Site to Site IPsec VPN
-
Good morning,
I am a newbie to pfSense and need a little help with a site-to-site VPN. Both are pfSense 1.2.3.
It looks like I have the tunnel established, as it is showing up under the Status > IPsec overview page.
The subnet in site A (DMZ) is 172.16.1.0/24 and in site B (LAN) it is 172.16.2.0/24. Site B has only two physical interfaces, WAN and LAN, while site A has three: WAN, LAN and DMZ.
From the Diagnostics menu I can ping from site A to a host in site B using the DMZ interface, and from site B to a host in site A using the LAN interface. When trying from the LAN interface at site A I get strange routing:
PING 172.16.2.221 (172.16.2.221) from 10.5.1.1: 56 data bytes
92 bytes from 198-178-12-5.denver.co.biz.comcast.net (198.178.12.5): Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src          Dst
 4  5  00 5400 78f3   0 0000  01  01 86c3 10.5.1.1 172.16.2.221

(10.5.1.1 is the IP of the LAN interface on site A.) I also get this same routing issue if I try to traceroute from a host on the LAN in site A. I also cannot ping from a host on the site A DMZ to any host in site B.
In the IPsec setup I have selected the "network" option for the local subnet, since there is no DMZ option. Could this be where I have gone wrong?
Any guidance would be appreciated.
Thank you.
Scott Oyer
-
You can't access networks over a VPN from pfSense itself by default; it looks like that's what you are doing.
Try from another computer.
-
It does not matter whether it is from pfSense or from a workstation on my LAN here at site A; I cannot connect to site B via the IPsec VPN.
Scott
-
Post your config/firewall rules (black out the first two octets of every IP address for your security).
-
Hi,
There is only a tunnel between site A 172.16.1.0/24 and site B (LAN) 172.16.2.0/24!
The ping failed because of the missing tunnel. IPsec is not routed.
You need to add a parallel tunnel on both sites for the network 10.5.1.0:
Site A 10.5.1.0/24 (LAN) <--> site B (LAN) 172.16.2.0/24
If you want to route VPN traffic, use OpenVPN.

> You can't access networks over a VPN from pfSense itself by default; it looks like that's what you are doing.

Yes, that's caused by the FreeBSD IPsec implementation.
You need to set the source IP (interface) or you need to define a static route.
Remember the LAN IP must match the tunnel definition to work:
ping -S <lan ip>
cya
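The policy-based selection the reply above describes, as an added Python model that is not from the thread and not pfSense or FreeBSD code: the SPD entries are constructed from the subnets given in the thread, and the helper names (`Phase2`, `match_policy`, `classify`, `round_trip_ok`) are mine. It shows why an echo request sourced from 10.5.1.1 misses every selector and falls through to the default route until a phase 2 for 10.5.1.0/24 exists on both ends.

```python
"""Policy-based IPsec selector matching for the two sites in the thread.

Added example, not pfSense code. Subnets are taken from the thread; the SPD
entries and helper names are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Phase2:
    """One phase 2 / SPD entry: traffic from `local` to `remote` goes into ESP."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def p2(local: str, remote: str) -> Phase2:
    return Phase2(ipaddress.ip_network(local), ipaddress.ip_network(remote))


# Site A as first configured: only the DMZ subnet is covered by the tunnel.
SITE_A_ORIG = (p2("172.16.1.0/24", "172.16.2.0/24"),)
SITE_B_ORIG = (p2("172.16.2.0/24", "172.16.1.0/24"),)

# After adding the parallel tunnel for the site A LAN, on BOTH ends.
SITE_A_FIXED = SITE_A_ORIG + (p2("10.5.1.0/24", "172.16.2.0/24"),)
SITE_B_FIXED = SITE_B_ORIG + (p2("172.16.2.0/24", "10.5.1.0/24"),)


def match_policy(policies: Sequence[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """First SPD entry whose selectors cover src -> dst, or None.

    Policy-based IPsec is keyed on source and destination address; there is no
    route "into the tunnel" that a packet with a non-matching source could take.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if s in p.local and d in p.remote:
            return p
    return None


def classify(policies: Sequence[Phase2], src: str, dst: str) -> str:
    """Where an outbound packet ends up: inside ESP, or out the default route in the clear."""
    p = match_policy(policies, src, dst)
    if p is None:
        # The symptom in the thread: the echo request to 172.16.2.221 left via WAN
        # unencrypted and an ISP router answered "Time to live exceeded".
        return "cleartext via default route"
    return f"esp {p.local}->{p.remote}"


def round_trip_ok(site_a: Sequence[Phase2], site_b: Sequence[Phase2], src: str, dst: str) -> bool:
    """A reply only comes back if the request (A->B) AND the reply (B->A) both match an entry.

    Adding the entry on one side only is not enough; this is the "on both sites" point.
    """
    return (match_policy(site_a, src, dst) is not None
            and match_policy(site_b, dst, src) is not None)


if __name__ == "__main__":
    for label, pol in (("original", SITE_A_ORIG), ("with parallel tunnel", SITE_A_FIXED)):
        print(f"{label:22s} 172.16.1.1 -> 172.16.2.221: {classify(pol, '172.16.1.1', '172.16.2.221')}")
        print(f"{label:22s} 10.5.1.1   -> 172.16.2.221: {classify(pol, '10.5.1.1', '172.16.2.221')}")
```

The model is why `ping -S 172.16.1.1 172.16.2.221` from the site A box works with the original tunnel while a ping sourced from 10.5.1.1 does not. The practitioner's check is the security-relevant part: a packet that misses every selector is not dropped, it is forwarded in the clear via WAN, which is exactly what the ISP's TTL-exceeded reply showed, so the installed selectors should be compared on both ends (on FreeBSD, `setkey -DP` dumps the installed SPD).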