Gateway to Gateway with IPSec not working

  • Hi everyone.  I would greatly appreciate anyone who can help with this as it's seriously confusing me.

    I have a very simple setup, with two private networks, A and B.  Where A is and B is

    These are connected together through IPSec.  Additionally on each gateway A and B I've added a rule to allow all traffic via the IPSec interface.  Every system behind gateway A is able to access every system behind gateway B including gateway B itself, and every system behind gateway B is able to access every system behind gateway A including gateway A itself.  However, any and all attempts directly between gateway A to gateway B using the private addresses fail.
    System behind gateway A ( can ssh, https, and hit the DNS forwarder on gateway B ( and any system behind gateway B (barring they don't have their own firewalls).
    However, gateway A ( cannot ssh, https, or hit the DNS forwarder on gateway B ( directly.  It can't even ping or traceroute or anything.

    What I am trying to achieve here is cross domain DNS forwarding where any system on network A using gateway A as its DNS.  Gateway A in turn uses the domain override (ex. to say oh no, this host (ex. needs to be resolved via gateway B (, as well as the exact opposite.  The problem is, when a client on network A hits up gateway A's DNS forwarder, the DNS forwarder tries to get the answer from gateway B but cannot connect.

    If I do dig @ <network b fqhn> from a system on network A that is not the gateway, it works fine.  I'm at a loss here, and I need this done yesterday!

  • Rebel Alliance Developer Netgate

  • Ok, I think this solved it.  Thanks!

  • I spoke too soon.  While the link you provided is correct in that this will allow the gateway to directly connect to systems on the others side of the VPN, it also appears to be causing routing issues for every box that is not the gateway when it's enabled.

    Prior to adding the static route according to the link, I can ping any system (on B network) from my desktop (on A network), however, any attempt to ping a system (on B network) from the gateway (on A network) itself will fail.

    If I then add the route, I can ping any systems (on B network) from the gateway (on A network), but my desktop (on A network) can no longer ping any systems (on B network).  I have noticed that sometimes it appears as though one packet "slips by" but from that point on it's destination host unreachable… oddly, the response is coming from my desktop's IP (not any gateway).
