Netgate Discussion Forum

    Multiple vti routed ipsec tunnels an issue?

    IPsec
nick.loenders:

Hi,

I have a Netgate at the headquarters and multiple branch Netgates.
Between the HQ and the branch offices there are standard IPsec tunnels.
Between the HQ and one branch I made a VTI routed IPsec tunnel.

This all works.

But now I need to change some standard IPsec tunnels to VTI routed tunnels.

So yesterday I disabled a tunnel between HQ and branch X and created a VTI routed tunnel for that setup, and suddenly the Internet was lost at both locations... :(

Once I disabled the VTI routed tunnel, the Internet was back.

What can have caused this?

michmoor (@nick.loenders):

@nick-loenders How are your gateways set up?
The default gateway should be your WAN interface.
See mine.

[screenshot: michmoor's System > Routing gateway configuration]

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

nick.loenders (@michmoor):

@michmoor Hi, just back from that client.

The WAN IP on the pfSense at the branch office is in 192.168.1, and the local network at the main office is also 192.168.1.

That will probably have caused this...

Although another branch office worked (or I thought it worked), and now, looking into it from home again because I needed another P2 on the tunnel, poof, gone again...

All this because of the stupid Teams Voice they are using...

michmoor (@nick.loenders):

@nick-loenders The gateway is set to Automatic, but when using VPNs and no Multi-WAN you have to make sure you set the default gateway; otherwise you run the risk of the next hop being the VPN, which of course won't work if the Internet is down.


nick.loenders (@michmoor):

@michmoor Yes, but the default GW is set to the WAN gateway on both devices.

michmoor (@nick.loenders):

@nick-loenders said in Multiple vti routed ipsec tunnels an issue?:

> The WAN IP on the pfSense at the branch office is in 192.168.1, and the local network at the main office is also 192.168.1.

Can you explain this?
Both sites have their LAN configured for 192.168.1.X?


nick.loenders (@michmoor):

@michmoor The internal network (LAN) at HQ is 192.168.1.

The WAN IP at the branch gets a 192.168.1 address from the ISP router/modem.

michmoor (@nick.loenders):

@nick-loenders OK, so the branch is using CGNAT. But the CGNAT WAN has the same IP address range as your other site.
Yeah, I can see how that may cause a routing problem at the branch, but I don't see how the Internet is lost at the HQ...


nick.loenders (@michmoor):
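The two failure modes discussed so far (a default gateway left on Automatic that ends up pointing into the VPN, and a VTI route for the HQ LAN that collides with a branch WAN sitting in the same 192.168.1 range) can both be caught by reading the FreeBSD routing table that pfSense runs on. The script below is an added example and is not code from the thread or from Netgate: it parses `netstat -rn`-style IPv4 rows, reports whether the default route still leaves via the WAN interface and whether the default gateway is still reached through that interface, and offers a pre-flight check that tests a remote prefix against the WAN's connected network before you route it over the VTI. The interface names (em0 as WAN, ipsec1000 as the VTI), the 10.99.0.x tunnel addresses and the two sample tables are constructed for illustration.

```python
# Added example: routing-table sanity checks for VTI routed IPsec on pfSense.
# Interface names, addresses and the sample tables below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

VTI_PREFIX = "ipsec"  # pfSense names VTI interfaces ipsec<reqid>, e.g. ipsec1000


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: str   # next-hop address, or "link#N" for a connected route
    flags: str
    netif: str

    @property
    def is_default(self) -> bool:
        return self.dest.prefixlen == 0

    @property
    def via_tunnel(self) -> bool:
        return self.netif.startswith(VTI_PREFIX)


def parse_netstat(text: str) -> List[Route]:
    """Parse `netstat -rn` rows (Destination Gateway Flags Netif ...).
    Header and IPv6 rows fail IPv4 parsing and are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            net = (ipaddress.IPv4Network("0.0.0.0/0") if parts[0] == "default"
                   else ipaddress.IPv4Network(parts[0], strict=False))  # host -> /32
        except ValueError:
            continue
        routes.append(Route(net, parts[1], parts[2], parts[3]))
    return routes


def longest_match(routes: List[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Non-default route the kernel would use to reach addr."""
    hits = [r for r in routes if not r.is_default and addr in r.dest]
    return max(hits, key=lambda r: r.dest.prefixlen, default=None)


def check_routes(routes: List[Route]) -> List[str]:
    """Flag a default route that leaves via the VTI, or a default gateway
    that is no longer reached through the WAN interface."""
    default = next((r for r in routes if r.is_default), None)
    if default is None:
        return ["no default route: Internet unreachable"]
    if default.via_tunnel:
        return [f"default route leaves via VTI {default.netif}; pin the default "
                "gateway to the WAN gateway instead of Automatic"]
    gw = ipaddress.IPv4Address(default.gateway)
    hop = longest_match(routes, gw)
    if hop is None or hop.netif != default.netif:
        where = f"{hop.dest} on {hop.netif}" if hop else "nothing"
        return [f"default gateway {gw} resolves via {where}, not the WAN interface "
                f"{default.netif}: a tunnel route shadows the WAN subnet"]
    return []


def preflight(routes: List[Route], remote_prefix: str) -> List[str]:
    """Before routing remote_prefix over the VTI: does it overlap a connected
    network on the WAN interface, or contain the default gateway itself?"""
    remote = ipaddress.IPv4Network(remote_prefix, strict=False)
    default = next((r for r in routes if r.is_default), None)
    if default is None:
        return ["no default route present"]
    out = []
    for r in routes:
        if r.netif == default.netif and "G" not in r.flags and r.dest.overlaps(remote):
            out.append(f"{remote} overlaps WAN network {r.dest} on {r.netif}")
    if not default.via_tunnel and ipaddress.IPv4Address(default.gateway) in remote:
        out.append(f"{remote} contains the default gateway {default.gateway}; "
                   "Internet traffic would be pulled into the tunnel")
    return out


# Constructed branch table BEFORE the VTI route: WAN em0 sits in 192.168.1.0/24
# behind the ISP router, the VTI peer is 10.99.0.2 on ipsec1000.
BRANCH_BEFORE = """\
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
10.20.0.0/24       link#2             U           em1
10.99.0.2          link#5             UH    ipsec1000
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#1             U           em0
192.168.1.50       link#1             UHS         lo0
"""
# Same box AFTER the HQ LAN (also 192.168.1.0/24) was routed over the VTI:
# the tunnel route has taken the place of the WAN's connected route.
BRANCH_AFTER = BRANCH_BEFORE.replace(
    "192.168.1.0/24     link#1             U           em0",
    "192.168.1.0/24     10.99.0.2          UGS   ipsec1000")

if __name__ == "__main__":
    for name, table in (("before", BRANCH_BEFORE), ("after", BRANCH_AFTER)):
        print(name, check_routes(parse_netstat(table)) or ["ok"])
    print("preflight", preflight(parse_netstat(BRANCH_BEFORE), "192.168.1.0/24"))
```

On a real box, feed it the output of `netstat -rn` from the pfSense shell; `preflight` is the check to run on the branch before converting a policy-based tunnel to VTI, with the remote side's LAN prefix as the argument. It only looks at routing; it does not explain the HQ-side outage the thread leaves open.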

@michmoor Yeah, we'll ask to change that IP range.

But indeed, when working remotely, this loses the Internet, also at the HQ.

When I was trying at the HQ locally this morning, it did not get lost... so weird.

And just now at the branch it did seem to work when I left; I came home and added a second P2 to the tunnel (and somehow I also saw the IPsec gateway was down in a glitch) and it went down again...

It does not like me when I try to do things from home, apparently.

When the local IT guy disabled the IPsec tunnel, the Internet was working again.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.