I've got some troubles setting up my site-to site vpn based on PKI auth. The tunnel building stuff works fine so far but i'm having some routing (or firewalling troubles) on the pfsense box (i guess).
On Box B (Linux; see attached picture) I can ping hosts of net A e.g. host a1. So far so good, but b1 can not ping A or a1.
I traced the the packages a little bit and found out that they reach tun0 on A (pfsense box) but not vr1.
Of course remote network is set to 192.168.0.0/24 and local network to 192.168.0.0/24 on A - the pfsense box.
Any Ideas what/were the Problem would be in that case?
GruensFroeschli last edited by
Dont use a PKI for site-to-site.
It makes everything unnecessarily more complicated.
Search the forum for OpenVPN site-to-site since i described the steps needed multiple times.
Well as suggested I did a search for the sting 'site-to-site'.
However i was not able to find any useful topics that contain a solution for my problem:
May this was not the magical keyword to search for :(
Also I read the howto on openvpn.org but again I did not find anything helpful - the site only contains a setup example for PKI a site-to-site conf.
Additionally I changed from PKI to PSK which did not really help (read nothing); the only difference is that the routes do not get pushed any more to client lan (Server B) which is not really a problem for me as I can add the manually (on B) but this enables just the Server B to reach e.g. a1 and still not B's clients.
As described in my fist posting I think that the problem is located on Server A - the pfsense box as the icmp echos reach tun0 but do not get forwarded/routed to vr1. According to the pfsnese log none of this packets got blocked, a route exists.
Also e.g a1 can not ping b1 although there is a route to 192.168.2.0/24 -> 172.16.0.2 on A (the icmp packets never reach tun0 on A), but A itself can ping b1||B.
The route on A to the B LAN:
192.168.2 172.16.0.2 UGS 0 1572 tun1
Additional information on B's config etc: http://phpfi.com/373176
So in any case the packets hang on the pfsense box somewhere between vr1 and tun0.
Ok this was a tricky one:
I was doing a migration from ipsec to openvpn (bc/ ipsec does not support site-to-site where B as has a dynamic IP) and i still had my ipsec config activated - so this somewhat confused pfsense.
I disabled the tunnels in question on the ipsec page and my openvpn started working!