Netgate Discussion Forum

    Site to Site VPN Tunnel not working correctly

    IPsec
    itadmin

      Hi Everyone,
        I am configuring a site-to-site VPN tunnel between pfSense and a Juniper NetScreen. The link appears to be up but I can't ping the other side of the tunnel. Is there anything I am missing besides turning on IPsec and adding the tunnel, as I have already done? Below is a rough sketch of what I am trying to accomplish. Maybe I am missing some routing step or something of that nature. I am not sure where I am failing. This is my first attempt at a tunnel as well.

      Main                                                    Branch

      Inside IP -------- Firewall -------- internet -------- firewall -------- router -------- Wanted VLAN
      10.0.0.0/24        static                              static           172.16.100.0/24  172.16.101.0/24

      GruensFroeschli

        You have to create firewall-rules that allow traffic.
        Per default everything is blocked.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        itadmin

          I have an IPsec rule saying permit any any; I thought that's all I needed?

          psylo

            What are the configured traffic endpoints?
            10.0.0.0/24 for one side and 172.16.101.0/24 for the other side, I suppose.

            Next, have you added a route (in the Branch pfSense) mentioning that the 172.16.101.0/24 network is behind the router?

            Last, you can run a tcpdump on the branch pfSense to see if packets are going through it...

            Hope this helps.

            itadmin

              Hi,
                The main office has the local LAN of 10.0.0.0/24 and the branch office is using a local LAN of 172.16.101.0/24. Both WANs have static IPs. The main office is using the pfSense firewall and the branch office is using a Juniper NetScreen. I went through the IPsec tunnel creation page and also set up a rule in the IPsec section that allowed all. I thought that's all I had to do. On the Juniper it appears that it's receiving keep-alives but not responding.
                Do you believe that I need to configure routes on my pfSense as well? The fact that the keep-alive from the main office local LAN IP of 10.0.0.3 was showing up in the Juniper log at the branch office made me assume it was working from the pfSense side.

              psylo

                @itadmin:

                Hi,
                  The main office has the local LAN of 10.0.0.0/24 and the branch office is using a local LAN of 172.16.101.0/24. Both WANs have static IPs. The main office is using the pfSense firewall and the branch office is using a Juniper NetScreen. I went through the IPsec tunnel creation page and also set up a rule in the IPsec section that allowed all. I thought that's all I had to do. On the Juniper it appears that it's receiving keep-alives but not responding.
                  Do you believe that I need to configure routes on my pfSense as well? The fact that the keep-alive from the main office local LAN IP of 10.0.0.3 was showing up in the Juniper log at the branch office made me assume it was working from the pfSense side.

                I did not say you need to configure a route in your pfSense but in the branch firewall. As you never mentioned it was a Juniper, I supposed it was a pfSense.

                By the way, if I've understood your first scheme, you want to access the LAN which is behind the router.

                Have you a rule on your Juniper permitting this traffic?
                What is the routing table of the Juniper?
                What is the routing table of the router?
                What is the default gateway of the desktops which are in the LAN 172.16.101.0/24?

                psylo

                  @itadmin:

                  Hi,
                    I decided to try a tunnel to the 172.16.100.x network for the time being, just so I can see if I can get that one up first without having to go behind the router.
                    When I ping from inside the Juniper firewall I can get across. But the router behind the firewall can't seem to make it. Also, from the main office over to the branch nothing happens. I will post my Juniper config below. I assumed for some reason that if my firewall with a 172.16.100.254 address can ping across then the router on 172.16.100.1 should be able to as well?

                  Unfortunately, I don't know Juniper firewalls, but I suppose that a successful ping from the LAN interface does not mean that someone on the LAN can ping through the Juniper... It's necessary to check how the Juniper manages packets: do the packets go through the NAT first, then the VPN, and so on... Do you see what I mean?

                  Last but not least, I suppose that the Juniper is the default gateway for your Branch LAN? If not, you'll have to add a route on this default gateway telling that the Main Office LAN is behind the Juniper...

                  Hope this helps.

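The three replies above from psylo come down to two checks: the ping has to fall inside a Phase 2 traffic selector on both firewalls (a packet that matches no selector is not encrypted and simply leaves through the default route, which is why a tunnel can look "up" while nothing crosses it), and the reply from a host behind the branch router has to be routed back to the Juniper. The script below is an added example written for this editorial pass, not code from the thread, pfSense or Juniper. It models those two checks over constructed data: the 10.0.0.0/24, 172.16.100.0/24 and 172.16.101.0/24 subnets, the 10.0.0.3 source and the 172.16.100.254 / 172.16.100.1 addresses come from the thread; the host 172.16.101.10, the Phase 2 lists and the branch router's routing table are assumptions for illustration.

```python
"""
Checks for a site-to-site IPsec flow, using constructed data modelled on the
subnets in this thread (example code, not from pfSense or Juniper).

A LAN host on one side can reach a LAN host on the other only if
 (1) the packet is inside a Phase 2 selector on BOTH firewalls, and
 (2) the reply is routed back to the VPN gateway, which matters when the
     destination VLAN sits behind a separate router.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Selector = Tuple[str, str]  # (local subnet, remote subnet) as that firewall sees it
Route = Tuple[str, str]     # (prefix, next hop); "connected" for a directly attached net

# Hypothetical Phase 2 as set up after the retry described in the thread: the
# main office tunnels to the branch firewall's own LAN, not to the VLAN behind
# the router.
P2_MAIN: List[Selector] = [("10.0.0.0/24", "172.16.100.0/24")]
P2_BRANCH: List[Selector] = [("172.16.100.0/24", "10.0.0.0/24")]

# Same tunnel with a second Phase 2 pair covering the VLAN behind the branch router.
P2_MAIN_FIXED: List[Selector] = P2_MAIN + [("10.0.0.0/24", "172.16.101.0/24")]
P2_BRANCH_FIXED: List[Selector] = P2_BRANCH + [("172.16.101.0/24", "10.0.0.0/24")]

# Assumed routing table of the branch router (172.16.100.1): its default route
# points at the Juniper LAN address 172.16.100.254, so replies to 10.0.0.0/24
# end up at the VPN gateway.
BRANCH_ROUTER_ROUTES: List[Route] = [
    ("172.16.100.0/24", "connected"),
    ("172.16.101.0/24", "connected"),
    ("0.0.0.0/0", "172.16.100.254"),
]
JUNIPER_LAN_IP = "172.16.100.254"


def phase2_match(src_ip: str, dst_ip: str, phase2: List[Selector]) -> Optional[Selector]:
    """Return the selector covering src_ip -> dst_ip, or None.

    A packet enters the tunnel only when src is inside the local subnet AND
    dst is inside the remote subnet of the same Phase 2 entry."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for local, remote in phase2:
        if src in ipaddress.ip_network(local) and dst in ipaddress.ip_network(remote):
            return (local, remote)
    return None


def lookup_route(dst_ip: str, routes: List[Route]) -> Optional[str]:
    """Longest-prefix-match next hop for dst_ip, or None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[int, str]] = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop)
    return None if best is None else best[1]


def diagnose(src_ip: str, dst_ip: str, p2_main: List[Selector], p2_branch: List[Selector],
             branch_gw_routes: List[Route], vpn_gw_ip: str) -> Dict[str, object]:
    """Forward selector check, reverse selector check on the far firewall, and a
    route lookup for the reply on the branch-side gateway (the router)."""
    forward = phase2_match(src_ip, dst_ip, p2_main)
    reverse = phase2_match(dst_ip, src_ip, p2_branch)  # reply direction: local/remote swap
    reply_next_hop = lookup_route(src_ip, branch_gw_routes)
    return {
        "forward_selector": forward,
        "reverse_selector": reverse,
        "reply_next_hop": reply_next_hop,
        "ok": forward is not None and reverse is not None and reply_next_hop == vpn_gw_ip,
    }


if __name__ == "__main__":
    # Ping from the main office host 10.0.0.3 to the branch router, then to a VLAN host.
    for dst in ("172.16.100.1", "172.16.101.10"):
        print(dst, diagnose("10.0.0.3", dst, P2_MAIN, P2_BRANCH,
                            BRANCH_ROUTER_ROUTES, JUNIPER_LAN_IP))
    print("fixed", diagnose("10.0.0.3", "172.16.101.10", P2_MAIN_FIXED, P2_BRANCH_FIXED,
                            BRANCH_ROUTER_ROUTES, JUNIPER_LAN_IP))
```

With the original single Phase 2 pair the ping to 172.16.100.1 is selected on both sides, while the ping to 172.16.101.10 is not selected at all on the main-office firewall, so it never enters the tunnel; adding the second pair on both firewalls fixes that, and the reply still depends on the branch router sending 10.0.0.0/24 traffic to the Juniper. On pfSense the live equivalents are the SPD listing under Status > IPsec and `tcpdump -ni enc0`, which only shows packets that were actually matched by a Phase 2 and encrypted or decrypted.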
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.