Site to Site VPN Issues

  • I have a setup which is defined as follows:

    Server 1 LAN: 192.168.146.0/24
    Client 1 LAN: 192.168.147.0/24
    VPN subnet: 10.0.8.0/24

    Server 1 is a network operating in one location where pfSense is doing NAT.
    Client 1 is a network operating in another location (again pfSense is doing NAT).

    Both have static public IPs with DHCP going on internally. Both are operating in corporate data-centres and are therefore going to have limited QoS/packet inspection occurring (we're not going through a retail internet connection, for example).

    The site-to-site VPN is currently limited to a single pfSense client connecting to Server 1. This site-to-site VPN is operating correctly using TCP. Both the server and client networks have road-warrior VPNs set up which are separate from the site-to-site VPN and are used by management laptops using the standard 1124 TCP port. These are working correctly.

    Due to the operating requirements of these networks all VPN connections must use PKI.

    When the site-to-site VPN is set up under TCP there are no issues; when it is set up using UDP, the VPN gateway is ignored, and the request jumps to the data-centre gateway, effectively ignoring all VPN routing. If possible I would like to switch the site-to-site VPN to use UDP so:

    • The road-warrior VPNs continue to use TCP unchanged

    • The site-to-site VPN with the UDP issue can use UDP (for the performance gains).

    When I have attempted to change this previously, I have also altered the NAT table (including the AON configuration), the firewall rules and the OpenVPN configuration.

    The site-to-site VPN uses port 1295 so as not to conflict with the road-warrior VPNs, and uses the custom options to specify iroutes and routes in the server config and client-specific configuration respectively. I am using the VMware distribution of the 1.2.3 stable version of pfSense on both router boxes.

    I would be appreciative if anyone could shed any light on why UDP may not work in this situation (even if it is likely just down to my ISP's setup), or any possible reasons for the issues I am facing.

    Many thanks for your patience in reading this.
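As an added, illustrative example (not configuration from the original post, and not pfSense's own generated files), the pieces of a UDP site-to-site OpenVPN setup that have to agree with one another for routing to work: the protocol and port on both ends, the `route`/`iroute` pair on the server, the route pushed to the client, and the WAN firewall rule, which must now admit UDP rather than TCP on the chosen port. The certificate paths, the ccd file name, and the server's public address are placeholders and assumptions; substitute the values pfSense writes out. The subnets and port are the ones given in the post.

```conf
# --- Server 1 (192.168.146.0/24 side), OpenVPN server instance ---
# Assumed file; pfSense builds the equivalent from the GUI fields plus "custom options".
proto udp                      # was "proto tcp-server" in the working setup
port 1295                      # separate port, so it does not collide with the road-warrior instance
dev tun
server 10.0.8.0 255.255.255.0  # VPN subnet from the post
ca   /path/to/ca.crt           # placeholder paths: PKI is required, so cert/key auth on both ends
cert /path/to/server1.crt
key  /path/to/server1.key
dh   /path/to/dh.pem

# Kernel route: the server box sends traffic for Client 1 LAN into the tunnel.
route 192.168.147.0 255.255.255.0
# Per-client files; the file name must equal the CN of the client's certificate.
client-config-dir /path/to/ccd
# The client learns how to reach Server 1 LAN through the tunnel.
push "route 192.168.146.0 255.255.255.0"

keepalive 10 60
persist-key
persist-tun
verb 4                         # log level high enough to show route/iroute handling

# --- Server 1: ccd/client1 (client-specific override; "client1" is an assumed CN) ---
# Internal OpenVPN route: tells the server process WHICH client owns 192.168.147.0/24.
# Without this, "route" alone delivers packets to the tun device but OpenVPN drops
# return traffic with "MULTI: bad source address from client".
iroute 192.168.147.0 255.255.255.0

# --- Client 1 (192.168.147.0/24 side), OpenVPN client instance ---
client
proto udp                      # must match the server; a TCP client cannot reach a UDP server
remote <server1 public IP> 1295  # placeholder for the static public address of Server 1
dev tun
ca   /path/to/ca.crt
cert /path/to/client1.crt
key  /path/to/client1.key
nobind
persist-key
persist-tun
verb 4

# --- Server 1 WAN firewall rule (pfSense GUI, not an OpenVPN directive) ---
# pass  proto UDP  src any  dst WAN address  dst-port 1295
# A rule left on TCP/1295 from the old setup silently blocks the UDP handshake.
```

The symptom "traffic goes to the data-centre gateway instead of the VPN gateway" is what a box shows whenever it has no route for the far LAN via the tun interface, and the usual reason with a fresh UDP instance is that the tunnel never came up, so the route was never installed. Two checks on each pfSense box narrow it down: `netstat -rn` should list 192.168.147.0/24 (on Server 1) or 192.168.146.0/24 (on Client 1) against a tun interface, and `tcpdump -ni <wan-if> udp port 1295` on the server's WAN should show the client's handshake arriving; if it arrives but the OpenVPN log shows nothing, the firewall rule is the first suspect, and if the log shows the client connecting but the LAN route is missing, compare the `route`/`iroute` pair and the ccd file name against the client certificate's CN.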