Routing to other subnets
I'm attempting to do a 'site to site' VPN setup. I've attached my topology here…
I made a few changes to the pic, instead of the "VPN Server / Ubuntu VM", it's a pfSense box, and instead of the vpn client / ubuntu, it's another pfsense box.
I've attempted to do this with OpenVPN on Ubuntu and failed. Then I tried OpenVPN on pfSense, and it didn't work out either. So now I've tried IPsec and I'm still having the same problems.
The problem is that I can't ping/access any other machines that aren't on the 140 subnet. Everything on the 140 net is fine, it's just that when I try to ping elsewhere (192.168.102.1, 192.168.1.1, etc), it fails.
I have a feeling that I have to add a route to the pfsense box. I tried this, but I don't think I'm doing it right. Can somebody give a suggestion on how to accomplish this?
Are you able to cross the VPN tunnel? If so, I think you are right, you'll have to set up a route to get the two subnets talking to each other. Make sure you have a rule set to allow the packets through on the vpn interfaces, and make sure you have Block Private networks unchecked.
My guess is you either don't have a route between subnets or the firewall is scrubbing private IP addresses. Strictly speaking, private IPs aren't supposed to be routable.
Thank you so much for the reply!
I'm going to look at it today again and see if I can't get this thing working. I have a funny feeling that it might be a firewall issue, or maybe a NAT thing. I also have the block private nets unchecked. Found that out the hard way a while ago. :)
Back to tcpdump!
Thanks for the help. Hopefully I can get this thing working today!
OK, I did a little more troubleshooting, and here's what's going on…
On my topology map, in the "VPN Client / Ubuntu" box, which is now pfSense, I can see pings on eth1, but I do not see them getting forwarded to eth0 to subnets other than vlan140. So, somewhere, the connection breaks from eth1 to eth0 on the VPN Client. I tried to add a route, but I'm not exactly sure what the router for the IPsec tunnel is.
Another thing is that in the IPsec configs, I have a "phase 2" network of 192.168.140.0/24. If I try to add another 'phase 2' network of 192.168.1.0/24, that network doesn't connect and errors out on the IPsec VPN server. I also checked, and firewall rules are NOT blocking the traffic. I set the rules to log, and I can see the ICMP ping, and it's passing.
I believe it's a routing problem now. But how in the world do you add a route to another network on an IPsec tunnel? I also tried to use the IPsec endpoint IP as the router/gateway, but no dice.
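A short illustration of why a missing phase 2 entry looks like a routing problem (an added example, not code or configuration from either poster): a policy-based IPsec tunnel picks up traffic by matching the packet's source and destination against the negotiated phase 2 selectors, not by a gateway address you can route to. The 192.168.140.0/24 and 192.168.1.0/24 subnets come from the thread; treating 192.168.102.0/24 as the client-side LAN, and the host addresses used, are assumptions.

```python
import ipaddress

# Constructed example, not the poster's configuration. 192.168.140.0/24 and
# 192.168.1.0/24 appear in the thread; using 192.168.102.0/24 as the client-side
# LAN follows the reply's reading of the topology and is an assumption.
CLIENT_LAN = "192.168.102.0/24"
REMOTE_SUBNETS = ["192.168.140.0/24", "192.168.1.0/24"]

# Phase 2 as described in the thread: only one (local, remote) selector pair.
PHASE2_ONLY_140 = [(CLIENT_LAN, "192.168.140.0/24")]


def matching_selector(selectors, src, dst):
    """Return the (local, remote) selector pair covering src -> dst, or None.

    Mirrors the security policy lookup a policy-based tunnel performs: with no
    match the packet is never encapsulated and simply falls through to the
    ordinary routing table, which is why a static route pointing at the tunnel
    endpoint does not help."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in selectors:
        lnet, rnet = ipaddress.ip_network(local), ipaddress.ip_network(remote)
        # Outbound direction, or the reply direction seen from the far side.
        if (s in lnet and d in rnet) or (s in rnet and d in lnet):
            return (local, remote)
    return None


def missing_selectors(selectors, local, remote_subnets):
    """List the phase 2 pairs still needed so every remote subnet is reachable.

    Each pair has to be configured identically on both peers; a pair present
    on only one side is refused during negotiation rather than brought up."""
    covered = [(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in selectors]
    lnet = ipaddress.ip_network(local)
    return [(local, r) for r in remote_subnets
            if not any(lnet.subnet_of(cl) and ipaddress.ip_network(r).subnet_of(cr)
                       for cl, cr in covered)]


if __name__ == "__main__":
    for dst in ("192.168.140.10", "192.168.1.1"):
        sel = matching_selector(PHASE2_ONLY_140, "192.168.102.50", dst)
        print(dst, "->", sel or "no selector: not sent through the tunnel")
    print("phase 2 entries to add on both peers:",
          missing_selectors(PHASE2_ONLY_140, CLIENT_LAN, REMOTE_SUBNETS))
```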
So if I'm reading you right, if you are on 102 trying to get to a non-140 address, it fails? I'm no expert on IPsec by any means, but perhaps it's going something like this: 120 crosses the tunnel to get to 140, and that works properly; 102 tries to get to 120, but it doesn't have a route, so it doesn't know to cross the tunnel to get there, which makes sense, because the tunnel is serving 102 to 140. Maybe set a route at the endpoints of the tunnel?
I'm picturing something like this:
102 tries to reach 120 --> route 102 to 140 -> ---tunnel--- 140 route to 120
120 talks back to 102 --> route 120 to 140 -> ---tunnel--- 140 route to 102