    Traffic will not route through site-to-site VPN

    IPsec
      ctrl1122:

      When we establish a successful VPN connection, no traffic will flow through it. I have tried setting an outbound NAT rule, adding a pass-any rule on the IPsec firewall tab, setting a static route, and setting up test VPNs, which have consistently reproduced the issue. I followed this guide https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-route-internet-traffic.html and traffic started flowing the way I wanted it; however, this is only a proof of concept and not a solution, as I only control one end of the tunnel. So I know it is in fact possible, and I know others have run into the same issue, but I've yet to find a solution that resolves my issue. Please let me know what more information you need from me.

        mamawe @ctrl1122:

        @ctrl1122

        • Did you point the admin of the peer VPN gateway to the guide that you used for the proof of concept?
        • What other changes are necessary to turn the proof of concept into the production VPN?

        Kind regards,
        Mathias

          ctrl1122 @mamawe:

          @mamawe
          Unfortunately, that isn't an option: we have 10 connections that are experiencing this issue and can't ask all of them to make the changes required on their end. On top of that, I can't recreate the connection explained in the guide, for some odd reason. I now get an error when setting up the phase 2 tunnel for site A: "The local and remote networks of a phase 2 entry cannot overlap the outside of the tunnel (interface and remote gateway) configured in phase 1."

            mamawe @ctrl1122:
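The phase 2 validation error quoted above can be reproduced offline. The following is an added example, not code from pfSense or from anyone in this thread; it assumes the check works the way the error message describes, i.e. a phase 2 local or remote network must not contain the phase 1 interface address or remote gateway address. The addresses below are constructed sample values.

```python
import ipaddress


def phase2_overlaps_phase1(p1_interface_ip, p1_remote_gateway, p2_local, p2_remote):
    """Return the (phase 2 network, phase 1 address) pairs that overlap.

    Assumption: mirrors the pfSense message "The local and remote networks of a
    phase 2 entry cannot overlap the outside of the tunnel (interface and remote
    gateway) configured in phase 1". An empty list means the entry is accepted.
    """
    outside = {
        "interface": ipaddress.ip_address(p1_interface_ip),
        "remote gateway": ipaddress.ip_address(p1_remote_gateway),
    }
    networks = {
        "local": ipaddress.ip_network(p2_local, strict=False),
        "remote": ipaddress.ip_network(p2_remote, strict=False),
    }
    conflicts = []
    for net_name, net in networks.items():
        for addr_name, addr in outside.items():
            # Only compare addresses and networks of the same IP version.
            if addr.version == net.version and addr in net:
                conflicts.append((net_name, addr_name))
    return conflicts


def describe(conflicts):
    """Human-readable summary of the overlap check result."""
    if not conflicts:
        return "phase 2 entry accepted: no overlap with phase 1 outside addresses"
    return "; ".join(f"phase 2 {n} network contains phase 1 {a} address" for n, a in conflicts)


if __name__ == "__main__":
    # Constructed site A: WAN 198.51.100.10, peer gateway 203.0.113.20.
    # A phase 2 remote network of 0.0.0.0/0 (route everything through the tunnel)
    # necessarily contains both outside addresses, so pfSense rejects it.
    print(describe(phase2_overlaps_phase1("198.51.100.10", "203.0.113.20",
                                          "10.1.0.0/16", "0.0.0.0/0")))
    # A conventional LAN-to-LAN phase 2 does not overlap and is accepted.
    print(describe(phase2_overlaps_phase1("198.51.100.10", "203.0.113.20",
                                          "10.1.0.0/16", "10.2.0.0/16")))
```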

            @ctrl1122
            I'm afraid I can't help you then.

            Did you examine the syslogs regarding the VPN? You can filter the messages so that, even with 10 connections, you can zoom in on the connection in question. Since pfSense only has space for a certain number of messages, it is a good idea to use a remote syslog server to get enough messages to analyze the problem.

              ctrl1122 @mamawe:

              @mamawe
              Yeah, the logs haven't been super helpful; without any traffic flowing, there's really not much to look at. These 10 connections on the pfSense machine aren't currently active; we had to switch back to our old VPN server after we tried and failed to get traffic moving out of the tunnel.
