Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OPENVPN SITE-TO-SITE Tunel does not connect

    Scheduled Pinned Locked Moved OpenVPN
    6 Posts 4 Posters 714 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      PedroBelliato
      last edited by

      Good afternoon guys, I have the following scenario:

      company A - LAN 192.168.0.0/24

      company B - LAN 192.168.20.0/24

      Tunnel OPENVPN 172.16.0.0/30

      Port: 1194 released on Wan, and configured protocol release in openvpn rules.

      However, when trying to close the tunnel I am getting the following MSG in the log

      company A OPENVPN server:
      0_1541207906626_d027638f-54c4-4a3c-8ee0-5456b3787e3a-image.png

      Server log:
      0_1541207933711_cac726cd-3b39-4a1c-935b-bf19cbfccfaa-image.png

      Client -
      0_1541207965955_9d4a957e-ac49-41e4-9fe2-0b836f01da60-image.png

      1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        It looks like you have a tunnel subnet mismatch. The server seems to be expecting 172.16.0.0-172.16.0.1 andf the client 172.16.0.1-172.16.0.2. The client side seems correct. Hard to say quite how that might have been configured.
        Are both sides set as p2p shared key?

        Both as subnet rather than net/30? (You can only choose subnet in p2p shared-key).

        Can we see screenshots of the config on both sides?

        Steve

        1 Reply Last reply Reply Quote 0
        • M
          marvosa
          last edited by marvosa

          A couple of things:

          • Give us the whole picture. It's evident that Company A's config is not from PFsense, so please provide more clarity on the two networks, what the edge devices are, etc

          • You've stated that Company A is the server, but it looks like the client to me. Post the config from Company B (server1.conf).

          • On Company A's config, the ifconfig line is wrong. 172.16.0.0 is a network address and shouldn't be in there. That line should read:

          ifconfig {IP_of_Local_VPN_Endpoint} {IP_of_Remote_VPN_Endpoint}
          
          1 Reply Last reply Reply Quote 0
          • P
            PedroBelliato
            last edited by

            Good night, I thank you for the help comments, I was able to solve the problem, in fact as it is a pfsense implementation from scratch, I was using version 2.4.4 that caused an incompatibility with firewall A, so I went back to the version 2.3.5 and the problem was resolved.

            1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by stephenw10

              Hmm, interesting. It should be backwards compatible. You should be able to get whatever is at firewall A to connect to 2.4.4 if it can connect to 2.3.5.
              2.3.X is EoL now. There will no longer be security updates for it.

              Steve

              1 Reply Last reply Reply Quote 1
              • RicoR
                Rico LAYER 8 Rebel Alliance
                last edited by

                packet HMAC authentication failed is very often just down to wrong TLS Configuration or wrong key / key direction.
                Going just back to some old Version like 2.3.5 is a very bad idea.

                -Rico

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.