Netgate Discussion Forum

    No traffic through site-to-site

    IPsec

    panbampan

      GOAL:
      Remote connect a single device from Site B to Site A.
      Have device on Site B use Site A's internet connection.
      Ideally, limit Site B to only use Site A's internet connection (Site B does not have access to Site A LAN & resources)

      LAYOUT:
      Two netgates: Site A and Site B
      Site A has netgate at perimeter, directly connected to modem.
      Site B has netgate inside of a primary network router that is connected to modem.

      SUCCESSES:
      I am able to set up an OpenVPN remote connection service on Site A and connect to it w/ phones and laptops.
      Site B, however, has no 'remote connection' option, only site-to-site.

      I set up a VPN tunnel between Site A and Site B with IPSec.
      From Site A, I can see Site B connect.

      ISSUES:
      Site A cannot ping resources/devices on Site B, and vice versa

      I think the problem is that responses from Site A to Site B are not reaching the netgate. I thought it may be due to the one at Site B being behind a router, but I get the same behavior when plugging the netgate directly into the modem.

      PARTS OF LOG:
      Site A IP: AAA.AAA.AAA.AAA
      Site B IP: BBB.BBB.BBB.BBB

      Jun 19 12:56:21 charon 93934 13[NET] <con100000|6> received packet: from BBB.BBB.BBB.BBB[500] to AAA.AAA.AAA.AAA[500] (80 bytes)
      Jun 19 12:56:21 charon 93934 13[ENC] <con100000|6> parsed INFORMATIONAL request 11 [ ]
      Jun 19 12:56:21 charon 93934 13[ENC] <con100000|6> generating INFORMATIONAL response 11 [ ]
      Jun 19 12:56:21 charon 93934 13[NET] <con100000|6> sending packet: from AAA.AAA.AAA.AAA[500] to BBB.BBB.BBB.BBB[500] (80 bytes)
      ...
      Jun 19 12:59:23 charon 93934 08[CFG] vici client 311 connected
      Jun 19 12:59:23 charon 93934 11[CFG] vici client 311 registered for: list-sa
      Jun 19 12:59:23 charon 93934 08[CFG] vici client 311 requests: list-sas
      Jun 19 12:59:23 charon 93934 08[CFG] vici client 311 disconnected
      ...
      Jun 19 12:58:50 charon 93934 13[IKE] <con100000|6> retransmit 5 of request with message ID 36
      Jun 19 12:58:50 charon 93934 13[NET] <con100000|6> sending packet: from AAA.AAA.AAA.AAA[500] to BBB.BBB.BBB.BBB[500] (80 bytes)
      ...
      Jun 19 13:00:06 charon 93934 08[IKE] <con100000|6> giving up after 5 retransmits
      Jun 19 13:00:06 charon 93934 08[CFG] <con100000|6> updating already routed CHILD_SA 'con100000'
      Jun 19 13:00:06 charon 93934 08[CFG] <con100000|6> configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
      Jun 19 13:00:06 charon 93934 08[CHD] <con100000|6> CHILD_SA con100000{6} state change: CREATED => ROUTED
      Jun 19 13:00:06 charon 93934 08[CHD] <con100000|6> CHILD_SA con100000{4} state change: ROUTED => DESTROYING
      Jun 19 13:00:06 charon 93934 08[IKE] <con100000|6> IKE_SA con100000[6] state change: ESTABLISHED => DESTROYING
      Jun 19 13:00:06 charon 93934 08[CHD] <con100000|6> CHILD_SA con100000{5} state change: INSTALLED => DESTROYING
      Jun 19 13:00:25 charon 93934 00[DMN] SIGTERM received, shutting down
      Jun 19 13:00:25 charon 93934 00[CHD] CHILD_SA con100000{6} state change: ROUTED => DESTROYING
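An added triage script (my own, not from the post or from Netgate) that scans charon lines like the ones above and flags the pattern they show: a packet was received from the peer, then the local IKE requests retransmit until the SA is torn down, which points at the return path (UDP 500/4500 toward Site B being dropped or unforwarded) rather than at the phase 2 proposals. The sample lines are constructed with the post's placeholder IPs; the `verdict` strings and the `nat_t` flag are my own naming.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the charon lines in the post (placeholder IPs kept).
SAMPLE_LOG = """\
Jun 19 12:56:21 charon 93934 13[NET] <con100000|6> received packet: from BBB.BBB.BBB.BBB[500] to AAA.AAA.AAA.AAA[500] (80 bytes)
Jun 19 12:56:21 charon 93934 13[NET] <con100000|6> sending packet: from AAA.AAA.AAA.AAA[500] to BBB.BBB.BBB.BBB[500] (80 bytes)
Jun 19 12:58:50 charon 93934 13[IKE] <con100000|6> retransmit 5 of request with message ID 36
Jun 19 12:58:50 charon 93934 13[NET] <con100000|6> sending packet: from AAA.AAA.AAA.AAA[500] to BBB.BBB.BBB.BBB[500] (80 bytes)
Jun 19 13:00:06 charon 93934 08[IKE] <con100000|6> giving up after 5 retransmits
Jun 19 13:00:06 charon 93934 08[IKE] <con100000|6> IKE_SA con100000[6] state change: ESTABLISHED => DESTROYING
"""

SA_RE = re.compile(r"<(?P<name>[^|>]+)\|(?P<id>\d+)> (?P<msg>.*)$")   # "<con100000|6> ..."
RETRANSMIT_RE = re.compile(r"retransmit (\d+) of request with message ID \d+")
GIVE_UP_RE = re.compile(r"giving up after \d+ retransmits")
PORT_RE = re.compile(r"\[(\d+)\]")                                      # UDP ports in "IP[port]"

def analyse_charon(log_text):
    stats = defaultdict(lambda: {"received": 0, "sent": 0, "max_retransmit": 0,
                                 "gave_up": False, "ports": set()})
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if not m:                      # vici/daemon lines carry no IKE_SA tag; skip them
            continue
        s = stats[f"{m['name']}|{m['id']}"]
        msg = m["msg"]
        if msg.startswith("received packet"):
            s["received"] += 1
        elif msg.startswith("sending packet"):
            s["sent"] += 1
            s["ports"].update(PORT_RE.findall(msg))
        elif (r := RETRANSMIT_RE.search(msg)):
            s["max_retransmit"] = max(s["max_retransmit"], int(r.group(1)))
        elif GIVE_UP_RE.search(msg):
            s["gave_up"] = True
    for s in stats.values():
        s["nat_t"] = "4500" in s["ports"]   # UDP 4500 in use means NAT-T was negotiated
        s["verdict"] = verdict(s)
    return dict(stats)

def verdict(s):
    if s["gave_up"] and s["received"]:
        return "one-way: our IKE requests go unanswered although the peer reached us earlier"
    if s["gave_up"]:
        return "no packets ever received from peer"
    if s["max_retransmit"]:
        return "retransmitting, not yet failed"
    return "healthy"
```

Run it against the full `/var/log/ipsec.log` export from each Netgate and compare the verdicts from both ends: a one-way verdict on one side with a healthy verdict on the other isolates which direction is being dropped.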
