Site to Site IPsec VPN



  • Good morning,

    I am a newbie to pfSense and need a little help with a site to site VPN. Both are pfSense 1.2.3.

    It looks like I have the tunnel established as it is showing up under the status-ipsec overview page.

    Subnet in site A (dmz) is 172.16.1.0/24 and site B (lan) is 172.16.2.0/24. Site B has only two physical interfaces WAN and LAN while site A has three - WAN, LAN and DMZ.

    From the diagnostics menu I can ping from site A to a host in site B using the dmz interface and from site B to a host in site A using the lan interface. When trying from the LAN interface at site A I get strange routing:

    PING 172.16.2.221 (172.16.2.221) from 10.5.1.1: 56 data bytes
    92 bytes from 198-178-12-5.denver.co.biz.comcast.net (198.178.12.5): Time to live exceeded
    Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
    4  5  00 5400 78f3  0 0000  01  01 86c3 10.5.1.1  172.16.2.221

    (10.5.1.1 is the IP of the LAN interface on site A). I also get this same routing issue if I try to traceroute from a host on the LAN in site A. Also cannot ping from a host on the site A DMZ to any host in site B.

    In the IPSec setup I have selected the "network" option for the local subnet since there is no dmz option. Could this be where I have gone wrong?

    Any guidance would be appreciated.

    Thank you.
    Scott Oyer



  • You can't access networks over a VPN from pfSense itself by default; it looks like that's what you are doing.

    Try from another computer.



  • Does not matter if from pfSense or a workstation on my LAN here at site A - cannot connect to site B via the IPsec VPN.

    Scott



  • post your config/firewall rules (black out the first 2 octets for every IP address for your security)



  • Hi,

    There is only a tunnel between site A 172.16.1.0/24 and site B (lan) 172.16.2.0/24!

    The ping failed because of the missing tunnel. IPsec is not routed.

    You need to add a parallel tunnel on both sites for network 10.5.1.0.

    Site A 10.5.1.0/24 (lan) <--> site B (lan) 172.16.2.0/24

    If you want to route VPN traffic, use OpenVPN.

    you cant access networks over a vpn from pfsense itself by default, it looks like thats what you are doing.

    Yes, that's caused by the FreeBSD IPsec implementation.

    You need to set the source IP (interface) or you need to define a static route.

    Remember the LAN IP must match the tunnel definition to work.

    ping -S <lan ip>

    cya
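The reply above describes policy-based IPsec: a packet is only encapsulated if its (source, destination) pair falls inside a negotiated phase 2 selector, otherwise it follows the normal routing table, which is why the 10.5.1.1-sourced ping left via Comcast. The following is an added illustration, not code from the thread or from pfSense; it models that selector lookup with the subnets quoted in the thread and assumes 172.16.1.1 as the site A DMZ interface address.

```python
# Added example: a small model of the IPsec security-policy lookup, to show why a
# packet sourced from the site A LAN (10.5.1.0/24) goes out in the clear while one
# sourced from the DMZ (172.16.1.0/24) is encrypted, and why the parallel phase 2
# must exist on BOTH sites for the reply to come back through the tunnel.
import ipaddress
from typing import List, Optional, Tuple

Policy = Tuple[str, str]  # (local subnet, remote subnet) = one phase 2 entry


def match_policy(src: str, dst: str, policies: List[Policy]) -> Optional[Policy]:
    """Return the first phase 2 selector covering src -> dst, else None.

    Policy-based IPsec consults the security policy database per packet: only a
    packet whose source and destination both fall inside a selector pair is
    encapsulated; everything else is handed to the ordinary routing table.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in policies:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return (local, remote)
    return None


def path_for(src: str, dst: str, policies: List[Policy]) -> str:
    """'ipsec' if the packet matches a selector, else 'cleartext-default-route'."""
    return "ipsec" if match_policy(src, dst, policies) else "cleartext-default-route"


def round_trip(src: str, dst: str, a: List[Policy], b: List[Policy]) -> Tuple[str, str]:
    """Path of the request at site A and of the reply (dst -> src) at site B."""
    return path_for(src, dst, a), path_for(dst, src, b)


# Site A as the original poster configured it: one phase 2, DMZ <-> site B LAN.
SITE_A_P2 = [("172.16.1.0/24", "172.16.2.0/24")]
# Site B's mirror image of that single phase 2.
SITE_B_P2 = [("172.16.2.0/24", "172.16.1.0/24")]
# Both sides after adding the parallel phase 2 the reply recommends.
SITE_A_FIXED = SITE_A_P2 + [("10.5.1.0/24", "172.16.2.0/24")]
SITE_B_FIXED = SITE_B_P2 + [("172.16.2.0/24", "10.5.1.0/24")]

if __name__ == "__main__":
    # The ping from the thread: source 10.5.1.1 (LAN interface) to 172.16.2.221.
    print(round_trip("10.5.1.1", "172.16.2.221", SITE_A_P2, SITE_B_P2))
    # Same destination, sourced from the DMZ interface (ping -S <dmz ip>, assumed 172.16.1.1).
    print(round_trip("172.16.1.1", "172.16.2.221", SITE_A_P2, SITE_B_P2))
    # Parallel phase 2 added on site A only: request is encrypted, reply is not.
    print(round_trip("10.5.1.1", "172.16.2.221", SITE_A_FIXED, SITE_B_P2))
    # Added on both sites: the LAN-sourced traffic is encrypted in both directions.
    print(round_trip("10.5.1.1", "172.16.2.221", SITE_A_FIXED, SITE_B_FIXED))
```

The third case is the one to check for when a ping stays one-directional after editing only one firewall: the peer needs the matching selector too.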

