4. Site-to-site routing headaches

Site-to-site routing headaches

  • D

    I'm setting up a site-to-site OpenVPN connection, and having some routing problems I'm hoping another pair of eyes can help with.

    Both VPN gateways are NAT routers and the default route for their particular networks.  The local, server end is pfSense, the remote, client end is Linux + shorewall.  The networks are assigned as follows:

    Local LAN: 192.168.100.0/24
    Remote LAN: 192.168.66.0/24

    The problem I'm having is machines on the 192.168.100.0/24 network can't talk to machines on the 192.168.66.0/24 network, and vice versa.  However, the VPN client itself can talk to the 192.168.100.0/24 network just fine.

    Routing table on the client:
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.65.6 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
    192.168.100.0 192.168.65.5 255.255.255.0 UG 0 0 0 tun0
    192.168.65.0 192.168.65.5 255.255.255.0 UG 0 0 0 tun0
    192.168.66.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    128.95.232.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
    0.0.0.0 128.95.232.100 0.0.0.0 UG 0 0 0 eth1

    Routing table on the server (trimmed to just the relevant parts.)  There are no static routes, these are what OpenVPN and pfSense came up with:
    192.168.65.0/24 192.168.65.2 UGS 0 245 1500 tun0
    192.168.65.2 192.168.65.1 UH 2 0 1500 tun0
    192.168.66.0/24 192.168.65.2 UGS 0 133 1500 tun0

    Again, the issue is the VPN client itself can ping the 192.168.100.0/24 network, but 192.168.100.0/24 and 192.168.66.0/24 can't talk to each other.

    On the server I have 192.168.100.0/24 in the "Local network" slot, and 192.168.66.0/24 in the "remote network" slot.  The client VPN config is pretty simple:

    client
dev tun
proto udp
remote xxx.xx.xxx.xx 1195
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/mandrill.crt
key /etc/openvpn/keys/mandrill.key
    0
  • D

    I should add that when I run tcpdump -i tun0 on the client, I see traffic to 192.168.100.0/24 being routed through it from the clients on 192.168.66.0/24.  But it never seems to come out the other end; it doesn't appear on the LAN at the server end.  This  makes me think there's something wrong with my pfSense configuration, but I'm not sure what.

    0
  • D

    So, I tried replacing the Linux+shorewall router with pfSense, to see if it was something strange with how I was configuring the Linux client.  Still no joy.  Then I tried using IPsec instead of OpenVPN, and it worked!  This may be the first time in history IPsec has actually made something easier. ;)

    0
Locked
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy