Netgate Discussion Forum
    Routing over IPSec is not working fine.

    Category: IPsec

    jokabo (last edited by jokabo)

      Hello,
      I have an issue with routing OpenVPN clients via Site A through an IPsec tunnel to Site B.

      I already posted this issue in the Facebook group and also checked it with multiple pfSense admins, without success. Maybe I can find some help here.

      My Network Subnets:
      OpenVPN: 172.16.0.0/24
      Site A: 10.0.0.0/16
      Site B: 10.3.0.0/16
      Office: 10.100.0.0/16

      In the first step we can ignore the issues with Office. As a workaround, I added a second tunnel to Site B from Office. The most important issue is the OpenVPN one. I just add some input for the Office issue too; maybe it helps with debugging.

      My Network: [network diagram image]

      All internal traffic should be sent over Site A; it's like the HQ.

      My diagnostics:
      ✔ Site A can PING to Site B (IPSec)

      ✔ Site B can PING to Site A (IPSec)

      ✔ OpenVPN Clients can PING to Site A (OpenVPN)

      ✔ Office can PING to Site A (IPSec)

      ❌ OpenVPN Clients can PING to Site B over IPSec from Site A (OpenVPN => IPSec)

      ❌ Office can PING to Site B over IPSec from Site A (IPSec=> IPSec)

      What I did:
      ☑ I added a Phase 2 for 172.16.0.0/24 (local) to 10.3.0.0/16 (remote) on both sides. On Site B I swapped the local and remote subnets.
      ☑ Also added a Phase 2 for 10.100.0.0/24 (local) to 10.3.0.0/16 (remote) on both sides. On Site B I swapped the local and remote subnets.
      ☑ I added the push route setting to the OpenVPN config: push "route 10.3.0.0 255.255.0.0";
      ☑ I added allow-all rules on all sites for testing reasons.

      ➡ Now I start a ping from client 172.16.0.10 to the Site B pfSense: 10.3.0.1.

      Failed.

      On Site A I can see the "success rule" in the firewall logs.
      [firewall log screenshot]

      On Site A I also see the ICMP packets with "Packet Capture" (Interface = OpenVPN):

      00:28:35.565868 IP 172.16.0.10 > 10.3.0.1: ICMP echo request, id 10429, seq 1, length 64
      00:28:36.575877 IP 172.16.0.10 > 10.3.0.1: ICMP echo request, id 10430, seq 1, length 64
      00:28:37.565659 IP 172.16.0.10 > 10.3.0.1: ICMP echo request, id 10431, seq 1, length 64

      ❌ On Site B I can't see any traffic. No packet capture and no blocked rules. There is NOTHING.

      ⚠ Based on my tests, I think that the traffic on Site A is not forwarded to the IPsec tunnel for Site B. Same with the second IPsec tunnel from Office to Site A to route traffic to Site B.

      Traceroute also ends on Site A.

      On the IPsec status page I can see that the "172.16.0.0" tunnel is not active.

      IPsec Configuration

      IPsec config Site A: [screenshot]

      IPsec config Site B: [screenshot]

      Any ideas how to debug this? What can be the issue? Any NAT fail? How can I check what happened to the accepted traffic from the OpenVPN clients?

      Thanks!
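As an added example (not from the post or from pfSense), a small Python check that takes the Phase 2 selector pairs and the subnets stated above, parses tcpdump-style capture lines, and reports for each flow which Site A selector would carry it and whether the mirrored Site B selector covers the reply; it also lists named subnets that no local selector fully covers. The first capture line is the one from the post, the second (an Office host) is constructed.

```python
import ipaddress
import re

# Phase 2 selector pairs (local, remote) on Site A, as listed in the post.
SITE_A_P2 = [
    ("10.0.0.0/16", "10.3.0.0/16"),
    ("172.16.0.0/24", "10.3.0.0/16"),
    ("10.100.0.0/24", "10.3.0.0/16"),
]
# Site B is described as the mirror: local and remote swapped.
SITE_B_P2 = [(remote, local) for local, remote in SITE_A_P2]

# Subnets named at the top of the post.
SUBNETS = {
    "OpenVPN": "172.16.0.0/24",
    "Site A": "10.0.0.0/16",
    "Site B": "10.3.0.0/16",
    "Office": "10.100.0.0/16",
}

# Constructed capture text in the same format as the post's packet capture.
CAPTURE = """\
00:28:35.565868 IP 172.16.0.10 > 10.3.0.1: ICMP echo request, id 10429, seq 1, length 64
00:28:36.575877 IP 10.100.5.20 > 10.3.0.1: ICMP echo request, id 10430, seq 1, length 64
"""

FLOW_RE = re.compile(r"IP (\S+) > (\S+):")

def parse_flows(text):
    """Return (src, dst) address pairs from tcpdump-style lines."""
    return [(ipaddress.ip_address(s), ipaddress.ip_address(d))
            for s, d in FLOW_RE.findall(text)]

def matching_p2(src, dst, p2_list):
    """First (local, remote) selector pair covering src -> dst, or None."""
    for local, remote in p2_list:
        if src in ipaddress.ip_network(local) and dst in ipaddress.ip_network(remote):
            return (local, remote)
    return None

def check_flows(text, p2_a=SITE_A_P2, p2_b=SITE_B_P2):
    """Map 'src->dst' to (Site A selector used, Site B selector covering the reply)."""
    report = {}
    for src, dst in parse_flows(text):
        report[f"{src}->{dst}"] = (matching_p2(src, dst, p2_a), matching_p2(dst, src, p2_b))
    return report

def uncovered_subnets(p2_list, subnets=SUBNETS, exclude=("Site B",)):
    """Named subnets (other than the remote site) not fully inside any local selector."""
    return [name for name, net in subnets.items() if name not in exclude and not any(
        ipaddress.ip_network(net).subnet_of(ipaddress.ip_network(local)) for local, _ in p2_list)]
```

A flow reported as (None, None) has no selector that would negotiate a child SA for it, and a subnet listed by uncovered_subnets has hosts outside every local selector (here a /16 against a /24 entry).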

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.