Site-to-site routing headaches
I'm setting up a site-to-site OpenVPN connection, and having some routing problems I'm hoping another pair of eyes can help with.
Both VPN gateways are NAT routers and the default route for their particular networks. The local, server end is pfSense, the remote, client end is Linux + shorewall. The networks are assigned as follows:
Local LAN: 192.168.100.0/24
Remote LAN: 192.168.66.0/24
The problem I'm having is machines on the 192.168.100.0/24 network can't talk to machines on the 192.168.66.0/24 network, and vice versa. However, the VPN client itself can talk to the 192.168.100.0/24 network just fine.
Routing table on the client:
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.65.6 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.100.0 192.168.65.5 255.255.255.0 UG 0 0 0 tun0
192.168.65.0 192.168.65.5 255.255.255.0 UG 0 0 0 tun0
192.168.66.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
184.108.40.206 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 220.127.116.11 0.0.0.0 UG 0 0 0 eth1
Routing table on the server (trimmed to just the relevant parts.) There are no static routes, these are what OpenVPN and pfSense came up with:
192.168.65.0/24 192.168.65.2 UGS 0 245 1500 tun0
192.168.65.2 192.168.65.1 UH 2 0 1500 tun0
192.168.66.0/24 192.168.65.2 UGS 0 133 1500 tun0
Again, the issue is the VPN client itself can ping the 192.168.100.0/24 network, but 192.168.100.0/24 and 192.168.66.0/24 can't talk to each other.
On the server I have 192.168.100.0/24 in the "Local network" slot, and 192.168.66.0/24 in the "remote network" slot. The client VPN config is pretty simple:
client dev tun proto udp remote xxx.xx.xxx.xx 1195 resolv-retry infinite nobind user nobody group nobody persist-key persist-tun ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/mandrill.crt key /etc/openvpn/keys/mandrill.key
I should add that when I run tcpdump -i tun0 on the client, I see traffic to 192.168.100.0/24 being routed through it from the clients on 192.168.66.0/24. But it never seems to come out the other end; it doesn't appear on the LAN at the server end. This makes me think there's something wrong with my pfSense configuration, but I'm not sure what.
So, I tried replacing the Linux+shorewall router with pfSense, to see if it was something strange with how I was configuring the Linux client. Still no joy. Then I tried using IPsec instead of OpenVPN, and it worked! This may be the first time in history IPsec has actually made something easier. ;)