    I've got some trouble setting up my site-to-site VPN based on PKI auth. The tunnel-building part works fine so far, but I'm having some routing (or firewalling) trouble on the pfSense box (I guess).

    On Box B (Linux; see attached picture) I can ping hosts of net A, e.g. host a1. So far so good, but b1 cannot ping A or a1.

    I traced the packets a little bit and found out that they reach tun0 on A (the pfSense box) but not vr1.

    Of course remote network is set to and local network to on A, the pfSense box.

    Any ideas what/where the problem would be in that case?


  • Don't use a PKI for site-to-site.
    It makes everything unnecessarily complicated.

    Search the forum for OpenVPN site-to-site, since I have described the steps needed multiple times.

  • Well, as suggested I did a search for the string 'site-to-site'.

    Maybe this was not the magical keyword to search for :(

    Also I read the howto on but again I did not find anything helpful; the site only contains a setup example for a PKI site-to-site config.

    Additionally, I changed from PKI to PSK, which did not really help (read: nothing); the only difference is that the routes do not get pushed any more to the client LAN (Server B), which is not really a problem for me as I can add them manually (on B), but this only enables Server B to reach e.g. a1 and still not B's clients.

    As described in my first posting, I think that the problem is located on Server A, the pfSense box, as the ICMP echoes reach tun0 but do not get forwarded/routed to vr1. According to the pfSense log none of these packets got blocked, and a route exists.

    Also, e.g. a1 cannot ping b1 although there is a route to -> on A (the ICMP packets never reach tun0 on A), but A itself can ping b1 or B.

    The route on A to the B LAN:
    192.168.2        UGS        0    1572  tun1

    Additional information on B's config etc:

    So in any case the packets hang on the pfsense box somewhere between vr1 and tun0.

  • OK, this was a tricky one:

    I was doing a migration from IPsec to OpenVPN (because IPsec does not support site-to-site where B has a dynamic IP) and I still had my IPsec config activated, so this somewhat confused pfSense.

    I disabled the tunnels in question on the IPsec page and my OpenVPN started working!
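The failure mode in the thread above is easy to miss because the routing table looks right: on FreeBSD (and therefore pfSense) an outbound packet that matches an active IPsec security policy (SPD entry) is handed to IPsec before the normal route lookup, so a leftover phase 2 for the same LAN pair silently swallows traffic that the OpenVPN route on tun1 should carry. As an added example, not code from the thread or from pfSense, here is a small Python check that parses text in the shape of `netstat -rn` and `setkey -DP` output and reports any outbound IPsec policy overlapping the remote LAN that the OpenVPN route points at. The addresses, interface names and both sample outputs are constructed, and the exact output layout is assumed to match FreeBSD's; run the two commands on the box and feed their real output to `diagnose()`.

```python
"""Check whether an OpenVPN site-to-site route on a FreeBSD/pfSense box is
shadowed by a still-active IPsec security policy (SPD entry).

Added example, not from the forum thread. It parses constructed sample text in
the shape of `netstat -rn` and `setkey -DP` output; addresses, interface names
and the exact output layout are assumptions for illustration.
"""
import ipaddress
import re

# Constructed sample of `netstat -rn` (IPv4 section) on the pfSense box "A".
# The remote LAN 192.168.2.0/24 is routed over the OpenVPN interface tun1.
NETSTAT_RN = """\
Routing tables
Destination        Gateway            Flags     Refs     Use  Netif Expire
default            203.0.113.1        UGS         0    9812    vr0
127.0.0.1          link#3             UH          0     122    lo0
192.168.1.0/24     link#2             U           0    4410    vr1
192.168.2.0/24     10.8.0.2           UGS         0    1572   tun1
"""

# Constructed sample of `setkey -DP` showing a leftover IPsec policy for the
# same LAN pair: the kind of stale phase 2 that shadows the OpenVPN route.
SETKEY_DP = """\
192.168.1.0/24[any] 192.168.2.0/24[any] any
    out ipsec
    esp/tunnel/203.0.113.5-198.51.100.7/unique:16385
    spid=1 seq=1 pid=4321
    refcnt=1
192.168.2.0/24[any] 192.168.1.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.7-203.0.113.5/unique:16386
    spid=2 seq=0 pid=4321
    refcnt=1
"""

IFACE_RE = re.compile(r"^[a-z]+\d+$")


def _to_network(token):
    """Turn a netstat/setkey destination token into an ip_network.
    Handles 'default', CIDR, plain host addresses and the classful short
    form netstat prints (e.g. '192.168.2' for 192.168.2.0/24)."""
    if token == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    token = token.split("[", 1)[0]          # strip setkey's "[any]" port part
    if "/" in token or ":" in token:
        return ipaddress.ip_network(token, strict=False)
    octets = token.split(".")
    if len(octets) < 4:                     # classful short form
        prefix = 8 * len(octets)
        token = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{token}/{prefix}", strict=False)
    return ipaddress.ip_network(token + "/32")


def parse_routes(netstat_text):
    """Parse `netstat -rn` lines into (destination network, interface) pairs."""
    routes = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "Destination":
            continue                        # blank, header or section lines
        netif = next((f for f in fields[3:] if IFACE_RE.match(f)), None)
        if netif is None:
            continue
        try:
            routes.append((_to_network(fields[0]), netif))
        except ValueError:                  # e.g. scoped IPv6 link-locals
            continue
    return routes


def parse_spd(setkey_text):
    """Parse `setkey -DP` output into (src, dst, direction, action) tuples."""
    policies = []
    selector = None
    for line in setkey_text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():           # selector line: "src dst proto"
            src, dst = line.split()[:2]
            selector = (_to_network(src), _to_network(dst))
        elif selector is not None:
            words = line.split()            # e.g. "out ipsec" / "in none"
            if words[0] in ("in", "out", "fwd") and len(words) >= 2:
                policies.append((selector[0], selector[1], words[0], words[1]))
                selector = None
    return policies


def route_for(routes, address):
    """Longest-prefix match for one address, like the kernel's route lookup."""
    addr = ipaddress.ip_address(address)
    hits = [(net, netif) for net, netif in routes
            if net.version == addr.version and addr in net]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def diagnose(netstat_text, setkey_text, remote_lan):
    """Report the interface the route to remote_lan uses and every outbound
    IPsec policy whose destination overlaps it (traffic matching one of those
    is handed to IPsec before the route is consulted)."""
    remote = ipaddress.ip_network(remote_lan, strict=False)
    hit = route_for(parse_routes(netstat_text), str(remote.network_address + 1))
    conflicts = [p for p in parse_spd(setkey_text)
                 if p[2] == "out" and p[3] == "ipsec" and p[1].overlaps(remote)]
    return {
        "route_netif": hit[1] if hit else None,
        "conflicts": [(str(s), str(d)) for s, d, _, _ in conflicts],
    }


if __name__ == "__main__":
    report = diagnose(NETSTAT_RN, SETKEY_DP, "192.168.2.0/24")
    print(f"route to 192.168.2.0/24 goes via {report['route_netif']}")
    for src, dst in report["conflicts"]:
        print(f"shadowed by outbound IPsec policy {src} -> {dst}")
    if not report["conflicts"]:
        print("no outbound IPsec policy overlaps the OpenVPN remote network")
```

With the constructed input the report names tun1 as the routed interface and flags the 192.168.1.0/24 -> 192.168.2.0/24 outbound policy as the conflict, which is exactly the situation the thread ends with: a correct route that never gets used. Once the stale phase 2 is disabled (or `setkey -FP` has flushed the policies), the conflicts list is empty.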

