Traffic will not route through site-to-site VPN

When we establish a successful VPN connection, no traffic will flow through it. I have tried setting an outbound NAT rule, adding a pass-any rule on the IPsec firewall tab, setting a static route, and setting up test VPNs, which have consistently reproduced the issue. I followed this guide https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-route-internet-traffic.html and traffic started flowing the way I wanted it; however, this is only a proof of concept and not a solution, as I only control one end of the tunnel. So I know it is in fact possible, and I know others have run into the same issue, but I've yet to find a solution that resolves my problem. Please let me know what more information you need from me.
-
- Did you point the admin of the peer VPN gateway to the guide that you used for the proof of concept?
- What other changes are necessary to turn the proof of concept into the production VPN?

Kind regards,
Mathias
@mamawe
Unfortunately that isn't an option; we have 10 connections that are experiencing this issue and can't ask all of them to make the changes required on their end. On top of that, I can't recreate the connection explained in the guide for some odd reason. I now get an error when setting up the phase 2 tunnel for site A: "The local and remote networks of a phase 2 entry cannot overlap the outside of the tunnel (interface and remote gateway) configured in phase 1."
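The error quoted above, and the "tunnel up, no traffic" symptom from the first post, both come down to the phase 2 traffic selectors. The following Python script is an added example, not code from the thread or from pfSense: it reproduces the overlap condition as a plain containment test (an assumption about how the GUI check works, based only on the wording of the message) and then shows which phase 2 entry, if any, would cover a given src/dst pair, which is the first thing to verify when a policy-based IPsec tunnel establishes but carries nothing. The addresses, `Phase1`/`Phase2` classes and sample entries are constructed for illustration.

```python
"""Sanity checks for an IPsec phase 2 entry against its phase 1 (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Phase1:
    interface_ip: str    # address of the pfSense interface the tunnel terminates on
    remote_gateway: str  # public address of the peer gateway


@dataclass
class Phase2:
    local_net: str   # local traffic selector (CIDR)
    remote_net: str  # remote traffic selector (CIDR)


def phase2_overlaps_phase1(p1: Phase1, p2: Phase2) -> list[tuple[str, str]]:
    """Return (selector side, phase 1 endpoint) pairs where a phase 2 network
    contains an address used by the outside of the tunnel.

    A non-empty list is the condition the error message in the thread describes
    (assumption: the GUI check is a plain address-in-network containment test).
    """
    endpoints = {
        "interface": ip_address(p1.interface_ip),
        "remote gateway": ip_address(p1.remote_gateway),
    }
    conflicts: list[tuple[str, str]] = []
    for side, cidr in (("local", p2.local_net), ("remote", p2.remote_net)):
        net = ip_network(cidr, strict=False)
        for name, addr in endpoints.items():
            if addr in net:
                conflicts.append((side, name))
    return conflicts


def matching_phase2(entries: list[Phase2], src: str, dst: str) -> list[int]:
    """Indices of phase 2 entries whose selectors cover a src -> dst packet.

    Policy-based IPsec only encrypts traffic whose addresses match a phase 2
    pair, so an empty result means the packet never enters the tunnel, whatever
    the firewall rules or static routes say.
    """
    s, d = ip_address(src), ip_address(dst)
    return [
        i for i, p2 in enumerate(entries)
        if s in ip_network(p2.local_net, strict=False)
        and d in ip_network(p2.remote_net, strict=False)
    ]


# Constructed sample configuration (documentation ranges, not real hosts).
SITE_A_P1 = Phase1(interface_ip="203.0.113.10", remote_gateway="198.51.100.20")
LAN_TO_LAN = Phase2(local_net="10.1.0.0/24", remote_net="10.2.0.0/24")
LAN_TO_ANY = Phase2(local_net="10.1.0.0/24", remote_net="0.0.0.0/0")

if __name__ == "__main__":
    for p2 in (LAN_TO_LAN, LAN_TO_ANY):
        print(p2, "->", phase2_overlaps_phase1(SITE_A_P1, p2) or "ok")
    # LAN host to remote LAN: covered by the LAN_TO_LAN selector pair.
    print("10.1.0.5 -> 10.2.0.7 matches", matching_phase2([LAN_TO_LAN], "10.1.0.5", "10.2.0.7"))
    # A packet already rewritten to the WAN address matches no selector.
    print("203.0.113.10 -> 10.2.0.7 matches", matching_phase2([LAN_TO_LAN], "203.0.113.10", "10.2.0.7"))
```

A 0.0.0.0/0 remote selector, as a default-route-over-IPsec setup needs, necessarily contains both the local interface address and the remote gateway, which is exactly the overlap the message complains about; a LAN-to-LAN pair does not. The second function is the check to run against the addresses a packet actually carries when it reaches the IPsec policy lookup: if they fall outside every phase 2 pair, adding NAT, pass rules or routes on top will not put it into the tunnel.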
@ctrl1122
I'm afraid I can't help you then. Did you examine the syslogs regarding the VPN? You can filter the messages so that even with 10 connections you can zoom in on the connection in question. Since pfSense only has space for a certain number of messages, it is a good idea to use a remote syslog server to get enough messages to analyze the problem.
-
@mamawe
Yeah, the logs haven't been super helpful; without any traffic flowing there's really not much to look at. These 10 connections on the pfSense machine aren't currently active; we had to switch back to our old VPN server after we tried and failed to get traffic moving out of the tunnel.