Netgate Discussion Forum

OSPF learned routes not passing packets for one VTI partner

Routing and Multi WAN
Thale, Apr 3, 2023, 4:32 PM

    Let me start by saying that I feel like I'm missing something that's probably obvious, but I can't seem to figure out what.

    I have 4 sites with a spoke-and-wheel IPSEC VPN configuration. All locations are using pfSense 2.6.0. 3 of those sites are connected to each other with VTI tunnels and use FRR OSPF for dynamic routing, and those are working fine. Let's call those 3 sites B, C, and D. The 4th site, which we'll call A, would be considered the hub of the configuration. We currently have traditional IPSEC tunnels between A and 2 of the other sites, B and D. The traditional IPSEC tunnels are what we want to replace. Site A is already connected with a VTI tunnel to Site C, which is also working fine.

    I am trying to turn on the VTI tunnel between site D and site A, and this is where the problem lies. The adjacency is established and the new routes are learned in IPSEC. The routes are distributed between the different FRR installs as well. The routes do make it into the routing table showing the VTI link between sites A and D. However, devices on the LAN for sites D and A cannot talk to each other. I can talk from sites A and D to both sites B and C, but not between A and D. I have closed all the states, restarted services, disconnected and reconnected the VTI tunnel between sites A and D, and still nothing. I have checked the firewall rules and don't see anything that would be blocking it. I can also ping from the pfSense router at both sites to the LAN at the other site. However, LAN devices at both sites still cannot access the other site.

    Is there something obvious I should be checking? Since both site A and D have working VTI connections to at least 1 other site, I would think that firewall rules should be fine unless a rule applied to this specific scenario or machine, but I haven't found any match like that among the rules. I'm at a bit of a loss. Anyone have a suggestion?

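The symptom above (router-to-remote-LAN pings succeed, LAN-to-LAN traffic fails) separates the routing question from the firewall-policy question, and it is worth checking both sides of each VTI with the same script rather than by eye. The following is an added example, not code from the poster or from pfSense/FRR: it parses text in the shape of FreeBSD `netstat -rn` and `pfctl -sr` output, does a longest-prefix lookup for the remote LAN to confirm the route actually leaves via the expected assigned VTI interface (`ipsecN`), and then checks that an inbound `pass` rule on that interface admits the remote LAN as a source. All addresses, interface names and rule lines are constructed samples; the rule that only matches the tunnel transit network is a hypothetical illustration of one way router-sourced pings can pass while LAN-sourced traffic does not, not a finding about the poster's configuration.

```python
import ipaddress
import re

# Constructed sample in the shape of `netstat -rn` on a pfSense box (hypothetical "site A").
SITE_A_ROUTES = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.1.0.0/24        link#2             U           em1
10.3.0.0/24        10.250.0.6         UG1      ipsec2
10.4.0.0/24        10.250.0.10        UG1      ipsec3
"""

# Constructed sample in the shape of `pfctl -sr` output on the same box. The ipsec3 rule
# deliberately admits only the tunnel transit /24, not the remote LAN, to show the mismatch.
SITE_A_RULES = """\
pass in quick on ipsec2 inet from 10.3.0.0/24 to 10.1.0.0/24 flags S/SA keep state label "USER_RULE"
pass in quick on ipsec3 inet from 10.250.0.0/24 to any flags S/SA keep state label "USER_RULE"
pass out quick on em1 inet from any to any flags S/SA keep state
"""

RULE_RE = re.compile(
    r"^pass\s+(in|out)\s+(?:quick\s+)?on\s+(\S+)\s+(?:inet6?\s+)?"
    r"(?:proto\s+\S+\s+)?from\s+(\S+)\s+to\s+(\S+)"
)


def to_network(spec):
    """Turn a netstat/pf address token into an ip_network; hosts without a mask become /32."""
    return ipaddress.ip_network(spec if "/" in spec else spec + "/32", strict=False)


def parse_routes(text):
    """Return (network, gateway, flags, netif) tuples; header and non-address lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gw, flags, netif = parts[:4]
        try:
            net = ipaddress.ip_network("0.0.0.0/0") if dest == "default" else to_network(dest)
        except ValueError:
            continue  # column header or anything that is not an address
        routes.append((net, gw, flags, netif))
    return routes


def lookup(routes, prefix):
    """Longest-prefix match for `prefix`, the way the kernel would choose the route."""
    target = ipaddress.ip_network(prefix)
    best = None
    for entry in routes:
        net = entry[0]
        if net.version != target.version or not target.subnet_of(net):
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = entry
    return best


def covers(spec, prefix):
    """True if a pf address token ('any', a network or a host) contains `prefix`."""
    if spec == "any":
        return True
    try:
        net = to_network(spec)
    except ValueError:
        return False
    return net.version == prefix.version and prefix.subnet_of(net)


def pass_rule_on_vti(rules_text, vti_iface, remote_lan, local_lan):
    """True if an inbound pass rule on the VTI interface admits remote LAN -> local LAN."""
    src, dst = ipaddress.ip_network(remote_lan), ipaddress.ip_network(local_lan)
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if (m and m.group(1) == "in" and m.group(2) == vti_iface
                and covers(m.group(3), src) and covers(m.group(4), dst)):
            return True
    return False


def check_site(routes_text, rules_text, local_lan, remote_lan, vti_iface):
    """Combine the routing check and the firewall-policy check for one side of a tunnel."""
    hit = lookup(parse_routes(routes_text), remote_lan)
    return {
        "route_netif": None if hit is None else hit[3],
        "route_via_vti": hit is not None and hit[3] == vti_iface,
        "lan_pass_rule": pass_rule_on_vti(rules_text, vti_iface, remote_lan, local_lan),
    }


if __name__ == "__main__":
    # Site A's view of the tunnel to site D (remote LAN 10.4.0.0/24 over ipsec3).
    print(check_site(SITE_A_ROUTES, SITE_A_RULES, "10.1.0.0/24", "10.4.0.0/24", "ipsec3"))
```

Run the same check on both ends of the tunnel with the roles of local and remote swapped; a tunnel that passes router-sourced pings but fails LAN-to-LAN needs both `route_via_vti` and `lan_pass_rule` to be true at both sites, and a false `lan_pass_rule` on one side points at the rules tab for that assigned VTI interface rather than at OSPF.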
    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.