    Site-to-site VPN, can only connect one direction to appliance

    OpenVPN
    LamboJ

      Hi,
      I have 2 XG-7100 pfSense appliances in a site to site VPN using OpenVPN. Let's call them Site A with Appliance A, and Site B with Appliance B.

      All hosts from Site A can ping Site B and vice versa. However, I'm not able to connect to the LAN interface of Appliance B from Site A. I am able to connect to the LAN interface of Appliance A from Site B, and I'm also able to connect to Appliance A using the OpenVPN tunnel IP.

      I know there are some other similar postings, but I didn't find those applicable to this specific case.

      I checked the firewall logs, and don't see anything in there. Any other ideas on what I can check to debug?

      Thanks!

      Rico

        Please share your OpenVPN Configuration, Firewall Rules and LAN Interface Configuration via Screenshots.
        ATM we know nothing about your setup, not even which OpenVPN server mode you are running.

        -Rico

        LamboJ @Rico

          @rico said in Site-to-site VPN, can only connect one direction to appliance:

          Please share your OpenVPN Configuration, Firewall Rules and LAN Interface Configuration via Screenshots.
          ATM we know nothing about your setup, not even which OpenVPN server mode you are running.

          -Rico

          Hi,
          Please find screenshots here: https://imgur.com/a/Wgumzm3

          Let me know if there's any other info I can provide.

          Thanks

          Rico

            192.168.96.0/19 overlaps your tunnel network 192.168.121.0/24
            Why do you use /19 as Remote Networks and not your 192.168.33.0/24 and 192.168.97.0/24 to be more specific?
            BTW, you can upload pictures directly into the forum.

            -Rico

            LamboJ @Rico

              @rico said in Site-to-site VPN, can only connect one direction to appliance:

              192.168.96.0/19 overlaps your tunnel network 192.168.121.0/24
              Why do you use /19 as Remote Networks and not your 192.168.33.0/24 and 192.168.97.0/24 to be more specific?
              BTW, you can upload pictures directly into the forum.

              -Rico

              Shouldn't the tunnel be part of the network to be routed? i.e. part of site B, given site B is acting as the server?

              I've used /19 so I can add more VLANs to each site without having to reconfigure anything.

              Rico

                No, the tunnel network is used internally by OpenVPN between tunnel endpoints.
                Pick a network that is not in use locally or at any remote site.

                -Rico

                Pippin

                  Informational:
                  https://community.openvpn.net/openvpn/wiki/AvoidRoutingConflicts

                  LamboJ @Rico

                    @rico said in Site-to-site VPN, can only connect one direction to appliance:

                    No, the tunnel network is used internally by OpenVPN between tunnel endpoints.
                    Pick a network that is not in use locally or at any remote site.

                    -Rico

                    I've changed the tunnel network to: 192.168.224.0/30 (on both appliances), but still seeing the same issue.

                    Rico

                      Did you try to be more specific with the Remote networks?
                      For the box with pfSense LAN IP 192.168.33.1/24 set the OpenVPN Remote network to 192.168.97.0/24
                      For the box with pfSense LAN IP 192.168.97.1/24 set the OpenVPN Remote network to 192.168.33.0/24

                      -Rico

                      LamboJ @Rico

                        @rico said in Site-to-site VPN, can only connect one direction to appliance:

                        Did you try to be more specific with the Remote networks?
                        For the box with pfSense LAN IP 192.168.33.1/24 set the OpenVPN Remote network to 192.168.97.0/24
                        For the box with pfSense LAN IP 192.168.97.1/24 set the OpenVPN Remote network to 192.168.33.0/24

                        -Rico

                        Just tried that as well, unfortunately no luck.

                        Rico

                          Could there be something else overlapping, like an IPsec tunnel?
                          What exactly is not working? You can't ping 192.168.97.1 from that 192.168.33.1 pfSense Box?

                          -Rico

                          LamboJ @Rico

                            @rico said in Site-to-site VPN, can only connect one direction to appliance:

                            Could there be something else overlapping, like an IPsec tunnel?
                            What exactly is not working? You can't ping 192.168.97.1 from that 192.168.33.1 pfSense Box?

                            -Rico

                            Correct, the issue is that I can't ping 192.168.97.1 from anywhere in Site A. So I can't ping 192.168.97.1 from 192.168.33.1 or from any other hosts like 192.168.33.2, etc.

                            Site A doesn't have any IPsec tunnels. Site B (192.168.97.0/24) has an IPsec tunnel to Site C which is an Azure gateway (not pfSense). Here's the configuration:
                            [screenshot of the IPsec configuration]

                            Rico

                              Your IPSec Local Network overlaps 192.168.97.0/24 and 192.168.33.0/24
                              I'm not really into IPsec, but pretty sure it could grab that OpenVPN traffic.
                              TBH, I lose track a bit about your whole setup, it is not easy to follow which site is which Configuration, Rules or even local/remote networks.
                              It could help to sketch up your network layout.

                              -Rico

                              LamboJ @Rico
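The two overlap rules Rico raises in this thread (the tunnel network must not overlap any local or remote network, and an IPsec Phase 2 local network that covers an OpenVPN remote network can grab that tunnel traffic) written out as a check over the prefixes from the posts. This is an added example, not pfSense code and not anything the posters shared; the IPsec local prefix 192.168.0.0/16 is a constructed stand-in, since the thread only says it overlaps both /24s.

```python
from ipaddress import ip_network


def check_vpn_layout(local, remote, tunnel, ipsec_local=None):
    """Report prefix conflicts for one pfSense box's site-to-site setup.

    local       - LAN/VLAN prefixes on this box
    remote      - OpenVPN "Remote Networks" to be routed through the tunnel
    tunnel      - OpenVPN "Tunnel Network"
    ipsec_local - optional IPsec Phase 2 local network on the same box
    Returns a list of (rule, net_a, net_b) tuples; an empty list is clean.
    """
    loc = [ip_network(n) for n in local]
    rem = [ip_network(n) for n in remote]
    tun = ip_network(tunnel)
    issues = []
    # Rule 1: the tunnel network is used only between the OpenVPN endpoints,
    # so it must not overlap anything in use locally or at any remote site.
    for n in loc + rem:
        if tun.overlaps(n):
            issues.append(("tunnel-overlap", str(tun), str(n)))
    # Rule 2: a remote network that covers a local prefix would pull local
    # traffic into the tunnel (or be shadowed by the directly connected route).
    for lan in loc:
        for r in rem:
            if lan.overlaps(r):
                issues.append(("local-remote-overlap", str(lan), str(r)))
    # Rule 3: an IPsec Phase 2 local network that also covers an OpenVPN
    # remote network lets the IPsec policy grab traffic meant for that peer.
    if ipsec_local is not None:
        p2 = ip_network(ipsec_local)
        for r in rem:
            if p2.overlaps(r):
                issues.append(("ipsec-overlap", str(p2), str(r)))
    return issues


if __name__ == "__main__":
    # Site A as originally posted: the /19 remote network swallows the tunnel.
    print(check_vpn_layout(["192.168.33.0/24"], ["192.168.96.0/19"],
                           "192.168.121.0/24"))
    # Site A after Rico's changes: specific /24 remote, unused /30 tunnel.
    print(check_vpn_layout(["192.168.33.0/24"], ["192.168.97.0/24"],
                           "192.168.224.0/30"))
    # Site B with its IPsec tunnel; 192.168.0.0/16 is a constructed stand-in
    # for the Phase 2 local network the thread says covers both /24s.
    print(check_vpn_layout(["192.168.97.0/24"], ["192.168.33.0/24"],
                           "192.168.224.0/30", ipsec_local="192.168.0.0/16"))
```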

                                @rico said in Site-to-site VPN, can only connect one direction to appliance:

                                Your IPSec Local Network overlaps 192.168.97.0/24 and 192.168.33.0/24
                                I'm not really into IPsec, but pretty sure it could grab that OpenVPN traffic.
                                TBH, I lose track a bit about your whole setup, it is not easy to follow which site is which Configuration, Rules or even local/remote networks.
                                It could help to sketch up your network layout.

                                -Rico

                                Thanks for all your help, but it actually looks like everything was correct in terms of settings, I just needed to reboot the appliance and it worked. I didn't realize rebooting would help here.
