Access printer from foreign network over IPSEC (multiple locations)

conor · May 29, 2019, 9:32 AM

@bashuis said in Access printer from foreign network over IPSEC (multiple locations):

now i get een reply back:
11:27:44.554463 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 3382, length 36
11:27:44.554492 IP 10.130.76.136 > 172.16.0.26: ICMP echo reply, id 250, seq 3382, length 36
so the connection from pfsense01(LAN2) to the custommer is ok.

Good now you need to add a P2 entry to your IPSEC on both sides for the 172 network so they know how to talk to each other good explaination here: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-with-multiple-subnets.html

bashuis · May 29, 2019, 9:34 AM

should that like this?

pfsense01
172.16.0.0/24(local) --> 192.168.41.0/24(remote)

pfsense03
192.168.41.0/24(local) --> 172.16.0.0/24(remote)

conor · May 29, 2019, 9:35 AM

yes

bashuis · May 29, 2019, 9:43 AM

@conor
OK, i created the P2.
it is not UP, but that could be because there is no traffic going over it..

several other P2's over the samen P1 are online..

location 1 (pfsense01):

location 2 (pfsense02):

Should i disconnect and reconnect the whole IPSEC connection?

conor · May 29, 2019, 9:44 AM

on pfsense 02 for the sake of testing goto Firewall > Rules > IPSEC
add an allow all rule for this interface, you can fine tune it later this is just for testing

conor · May 29, 2019, 9:45 AM

@bashuis said in Access printer from foreign network over IPSEC (multiple locations):

Should i disconnect and reconnect the whole IPSEC connection?

if the down time isn't going to bother you probably best.

bashuis · May 29, 2019, 9:45 AM

@conor said in Access printer from foreign network over IPSEC (multiple locations):

sake of testing goto Firewall > Rules > IPSEC
add an allow all rule for this interface, you can fine tune it later this is just for testing

this rule was already active (for testing) on the IPSEC interface

conor · May 29, 2019, 9:47 AM

send a ping from the 172 network to the the printer ip in the 192 network, I'm half expecting this to fail, if it does check that you can still ping the 10.130.76.136 ip address.

bashuis · May 29, 2019, 9:48 AM

@conor said in Access printer from foreign network over IPSEC (multiple locations):

@bashuis said in Access printer from foreign network over IPSEC (multiple locations):

Should i disconnect and reconnect the whole IPSEC connection?

if the down time isn't going to bother you probably best.

@conor
that is not possible now, people are working over the other P2's

if it is needed i can shedule this later today/tonight

bashuis · May 29, 2019, 9:52 AM

@conor said in Access printer from foreign network over IPSEC (multiple locations):

send a ping from the 172 network to the the printer ip in the 192 network, I'm half expecting this to fail, if it does check that you can still ping the 10.130.76.136 ip address.

that is an problem, i have no access to the 172 network.

they started an permanent ping to 10.130.76.136 that i can use to debug.

i think we should NAT? 10.130.76.136 to 192.168.41.15

packet capturing on LAN2 (pfsense01) give now:
11:52:17.648234 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 37518, length 36
11:52:17.648254 IP 10.130.76.132 > 172.16.0.26: ICMP time exceeded in-transit, length 36

conor · May 29, 2019, 9:52 AM

@bashuis
correct, the customer router doesn't understand where the 192 is located, so a NAT is now needed, just enable the ICMP NAT first for testing.

conor · May 29, 2019, 9:53 AM

@bashuis said in Access printer from foreign network over IPSEC (multiple locations):

packet capturing on LAN2 (pfsense01) give now:
11:52:17.648234 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 37518, length 36
11:52:17.648254 IP 10.130.76.132 > 172.16.0.26: ICMP time exceeded in-transit, length 36

is that with the NAT?

bashuis · May 29, 2019, 9:56 AM

@conor said in Access printer from foreign network over IPSEC (multiple locations):

@bashuis said in Access printer from foreign network over IPSEC (multiple locations):

packet capturing on LAN2 (pfsense01) give now:
11:52:17.648234 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 37518, length 36
11:52:17.648254 IP 10.130.76.132 > 172.16.0.26: ICMP time exceeded in-transit, length 36

is that with the NAT?

no before.

i added this NAT rule on interface LAN2 on pfsense01

now i see the same:
11:54:49.664412 IP 172.16.0.26 > 10.130.76.136: ICMP echo request, id 250, seq 41040, length 36
11:54:49.664433 IP 10.130.76.132 > 172.16.0.26: ICMP time exceeded in-transit, length 36

conor · May 29, 2019, 9:58 AM

@bashuis
If the ping is failing before you add the NAT there still is the problem of pfsense01 to 172 to resolve, remove the NAT rule until that is resolved.

conor · May 29, 2019, 9:59 AM

can you send me the Routes for the pfsense01 please, Diagnostics > Routes

bashuis · May 29, 2019, 10:10 AM

@conor said in Access printer from foreign network over IPSEC (multiple locations):

can you send me the Routes for the pfsense01 please, Diagnostics > Routes

i see i have made an mistake in the ip's from the custommerrouter and LAN2 (switched, same lan). this is correct:

also added the new P2

we could also have a look with teamviewer/telephone if you like?