No traffic through site-to-site
-
GOAL:
Remote connect a single device from Site B to Site A.
Have device on Site B use Site A's internet connection.
Ideally, limit Site B to only use Site A's internet connection (Site B does not have access to Site A LAN & resources).

LAYOUT:
Two netgates: Site A and Site B
Site A has a netgate at the perimeter, directly connected to the modem.
Site B has a netgate inside of a primary network router that is connected to the modem.

SUCCESSES:
I am able to set up an OpenVPN remote connection service on Site A and connect to it with phones and laptops.
Site B, however, has no 'remote connection' option, only site-to-site.

I set up a VPN tunnel between Site A and Site B with IPSec.
From Site A, I can see Site B connect.

ISSUES:
Site A cannot ping resources/devices on Site B, and vice versa.

I think the problem is that responses from Site A to Site B are not reaching the netgate. I thought it may be due to the one at Site B being behind a router, but I get the same behavior when plugging the netgate directly into the modem.
PARTS OF LOG:
Site A IP: AAA.AAA.AAA.AAA
Site B IP: BBB.BBB.BBB.BBB

Jun 19 12:56:21 charon 93934 13[NET] <con100000|6> received packet: from BBB.BBB.BBB.BBB[500] to AAA.AAA.AAA.AAA[500] (80 bytes)
Jun 19 12:56:21 charon 93934 13[ENC] <con100000|6> parsed INFORMATIONAL request 11 [ ]
Jun 19 12:56:21 charon 93934 13[ENC] <con100000|6> generating INFORMATIONAL response 11 [ ]
Jun 19 12:56:21 charon 93934 13[NET] <con100000|6> sending packet: from AAA.AAA.AAA.AAA[500] to BBB.BBB.BBB.BBB[500] (80 bytes)
...
Jun 19 12:59:23 charon 93934 08[CFG] vici client 311 connected
Jun 19 12:59:23 charon 93934 11[CFG] vici client 311 registered for: list-sa
Jun 19 12:59:23 charon 93934 08[CFG] vici client 311 requests: list-sas
Jun 19 12:59:23 charon 93934 08[CFG] vici client 311 disconnected
...
Jun 19 12:58:50 charon 93934 13[IKE] <con100000|6> retransmit 5 of request with message ID 36
Jun 19 12:58:50 charon 93934 13[NET] <con100000|6> sending packet: from AAA.AAA.AAA.AAA[500] to BBB.BBB.BBB.BBB[500] (80 bytes)
...
Jun 19 13:00:06 charon 93934 08[IKE] <con100000|6> giving up after 5 retransmits
Jun 19 13:00:06 charon 93934 08[CFG] <con100000|6> updating already routed CHILD_SA 'con100000'
Jun 19 13:00:06 charon 93934 08[CFG] <con100000|6> configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Jun 19 13:00:06 charon 93934 08[CHD] <con100000|6> CHILD_SA con100000{6} state change: CREATED => ROUTED
Jun 19 13:00:06 charon 93934 08[CHD] <con100000|6> CHILD_SA con100000{4} state change: ROUTED => DESTROYING
Jun 19 13:00:06 charon 93934 08[IKE] <con100000|6> IKE_SA con100000[6] state change: ESTABLISHED => DESTROYING
Jun 19 13:00:06 charon 93934 08[CHD] <con100000|6> CHILD_SA con100000{5} state change: INSTALLED => DESTROYING
Jun 19 13:00:25 charon 93934 00[DMN] SIGTERM received, shutting down
Jun 19 13:00:25 charon 93934 00[CHD] CHILD_SA con100000{6} state change: ROUTED => DESTROYING
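Added example, not part of the original post and not pfSense or strongSwan code: a small Python triage script for charon log excerpts of the shape pasted above. It parses the pfSense log line format (timestamp, `charon`, pid, `NN[SUBSYSTEM]`, optional `<connection|ike_sa_id>`, message) and reports, per IKE_SA, the highest retransmit count seen for each message ID, the "giving up" event together with the last time a packet was actually received from the peer, teardown transitions out of ESTABLISHED/INSTALLED, and which UDP ports the IKE traffic used. The port check matters because strongSwan moves IKE (and UDP-encapsulated ESP) to UDP 4500 once it detects a NAT between the peers, so an excerpt that only ever shows port 500 is worth noting when one side sits behind a router. The sample lines are constructed to resemble the post's excerpt, with the same placeholder addresses; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Shape of a pfSense/charon line: "Jun 19 12:56:21 charon 93934 13[NET] <con100000|6> message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) charon \d+ \d+\[(?P<sub>[A-Z]+)\]"
    r"(?: <(?P<conn>[^|>]+)\|(?P<sa>\d+)>)? (?P<msg>.*)$"
)
PACKET_RE = re.compile(r"(received|sending) packet: from ([^\s\[]+)\[(\d+)\] to ([^\s\[]+)\[(\d+)\]")
RETRANS_RE = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
GIVEUP_RE = re.compile(r"giving up after (\d+) retransmits")
STATE_RE = re.compile(r"(IKE_SA|CHILD_SA) (\S+) state change: (\w+) => (\w+)")
NAT_T_PORT = "4500"  # port strongSwan floats to once NAT between the peers is detected

# Constructed sample, modelled on the excerpt in the post (placeholder addresses kept).
SAMPLE_LOG = """\
Jun 19 12:56:21 charon 93934 13[NET] <con100000|6> received packet: from BBB.BBB.BBB.BBB[500] to AAA.AAA.AAA.AAA[500] (80 bytes)
Jun 19 12:56:21 charon 93934 13[ENC] <con100000|6> parsed INFORMATIONAL request 11 [ ]
Jun 19 12:56:21 charon 93934 13[NET] <con100000|6> sending packet: from AAA.AAA.AAA.AAA[500] to BBB.BBB.BBB.BBB[500] (80 bytes)
Jun 19 12:58:50 charon 93934 13[IKE] <con100000|6> retransmit 5 of request with message ID 36
Jun 19 12:59:23 charon 93934 08[CFG] vici client 311 connected
Jun 19 13:00:06 charon 93934 08[IKE] <con100000|6> giving up after 5 retransmits
Jun 19 13:00:06 charon 93934 08[IKE] <con100000|6> IKE_SA con100000[6] state change: ESTABLISHED => DESTROYING
Jun 19 13:00:06 charon 93934 08[CHD] <con100000|6> CHILD_SA con100000{5} state change: INSTALLED => DESTROYING
""".splitlines()


def parse_line(line):
    """Split one charon log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Group events by IKE_SA id and collect what matters for a dead-peer diagnosis."""
    sas = defaultdict(lambda: {
        "conn": None, "retransmits": {}, "gave_up": None,
        "states": [], "last_rx": None, "ports": set(),
    })
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["sa"] is None:
            continue  # vici housekeeping and daemon lines carry no IKE_SA id
        sa = sas[int(rec["sa"])]
        sa["conn"] = rec["conn"]
        msg = rec["msg"]
        if (m := PACKET_RE.search(msg)):
            direction, _src, sport, _dst, dport = m.groups()
            sa["ports"].update({sport, dport})
            if direction == "received":
                sa["last_rx"] = rec["ts"]  # last proof the peer was still talking to us
        elif (m := RETRANS_RE.search(msg)):
            n, mid = int(m.group(1)), int(m.group(2))
            sa["retransmits"][mid] = max(n, sa["retransmits"].get(mid, 0))
        elif (m := GIVEUP_RE.search(msg)):
            sa["gave_up"] = {"ts": rec["ts"], "after": int(m.group(1))}
        elif (m := STATE_RE.search(msg)):
            kind, name, old, new = m.groups()
            sa["states"].append((rec["ts"], kind, name, old, new))
    return dict(sas)


def findings(summary):
    """Turn the per-SA summary into short, human-readable triage notes."""
    notes = []
    for sa_id, sa in sorted(summary.items()):
        tag = f"{sa['conn']}[{sa_id}]"
        if sa["gave_up"]:
            notes.append(f"{tag}: peer stopped answering IKE requests, gave up after "
                         f"{sa['gave_up']['after']} retransmits at {sa['gave_up']['ts']}; "
                         f"last packet received from peer at {sa['last_rx']}")
        if sa["ports"] and NAT_T_PORT not in sa["ports"]:
            notes.append(f"{tag}: IKE traffic in this excerpt only on UDP "
                         f"{'/'.join(sorted(sa['ports']))}, no UDP {NAT_T_PORT} (NAT-T) seen")
        for ts, kind, name, old, new in sa["states"]:
            if new == "DESTROYING" and old in ("ESTABLISHED", "INSTALLED"):
                notes.append(f"{tag}: {kind} {name} torn down from {old} at {ts}")
    return notes


if __name__ == "__main__":
    for note in findings(triage(SAMPLE_LOG)):
        print(note)
```

Feed it the full log rather than an excerpt (`triage(open("/var/log/ipsec.log").read().splitlines())` on pfSense) before drawing conclusions about ports: a short excerpt can simply omit the IKE_SA_INIT exchange where the NAT detection and the switch to 4500 happen.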