tables:

                  Server:
                  (screenshot: Screen Shot 2021-06-16 at 10.02.53 AM.png)

                  Client:

                  (screenshot: Screen Shot 2021-06-16 at 10.06.08 AM.png)

                  There is no problem pinging the remote and local networks from both server and client. The problem only exists when I try to ping the client network from my desktop. For your information, our whole infrastructure is on AWS. We're using pfSense Plus for AWS version 21.02.2.

                  • V
                    viragomann @svpnv
                    last edited by

                    @svpnv
                    These screens absolutely mismatch the OpenVPN status you've posted above!
                    The status shows 192.168.171.1/2 as the client's and server's virtual IPs. Neither of these exists in the routing tables.
                    So what??

                    Without knowing your true vpn configuration there is no way to give any help.

                    • S
                      svpnv @viragomann
                      last edited by

                      @viragomann I changed the tunnel network from 192.168.171.0/30 to 172.16.100.0/30 yesterday, after I posted the config. That's the reason for the mismatch. It's the true configuration.

                      • S
                        svpnv @svpnv
                        last edited by

                        Thanks to viragomann, the problem is solved. The problem is that the default gateway for devices in the client LAN is not pfSense, so we need to set up a NAT mapping as a workaround. Really appreciate the help @viragomann!

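The routing requirements argued over in this thread, as an added illustration that is not from the thread or from pfSense: given each site's Tunnel/Local/Remote network fields, the script reports which networks a site has no route for, reproducing the missing access-server tunnel (172.16.0.0/24) viragomann pointed out and the asymmetric-gateway problem behind the final NAT workaround. The dict layout, function names and the `client_lan_gateway_is_pfsense` flag are my own assumptions; the addresses are the ones posted above.

```python
from ipaddress import ip_network


def _covered(net, advertised):
    """True if `net` falls inside any CIDR in `advertised` (equal networks count)."""
    target = ip_network(net)
    return any(target.subnet_of(ip_network(a)) for a in advertised)


def check_s2s_routes(server, client, access_tunnel, client_lan_gateway_is_pfsense=True):
    """Report networks a site cannot reach with the given site-to-site settings.

    `server` and `client` are dicts with "tunnel" (CIDR string), "local" and
    "remote" (lists of CIDR strings), mirroring the pfSense OpenVPN fields.
    `access_tunnel` is the tunnel network of the remote-access VPN that ends on
    the server site; its roaming clients need a return route from the client
    site. Returns a list of findings; an empty list means nothing is missing.
    """
    findings = []

    # Both ends must agree on the tunnel network, or the peer IPs will not match.
    if ip_network(server["tunnel"]) != ip_network(client["tunnel"]):
        findings.append(f"tunnel mismatch: server {server['tunnel']} vs client {client['tunnel']}")

    # The server must route the client LAN into the tunnel ("Remote network(s)").
    for net in client["local"]:
        if not _covered(net, server["remote"]):
            findings.append(f"server: add {net} to Remote network(s)")

    # The client must route the server LAN *and* the access-VPN tunnel network;
    # without the latter, replies to roaming VPN users never enter the tunnel.
    for net in server["local"] + [access_tunnel]:
        if not _covered(net, client["remote"]):
            findings.append(f"client: add {net} to Remote network(s)")

    # Routes on pfSense only help if client-LAN hosts send their replies through it.
    if not client_lan_gateway_is_pfsense:
        findings.append("client LAN: default gateway is not pfSense; replies bypass "
                        "the tunnel, so use outbound NAT on the OpenVPN interface "
                        "or route the remote networks via pfSense on that gateway")
    return findings


if __name__ == "__main__":
    # Values as posted in the thread (before the tunnel network was changed).
    server = {"tunnel": "192.168.171.0/30", "local": ["10.100.0.0/16"], "remote": ["10.199.0.0/16"]}
    client = {"tunnel": "192.168.171.0/30", "local": ["10.199.0.0/16"], "remote": ["10.100.0.0/16"]}
    for finding in check_s2s_routes(server, client, "172.16.0.0/24"):
        print(finding)
```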
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.