OpenVPN site-to-site problem
-
Hi,
I have a problem with a site-to-site PSK VPN between two pfSense 2.0.1 boxes.
My problem is that from the firewalls everything looks correct: I can ping or ssh the remote client (I use a Linux client with no personal firewall).
But from the clients I can't reach the remote LAN. I don't know where my problem is; I have tried rewriting the configuration a lot of times. This is my configuration (without public IP and PSK):
lan1 192.168.9.0 <--> pfsense1 <--> pfsense2 <--> lan2 192.168.8.0
pfsense2 - server:
Server mode: peer to peer (shared key)
Protocol: UDP
Device: tun
Tunnel network: 10.0.8.0/24
Local network: 192.168.8.0/24
Remote network: 192.168.9.0/24
Compression: LZO

pfsense1 - client:
Server mode: peer to peer (shared key)
Protocol: UDP
Device: tun
Tunnel network: 10.0.8.0/24
Remote network: 192.168.8.0/24
Compression: LZO

These are my routes on the firewalls (without public IP):
pfsense1 - client:
10.0.8.1 link#10 UH 0 15 ovpnc2
10.0.8.2 link#10 UHS 0 0 lo0
192.168.8.0/24 10.0.8.1 UGS 0 45 ovpnc2
192.168.9.0/24 link#2 U 0 37598040 em1

pfsense2 - server:
10.0.8.1 link#9 UHS 0 0 lo0
10.0.8.2 link#9 UH 0 72 ovpns1
192.168.8.0/24 link#2 U 0 229122 em1
192.168.8.1 link#2 UHS 0 0 lo0
192.168.9.0/24 10.0.8.2 UGS 0 1 ovpns1

The firewall on both sides is set to pass any protocol on the OpenVPN interface.
Could you help me?
Thanks in advance.
-
Initial configuration looks OK, I guess.
Post screenshots of your firewall rules, please.
Also, packet captures can help figure out where it goes wrong.
-
Thanks for your help.
I modified the configuration to use certificates and client-specific overrides, but I have the same problem.
I can ping (or ssh) from the firewalls but not from the clients in the two networks. This is my network:
lan1 192.168.9.0 <--> pfsense1 (OpenVPN client) <--> pfsense2 (OpenVPN server) <--> lan2 192.168.8.0
This is now my configuration with certificates:
Pfsense server:
/var/etc/openvpn/server1.conf
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local X.X.X.X
tls-server
ifconfig 10.0.8.1 10.0.8.2
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1195
management /var/etc/openvpn/server1.sock unix
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
comp-lzo
route 192.168.9.0 255.255.255.0
push "route 192.168.8.0 255.255.255.0"

/var/etc/openvpn-csc/fw-target
iroute 192.168.9.0 255.255.255.0
Pfsense client:
/var/etc/openvpn/client2.conf
dev ovpnc2
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local X.X.X.X
tls-client
client
lport 0
management /var/etc/openvpn/client2.sock unix
remote X.X.X.X 1195
ifconfig 10.0.8.2 10.0.8.1
route 192.168.8.0 255.255.255.0
ca /var/etc/openvpn/client2.ca
cert /var/etc/openvpn/client2.cert
key /var/etc/openvpn/client2.key
comp-lzo

In Firewall/Rules, tab OpenVPN, I have a rule: pass, any, any, any.
In Firewall/Rules, tab LAN, I have a rule: pass, any, any, any.
Thanks for your help.
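As an added example (editor's code, not pfSense's own and not from the thread), the following Python script checks a tun site-to-site pair like the one posted above for the mismatches that typically leave one side able to route and the other not: mirrored ifconfig endpoints, a server "route" for every "iroute" in the client-specific override (OpenVPN needs both: the route for the kernel, the iroute for its own client lookup), a route to the server LAN on the client, and matching transport parameters and port. The embedded configs are trimmed copies of the ones in the thread; the check_pair function and its finding messages are this example's own assumptions.

```python
"""Consistency check for an OpenVPN tun site-to-site pair.

Added example, not pfSense's own code and not from the thread. The three
config texts are trimmed from the ones posted (public IP left as X.X.X.X);
check_pair() and the finding messages are this example's own."""
import ipaddress

SERVER_CONF = """\
dev ovpns1
dev-type tun
proto udp
cipher AES-128-CBC
tls-server
ifconfig 10.0.8.1 10.0.8.2
lport 1195
comp-lzo
route 192.168.9.0 255.255.255.0
push "route 192.168.8.0 255.255.255.0"
"""

# client-specific override (/var/etc/openvpn-csc/fw-target in the thread)
CSC_CONF = "iroute 192.168.9.0 255.255.255.0\n"

CLIENT_CONF = """\
dev ovpnc2
dev-type tun
proto udp
cipher AES-128-CBC
tls-client
client
remote X.X.X.X 1195
ifconfig 10.0.8.2 10.0.8.1
route 192.168.8.0 255.255.255.0
comp-lzo
"""


def parse(text):
    """Return {option: [args, ...]}; quotes are dropped so push "route ..." parses too."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.replace('"', "").split()
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def net(args):
    """'192.168.9.0 255.255.255.0' -> IPv4Network('192.168.9.0/24')."""
    return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)


def check_pair(server_text, csc_text, client_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    s, o, c = parse(server_text), parse(csc_text), parse(client_text)
    findings = []

    # 1. point-to-point endpoints must be mirrored: server "ifconfig A B", client "ifconfig B A"
    s_if = s.get("ifconfig", [[]])[0]
    c_if = c.get("ifconfig", [[]])[0]
    if s_if[::-1] != c_if:
        findings.append(f"ifconfig mismatch: server {s_if} vs client {c_if}")

    # 2. every client-side LAN needs a kernel "route" on the server AND an "iroute" in the CSC
    s_routes = {net(a) for a in s.get("route", [])}
    iroutes = {net(a) for a in o.get("iroute", [])}
    for n in iroutes - s_routes:
        findings.append(f"iroute {n} has no matching server 'route' (kernel never sends it to tun)")
    for n in s_routes - iroutes:
        findings.append(f"server 'route {n}' has no iroute (OpenVPN cannot map it to a client)")

    # 3. the client must learn the server LAN, from its own "route" or from a pushed one
    pushed = {net(a[1:]) for a in s.get("push", []) if a and a[0] == "route"}
    if not (pushed | {net(a) for a in c.get("route", [])}):
        findings.append("client has no route to the server LAN (nothing local, nothing pushed)")

    # 4. transport parameters must agree, and the client must dial the server's listening port
    for opt in ("proto", "cipher", "comp-lzo", "dev-type"):
        if s.get(opt) != c.get(opt):
            findings.append(f"{opt} differs: server {s.get(opt)} vs client {c.get(opt)}")
    if "tls-server" in s and "tls-client" not in c:
        findings.append("server is tls-server but client lacks tls-client")
    lport = s.get("lport", [["1194"]])[0][0]
    for r in c.get("remote", []):
        port = r[1] if len(r) > 1 else "1194"
        if port != lport:
            findings.append(f"client dials port {port} but server listens on {lport}")
    return findings


if __name__ == "__main__":
    for f in check_pair(SERVER_CONF, CSC_CONF, CLIENT_CONF) or ["pair is consistent"]:
        print(f)
```

Run as-is it reports the posted pair as consistent, which matches the earlier reply that the configuration looks fine; delete the server's "route 192.168.9.0" line or the client's "tls-client" line and it names the break. A clean result here only says the OpenVPN side is coherent: it says nothing about whether the LAN hosts actually hand their packets to the firewall.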
-
Some more information.
If from a client in the LAN I do:
ping 192.168.8.10 (a client in the other network)
and on pfSense (OpenVPN client):
tcpdump -i ovpnc2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpnc2, link-type NULL (BSD loopback), capture size 96 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel

I can't see any packets. It is as if the packets are not routed into the tunnel.
But I don't know why, or how to fix the problem. If I use the command:
tcpdump -i pflog0 icmp
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
0 packets captured

I can't see any packets blocked by the firewall.
Thanks for your help.
-
So basically:
ping from pfsense1 LAN interface --> pfsense2 LAN client: OK?
ping from pfsense2 LAN interface --> pfsense1 LAN client: OK?
ping from pfsense1 LAN client --> pfsense2 LAN client: NOT OK?
ping from pfsense2 LAN client --> pfsense1 LAN client: NOT OK?

If that is the case, then you probably do not have the appropriate firewall rules on your LAN tab on both ends of the tunnel.
You need a firewall rule on LAN that allows traffic to the destination with gateway *.
-
Thanks for your help.
ping from pfsense1 LAN interface --> pfsense2 LAN client: OK
ping from pfsense2 LAN interface --> pfsense1 LAN client: OK
ping from pfsense1 LAN client --> pfsense2 LAN client: OK
ping from pfsense2 LAN client --> pfsense1 LAN client: OK

From pfsense1 or pfsense2 everything is OK! I can ping or ssh every machine in the two networks.
The problem is only when a computer in one network needs to access a computer in the other network.
ping from a server in LAN 1 --> to a server in LAN 2: NOT OK
ping from a server in LAN 2 --> to a server in LAN 1: NOT OK
-
Based on the info you provided, I'd focus on the routing table on the LAN1/2 clients …
-
I think the netmask of the tunnel network needs to be /31; please give it a try.
-
Thanks for your help.
ping from pfsense1 LAN interface --> pfsense2 LAN client: OK
ping from pfsense2 LAN interface --> pfsense1 LAN client: OK
ping from pfsense1 LAN client --> pfsense2 LAN client: OK
ping from pfsense2 LAN client --> pfsense1 LAN client: OK

From pfsense1 or pfsense2 everything is OK! I can ping or ssh every machine in the two networks.
The problem is only when a computer in one network needs to access a computer in the other network.
ping from a server in LAN 1 --> to a server in LAN 2: NOT OK
ping from a server in LAN 2 --> to a server in LAN 1: NOT OK
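One of the replies above suggests looking at the routing table on the LAN1/LAN2 clients. As an added example (editor's code, not from the thread), this Python script does a hop-by-hop longest-prefix-match trace through the two firewall routing tables posted earlier plus two constructed Linux-host tables, one whose default route points at pfsense1 and one pointing at some other router. The host tables, the names host-ok/host-bad, the address 192.168.9.254 and the address 192.168.9.1 for pfsense1's LAN interface are assumptions (the thread only shows 192.168.8.1 on pfsense2). It reproduces the symptom of an empty capture on ovpnc2 for the case where the host's own routing never delivers the packet to pfsense1 in the first place, which is one of the things that suggestion asks to verify.

```python
"""Hop-by-hop forwarding trace with longest-prefix match.

Added example, not from the thread. The pfsense1/pfsense2 entries are the
netstat -rn lines posted (destination, gateway, interface); the LAN-host
tables, the host names and the gateway address 192.168.9.1 for pfsense1's
LAN side are constructed assumptions (the thread shows only 192.168.8.1)."""
import ipaddress

# (destination prefix, gateway or "link" for directly connected, interface)
TABLES = {
    "pfsense1": [
        ("10.0.8.1/32", "link", "ovpnc2"),
        ("10.0.8.2/32", "link", "lo0"),
        ("192.168.8.0/24", "10.0.8.1", "ovpnc2"),
        ("192.168.9.0/24", "link", "em1"),
    ],
    "pfsense2": [
        ("10.0.8.1/32", "link", "lo0"),
        ("10.0.8.2/32", "link", "ovpns1"),
        ("192.168.8.0/24", "link", "em1"),
        ("192.168.8.1/32", "link", "lo0"),
        ("192.168.9.0/24", "10.0.8.2", "ovpns1"),
    ],
    # constructed LAN1 hosts: one defaults to pfsense1, one to some other router
    "host-ok": [
        ("192.168.9.0/24", "link", "eth0"),
        ("0.0.0.0/0", "192.168.9.1", "eth0"),
    ],
    "host-bad": [
        ("192.168.9.0/24", "link", "eth0"),
        ("0.0.0.0/0", "192.168.9.254", "eth0"),
    ],
}

# which node answers for which next-hop address (assumed addressing)
OWNER = {"192.168.9.1": "pfsense1", "10.0.8.2": "pfsense1",
         "10.0.8.1": "pfsense2", "192.168.8.1": "pfsense2"}


def lookup(table, dst):
    """Longest-prefix match; returns (gateway, interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, ifc in table:
        n = ipaddress.ip_network(prefix)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, ifc)
    return None if best is None else (best[1], best[2])


def trace(start, dst, max_hops=8):
    """Follow dst from node to node; returns [(node, egress interface), ...]."""
    path, node = [], start
    for _ in range(max_hops):
        hit = lookup(TABLES[node], dst)
        if hit is None:
            path.append((node, "no route"))
            break
        gw, ifc = hit
        path.append((node, ifc))
        if gw == "link":
            break  # delivered on the directly connected segment
        nxt = OWNER.get(gw)
        if nxt is None:
            path.append((gw, "off-path"))  # next hop is not one of our nodes
            break
        node = nxt
    return path


def crosses_tunnel(path):
    """True if some hop leaves through an OpenVPN interface (what tcpdump -i ovpnc2 would see)."""
    return any(ifc.startswith("ovpn") for _, ifc in path)


if __name__ == "__main__":
    for src in ("pfsense1", "host-ok", "host-bad"):
        p = trace(src, "192.168.8.10")
        print(f"{src:9} -> 192.168.8.10: {p}  tunnel={crosses_tunnel(p)}")
```

Starting from pfsense1 itself or from host-ok the packet crosses ovpnc2 and is delivered on pfsense2's em1, the same thing the firewall-to-host pings in the thread show. Starting from host-bad it leaves towards 192.168.9.254 and never touches the firewall, so neither ovpnc2 nor pflog0 sees anything. On a real host the equivalent single-hop answer comes from "ip route get 192.168.8.10" on Linux or "route -n get 192.168.8.10" on pfSense/FreeBSD; running it on the LAN client and on both firewalls tells you at which hop the trace above diverges from reality.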