Open VPN clients unable to connect to IPSec site-to-site resources
-
@kwriley87
Should work from the point of routing.
Ensure that you have firewall rules in place on all involved interfaces which allow the access.
Also ensure that the destination device allow the access. -
@viragomann Which firewall rules, specifically do I need? Apologies if this is something basic I'm not understanding.
-
@kwriley87
Yeah, firewalling seems basic, as you're running already different VPN instances on pfSense.On the the OpenVPN tab you at A and on the IPSec tab at B you need proper rules to allow access from the VPN tunnel network.
-
The OpenVPN tab on Site A looks to already have the rules in place to allow all traffic, unless I'm missing something:
https://pasteboard.co/KfgHjhE.pngAnd from Site B, the IPSec tab:
https://pasteboard.co/KfgHCUJ.png -
@kwriley87
Should actually work with these settigs.
Ensure that the destination device does not block the access.To troubleshoot sniff the packets on the involved interfaces while you ping from an OpenVPN client. If the firewalls are well configured, you should see them on A's OpenVPN and IPSec interface and on B's IPSec and LAN.
-
I'm testing by pinging Site B firewall from OVPN client.
I see the ICMP traffic on A's OVPN interface:
12:41:08.215283 IP 192.168.200.2 > 192.168.5.1: ICMP echo request, id 13, seq 63781, length 40But I see no ICMP traffic on A's IPSec interface.
From B, I see no ICMP traffic on either the IPSec interface, nor the LAN interface as well.I have to say, I'm stumped.. I have added the proper rules to allow all traffic on site A OVPN tab and site B IPSec tab as my screenshots in my previous posting shows.
Clearly, something is wrong here but I really don't know what it could be at this point..
-
@kwriley87
Do you see the correct IPSec tunnels in Status > IPsec > SPDs on both sites?The settigns seems to be correct.
Maybe a reboot helps to get it up.
-
@viragomann I see the IPSec tunnel active on both ends and can ping back and forth between sites so that appears to be functional.
I'm just unable to ping to site B from OVPN clients.
I guess I'll schedule a reboot of both firewalls afterhours and see if that does the trick.. Thank you for your help.
-
@kwriley87 said in Open VPN clients unable to connect to IPSec site-to-site resources:
I see the IPSec tunnel active on both ends and can ping back and forth between sites so that appears to be functional.
There must be to tunnels. One for the LANs and one for the OpenVPN and site B' LAN.
And also in Status > IPsec > Overview both have to be displayed as connected.
-
@viragomann I believe I have this set up how it should be but if I'm doing it wrong please let me know. Apologies for such a long thread here.
Site A IPSec Setup:
https://pasteboard.co/KfhoLyz.pngSite B IPSec Setup:
https://pasteboard.co/Kfhp2BV.pngIPSec Status Site A:
https://pasteboard.co/Kfhpo2r.pngIPSec Status Site B:
https://pasteboard.co/KfhpOnf.png -
@kwriley87
The status screens don't show any tunnel.
Press this button to display them:
-
@viragomann My apologies, I'm only seeing the tunnel connecting the LANs together..
Site A:
https://pasteboard.co/KfhF6zJ.pngSite B:
https://pasteboard.co/KfhFuMv.pngTo be clear, if I look at my IPSec tunnels on Site A, there is only 1 Phase 1 tunnel set up, but 2 Phase 2 tunnels (one for Site A LAN to Site B LAN and one for OVPN LAN to Site B LAN):
https://pasteboard.co/KfhG7AH.pngDoes that look right?
-
@kwriley87 said in Open VPN clients unable to connect to IPSec site-to-site resources:
To be clear, if I look at my IPSec tunnels on Site A, there is only 1 Phase 1 tunnel set up, but 2 Phase 2 tunnels (one for Site A LAN to Site B LAN and one for OVPN LAN to Site B LAN):
https://pasteboard.co/KfhG7AH.pngYes, this is ok. And at B you should have the same, but with inverted networks.
The tunnel might go down if it's idle. You have to initiate traffic to get it up.
If not, check the IPSec log for hints.