    Open VPN clients unable to connect to IPSec site-to-site resources

viragomann @kwriley87

      @kwriley87 said in Open VPN clients unable to connect to IPSec site-to-site resources:

      From Site A:
      Mode: Tunnel
      Local Subnet: 192.168.200.0/24 (OVPN Subnet)
      Remote Subnet: 192.168.5.0/24 (Site B)
      From Site B:
      Mode: Tunnel
      Local Subnet: 192.168.200.0/24 (OVPN Subnet)
      Remote Subnet: 192.168.1.0/23 (Site A)

      Site B seems not to be correct.
      Use the same networks as on A and simply exchange local and remote.

kwriley87 @viragomann

        @viragomann said in Open VPN clients unable to connect to IPSec site-to-site resources:

        From Site B:
        Mode: Tunnel
        Local Subnet: 192.168.200.0/24 (OVPN Subnet)
        Remote Subnet: 192.168.1.0/23 (Site A)

        So Site B should be configured as?

        From Site B:
        Mode: Tunnel
        Local Subnet: 192.168.1.0/23 (Site A)
        Remote Subnet: 192.168.200.0/24 (OVPN Subnet)

viragomann @kwriley87

          @kwriley87
No, the P2 has to use the same networks on both sites, but exchange local and remote.

Local: 192.168.5.0/24 (site B)
Remote: 192.168.200.0/24 (OVPN Subnet)

kwriley87 @viragomann

            @viragomann Thank you. I've modified our additional phase 2 settings on both Site A and Site B:

            From Site A:
            Mode: Tunnel
            Local Subnet: 192.168.200.0/24 (OVPN Subnet)
            Remote Subnet: 192.168.5.0/24 (Site B)

            From Site B:
            Mode: Tunnel
            Local Subnet: 192.168.5.0/24 (site B)
            Remote Subnet: 192.168.200.0/24 (OVPN Subnet)

            However, we are still unable to ping Site B from an OVPN client.

Performing a traceroute from an OVPN client to 192.168.5.1 (Site B pfSense) shows the following:

            C:\Users\Administrator>tracert 192.168.5.1

            Tracing route to 192.168.5.1 over a maximum of 30 hops

            1 58 ms 60 ms 55 ms 192.168.200.1
            2 * * * Request timed out.
            3 * * * Request timed out.

            Is there anything else you can think of that I need to be checking for?

            Thank you for your help.

viragomann @kwriley87

              @kwriley87
              Should work from the point of routing.
              Ensure that you have firewall rules in place on all involved interfaces which allow the access.
Also ensure that the destination device allows the access.

kwriley87 @viragomann

@viragomann Which firewall rules, specifically, do I need? Apologies if this is something basic I'm not understanding.

viragomann @kwriley87

                  @kwriley87
                  Yeah, firewalling seems basic, as you're running already different VPN instances on pfSense.

On the OpenVPN tab at A and on the IPSec tab at B you need proper rules to allow access from the VPN tunnel network.

kwriley87 @viragomann

                    @viragomann

                    The OpenVPN tab on Site A looks to already have the rules in place to allow all traffic, unless I'm missing something:
                    https://pasteboard.co/KfgHjhE.png

                    And from Site B, the IPSec tab:
                    https://pasteboard.co/KfgHCUJ.png

viragomann @kwriley87

                      @kwriley87
Should actually work with these settings.
                      Ensure that the destination device does not block the access.

To troubleshoot, sniff the packets on the involved interfaces while you ping from an OpenVPN client. If the firewalls are well configured, you should see them on A's OpenVPN and IPSec interface and on B's IPSec and LAN.

kwriley87 @viragomann

                        @viragomann

                        I'm testing by pinging Site B firewall from OVPN client.

                        I see the ICMP traffic on A's OVPN interface:
                        12:41:08.215283 IP 192.168.200.2 > 192.168.5.1: ICMP echo request, id 13, seq 63781, length 40

                        But I see no ICMP traffic on A's IPSec interface.
                        From B, I see no ICMP traffic on either the IPSec interface, nor the LAN interface as well.

I have to say, I'm stumped. I have added the proper rules to allow all traffic on the site A OVPN tab and the site B IPSec tab, as the screenshots in my previous post show.

Clearly, something is wrong here, but I really don't know what it could be at this point.

viragomann @kwriley87

                          @kwriley87
                          Do you see the correct IPSec tunnels in Status > IPsec > SPDs on both sites?

The settings seem to be correct.

                          Maybe a reboot helps to get it up.

kwriley87 @viragomann

                            @viragomann I see the IPSec tunnel active on both ends and can ping back and forth between sites so that appears to be functional.

                            I'm just unable to ping to site B from OVPN clients.

I guess I'll schedule a reboot of both firewalls after hours and see if that does the trick. Thank you for your help.

viragomann @kwriley87

                              @kwriley87 said in Open VPN clients unable to connect to IPSec site-to-site resources:

                              I see the IPSec tunnel active on both ends and can ping back and forth between sites so that appears to be functional.

There must be two tunnels. One for the LANs and one for the OpenVPN and site B's LAN.

                              And also in Status > IPsec > Overview both have to be displayed as connected.

kwriley87 @viragomann

                                @viragomann I believe I have this set up how it should be but if I'm doing it wrong please let me know. Apologies for such a long thread here.

                                Site A IPSec Setup:
                                https://pasteboard.co/KfhoLyz.png

                                Site B IPSec Setup:
                                https://pasteboard.co/Kfhp2BV.png

                                IPSec Status Site A:
                                https://pasteboard.co/Kfhpo2r.png

                                IPSec Status Site B:
                                https://pasteboard.co/KfhpOnf.png

viragomann @kwriley87

                                  @kwriley87
                                  The status screens don't show any tunnel.
                                  Press this button to display them:

kwriley87 @viragomann

@viragomann My apologies, I'm only seeing the tunnel connecting the LANs together.

                                    Site A:
                                    https://pasteboard.co/KfhF6zJ.png

                                    Site B:
                                    https://pasteboard.co/KfhFuMv.png

                                    To be clear, if I look at my IPSec tunnels on Site A, there is only 1 Phase 1 tunnel set up, but 2 Phase 2 tunnels (one for Site A LAN to Site B LAN and one for OVPN LAN to Site B LAN):
                                    https://pasteboard.co/KfhG7AH.png

                                    Does that look right?

viragomann @kwriley87

                                      @kwriley87 said in Open VPN clients unable to connect to IPSec site-to-site resources:

                                      To be clear, if I look at my IPSec tunnels on Site A, there is only 1 Phase 1 tunnel set up, but 2 Phase 2 tunnels (one for Site A LAN to Site B LAN and one for OVPN LAN to Site B LAN):
                                      https://pasteboard.co/KfhG7AH.png

                                      Yes, this is ok. And at B you should have the same, but with inverted networks.

                                      The tunnel might go down if it's idle. You have to initiate traffic to get it up.
                                      If not, check the IPSec log for hints.
