Site-to-site OpenVPN using PKI not working properly.



  • Hello all you good people 8)

    I tried to set up a site to site PKI OpenVPN between 2 sites.
    I followed the sticky 'Site-To-Site OpenVPN using PKI (something of a howto)'
    http://forum.pfsense.org/index.php?topic=12888.0

    I can get from the client to the server, but not from the server to the client.
    From what I read in the sticky, I understand you should be able to go both ways.

    I did add the routes in the 'Custom Options' field, and the routes seem correct; traffic destined for the remote LAN is routed to the VPN.
    10.0.2.0/24 is the remote LAN and 10.0.3.0/24 is the VPN address pool.

    10.0.2.0/24    10.10.3.2  UGS  0 0 1500 tun0
    10.10.3.2      10.10.3.1  UH   1 0 1500 tun0

    And… When I ping from the client LAN to the server LAN, I do get a response, so that response is going through the VPN... It just seems connections initiated from the server site do not get through.

    As soon as I change from using PKI to Shared Key, and enter the server's network as the 'Remote Network' on the client (the 'remote network' field is greyed out when using PKI), it works fine. I can pass traffic both ways.

    Am I incorrect in thinking that traffic should be bi-directional for a PKI OpenVPN?

    If anyone has come across this, please let me know.
    Thanks to all and Merry Christmas



  • What are your firewall rules on the LAN tab? (screenshot?)
    Do you use multiWAN?



  • Hey buddy,
    Thanks for your interest…

    I guess it actually is using multiWAN...
    This is a lab environment, I got the opt1 port of the server connected directly (with a crossover cable) to the WAN port of the client.
    So the fact that you asked me about multiWAN makes me think...

    See the screenshot, it's an Any/any/any... rule, and that's the same for the client LAN / WAN and the server opt1.
    And remember, I can go both directions when I change the authentication method to 'Shared Key'...

    See the screenshots of the route tables, they are the same except they use different IPs from the VPN address pool (but I'm thinking that's normal).

    And when I try ping (both directions), the 'use' number for the routes goes up.

    So it seems the main thing is that when I use 'shared key', I am able to specify the 'Remote Network' on the client...

    Thanks for your help.
    Peace Out.



  • Hello Izinyoka,

    I wrote up the howto, and the setup definitely allows for pinging machines on the server network from the client network.

    I'm having a little trouble understanding your network setup, though. Could you post a little ascii diagram of the network setup?

    If you're still playing around with this, I'd be happy to answer some questions based on my current setup (though I don't really have any special expertise solving problems over forums).

    -ffh->



  • Hey Franky

    I tested this again on 1.2.2 over a wan link and it works just fine, so sorry about all this.
    Your how-to is spot on, top class!
    Cheers
