Site-to-site routing headaches
  • I'm setting up a site-to-site OpenVPN connection, and having some routing problems I'm hoping another pair of eyes can help with.

    Both VPN gateways are NAT routers and the default route for their particular networks.  The local, server end is pfSense, the remote, client end is Linux + shorewall.  The networks are assigned as follows:

    Local LAN: 192.168.100.0/24
    Remote LAN: 192.168.66.0/24

    The problem I'm having is machines on the 192.168.100.0/24 network can't talk to machines on the 192.168.66.0/24 network, and vice versa.  However, the VPN client itself can talk to the 192.168.100.0/24 network just fine.

    Routing table on the client:
    Destination     Gateway          Genmask          Flags Metric Ref Use Iface
    192.168.65.6    0.0.0.0          255.255.255.255  UH    0      0   0   tun0
    192.168.100.0   192.168.65.5     255.255.255.0    UG    0      0   0   tun0
    192.168.65.0    192.168.65.5     255.255.255.0    UG    0      0   0   tun0
    192.168.66.0    0.0.0.0          255.255.255.0    U     0      0   0   eth0
    128.95.232.0    0.0.0.0          255.255.255.0    U     0      0   0   eth1
    0.0.0.0         128.95.232.100   0.0.0.0          UG    0      0   0   eth1

    Routing table on the server (trimmed to just the relevant parts).  There are no static routes; these are what OpenVPN and pfSense came up with:
    192.168.65.0/24   192.168.65.2   UGS   0   245   1500   tun0
    192.168.65.2      192.168.65.1   UH    2   0     1500   tun0
    192.168.66.0/24   192.168.65.2   UGS   0   133   1500   tun0

    Again, the issue is the VPN client itself can ping the 192.168.100.0/24 network, but 192.168.100.0/24 and 192.168.66.0/24 can't talk to each other.

    On the server I have 192.168.100.0/24 in the "Local network" slot, and 192.168.66.0/24 in the "remote network" slot.  The client VPN config is pretty simple:

    client
    dev tun
    proto udp
    remote xxx.xx.xxx.xx 1195
    resolv-retry infinite
    nobind
    user nobody
    group nobody
    persist-key
    persist-tun
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/mandrill.crt
    key /etc/openvpn/keys/mandrill.key
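As an added diagnostic example (not from the original post), the two routing tables quoted above can be fed through a small longest-prefix-match check to confirm that each gateway's kernel would actually send traffic for the far LAN into tun0. The tables are embedded as constructed copies of the post's output; the sample host addresses are assumptions.

```python
import ipaddress

# Constructed copies of the two routing tables quoted in the post.
CLIENT_ROUTES = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.65.6 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.100.0 192.168.65.5 255.255.255.0 UG 0 0 0 tun0
192.168.65.0 192.168.65.5 255.255.255.0 UG 0 0 0 tun0
192.168.66.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
128.95.232.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 128.95.232.100 0.0.0.0 UG 0 0 0 eth1
"""
SERVER_ROUTES = """\
192.168.65.0/24 192.168.65.2 UGS 0 245 1500 tun0
192.168.65.2 192.168.65.1 UH 2 0 1500 tun0
192.168.66.0/24 192.168.65.2 UGS 0 133 1500 tun0
"""

def parse_linux(text):
    """Parse Linux `route -n` output into (network, iface) pairs; skips the header."""
    routes = []
    for line in text.splitlines()[1:]:
        dst, _gw, mask, _flags, *_rest, iface = line.split()
        routes.append((ipaddress.ip_network(f"{dst}/{mask}", strict=False), iface))
    return routes

def parse_bsd(text):
    """Parse pfSense `netstat -rn` lines (CIDR or bare host) into (network, iface)."""
    routes = []
    for line in text.splitlines():
        dst, _gw, _flags, *_rest, iface = line.split()
        net = ipaddress.ip_network(dst if "/" in dst else f"{dst}/32", strict=False)
        routes.append((net, iface))
    return routes

def route_iface(routes, addr):
    """Longest-prefix match: the interface the kernel would pick for addr, or None."""
    addr = ipaddress.ip_address(addr)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def tunnel_routes_present():
    """True when both gateways route the far LAN into tun0 (sample hosts are assumed)."""
    client, server = parse_linux(CLIENT_ROUTES), parse_bsd(SERVER_ROUTES)
    return (route_iface(client, "192.168.100.10") == "tun0"
            and route_iface(server, "192.168.66.10") == "tun0")
```

On the post's tables the check passes, so the kernel routes exist on both ends; that is consistent with packets entering tun0 on the client yet never appearing on the server LAN, which leaves OpenVPN's own per-client routing (the server needs an iroute for a subnet behind a client, in addition to the kernel route) and the firewall rules on the server's OpenVPN interface as the remaining things to verify.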
  • I should add that when I run tcpdump -i tun0 on the client, I see traffic to 192.168.100.0/24 being routed through it from the clients on 192.168.66.0/24.  But it never seems to come out the other end; it doesn't appear on the LAN at the server end.  This makes me think there's something wrong with my pfSense configuration, but I'm not sure what.



  • So, I tried replacing the Linux+shorewall router with pfSense, to see if it was something strange with how I was configuring the Linux client.  Still no joy.  Then I tried using IPsec instead of OpenVPN, and it worked!  This may be the first time in history IPsec has actually made something easier. ;)