Routing issue communicating over Site to Site VPN
-
I am having an issue with communicating over an OpenVPN site to site VPN. The connection establishes, but for some reason I am having issues with A -> B site network communications, whilst some B -> A network communications do work.
I have pfSense at both sites, each with a /29 block of Failover/Floating IPs. I have a number of NICs assigned to pfSense, with Outbound NAT pushing my additional Failover IPs as VIPs. For the site-to-site VPN setup, however, I am using the WAN uplink at both sites.
The OpenVPN interface is enabled, and the gateway configured in System > Routing > Gateways.
I have seen in numerous other posts that it is recommended to use a /30 network for the Tunnel Network, however, when I make this change, OpenVPN server and client fail to start.
Site A (Server) tunnel settings:
Site A - Client Specific Override:
Site B tunnel settings:
Routes (routes are shown even when I disable the Static Routes on both sides):
Ping tests (Left - server | Right - client):
Packet capture of failed ping from Site A to Site B:
-
@alasdair
You have to state a certain IP address within the tunnel network in the client specific override (assuming the server is set to subnet topology).
@viragomann Where would I do this? Within the 'Advanced' settings?
-
@viragomann Thank you - I have just made the change on the CSO, I've set 10.10.100.2/24 (and also tried 10.10.100.2/32), however, I am still having issues pinging from Site A to Site B.
EDIT: It is worth noting that the client is getting an IP address.
-
@alasdair
It's pretty essential that the client gets a certain IP for routing at all.
Did he even get the IP you stated? Do you see the client's IP as gateway in the routing table for the remote network without having any static route set for it?
-
@viragomann The client gets an IP, even if I set the Tunnel network of the CSO to 10.10.100.0/24. The IP the client gets is 10.10.100.2.
If I remove all of the static routes at both sides, yes, the routes appear correctly in the routing table.
-
@alasdair said in Routing issue communicating over Site to Site VPN:
The client gets an IP, even if I set the Tunnel network of the CSO to 10.10.100.0/24. The IP the client gets is 10.10.100.2
As mentioned, you need to state a certain IP out of the tunnel, not the tunnel network itself, for proper routing to the remote site. Otherwise we won't get a step further.
I assume with that setting you can ping any remote interface IP of pfSense which is included in the "Remote networks"?
But you cannot access other devices at the remote site?
-
@viragomann To confirm, the 'IPv4 Tunnel Network' in the CSO, should be an IP outside of the tunnel? For example, 10.2.1.5?
From Diagnostics -> Ping, I get the following:
(Above - Server VPN interface pinging client router IP and vice versa).
So, I have partial success with Interface to Interface. Site B's router IP (client) can ping Site A's router IP (server), however, it doesn't work the other way around. Between sites, I cannot ping Domain Controller A to Domain Controller B, and vice versa. Whereas, on the LANs, I can ping between the hosts.
Essentially, the only thing working at the moment is the Client interface, pinging Site A's router IP from Site B's VPN interface. No other networking is working.
-
@alasdair said in Routing issue communicating over Site to Site VPN:
To confirm, the 'IPv4 Tunnel Network' in the CSO, should be an IP outside of the tunnel? For example, 10.2.1.5?
It has to be within the server's tunnel network and must be stated in CIDR, e.g. 10.10.10.36/32.
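An added illustration, not code from the thread, of the two checks the replies describe: the rule for the CSO 'IPv4 Tunnel Network' entry and the routing-table check (remote network reached via the client's tunnel IP on the OpenVPN interface, with no static route). The netstat text, the interface name ovpns1 and the 192.168.2.0/24 remote LAN are constructed sample values.

```python
# Added example, not code from the thread: two checks for the pfSense/OpenVPN
# site-to-site setup above. ovpns1, the LAN prefix and the netstat text are constructed.
import ipaddress

SAMPLE_NETSTAT = """\
Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS         em0
10.10.100.0/24     link#7             U        ovpns1
10.10.100.1        link#7             UHS         lo0
192.168.2.0/24     10.10.100.2        UGS      ovpns1
"""

def check_cso_tunnel_ip(server_tunnel, cso_value):
    """Rule from the replies: one host (/32) inside the server's tunnel, never the
    tunnel network itself. Returns (ok, reason)."""
    server = ipaddress.ip_network(server_tunnel, strict=False)
    if server.prefixlen >= 30:  # /30 leaves one client address; no override needed
        return True, "tunnel is /30; client address is implied"
    try:
        entry = ipaddress.ip_interface(cso_value)
    except ValueError:
        return False, "entry must be CIDR, e.g. 10.10.100.3/32"
    if entry.network.prefixlen != 32:
        return False, "state a single host as /32, not a network"
    if entry.ip not in server:
        return False, f"{entry.ip} is outside the server tunnel {server}"
    if entry.ip in (server.network_address, server[1], server.broadcast_address):
        return False, "network, server (.1) and broadcast addresses are reserved"
    return True, f"client will be pushed {entry.ip}"

def find_route(netstat_text, dest):
    """Most specific (gateway, netif) covering dest in FreeBSD/pfSense
    'netstat -rn' output; the default route is ignored on purpose."""
    target = ipaddress.ip_network(dest, strict=False)
    best = None
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "default":
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            continue  # column header or link-level entry
        if target.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, parts[1], parts[3])
    return None if best is None else (best[1], best[2])

def remote_routed_via_peer(netstat_text, remote_net, client_tunnel_ip):
    """True when the remote LAN is reached via the client's tunnel IP on an OpenVPN netif."""
    route = find_route(netstat_text, remote_net)
    return route is not None and route[0] == client_tunnel_ip and route[1].startswith("ovpn")
```

Feed the real `netstat -rn` output from Diagnostics > Command Prompt to `remote_routed_via_peer` to confirm the route the replies ask about before adding any static routes.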
-
@viragomann I have set it to 10.10.100.3/32, and this has not worked.
EDIT: After setting the CSO tunnel IP to the above, the client is not getting the correct IP. It's still getting 10.10.100.2, even after restarting services at both ends.
-
@viragomann I have fixed it!
I reconfigured the tunnel to be /30 (the error I was getting before was that 'allow duplicate connections' was enabled, and it failed to start due to this). I can now communicate between Site A and Site B.
Thank you for your patience whilst I troubleshot this.