Netgate Discussion Forum

    Gateway to Gateway with IPSec not working

    IPsec

      mattsah

      Hi everyone.  I would greatly appreciate anyone who can help with this as it's seriously confusing me.

      I have a very simple setup, with two private networks, A and B, where A is 192.168.1.0/24 and B is 192.168.2.0/24.

      These are connected together through IPSec.  Additionally on each gateway A and B I've added a rule to allow all traffic via the IPSec interface.  Every system behind gateway A is able to access every system behind gateway B including gateway B itself, and every system behind gateway B is able to access every system behind gateway A including gateway A itself.  However, any and all attempts directly between gateway A to gateway B using the private addresses fail.

      Examples:

      System 192.168.1.125 behind gateway A (192.168.1.1) can ssh, https, and hit the DNS forwarder on gateway B (192.168.2.1) and any system behind gateway B (provided they don't have their own firewalls).
      However, gateway A (192.168.1.1) cannot ssh, https, or hit the DNS forwarder on gateway B (192.168.2.1) directly.  It can't even ping or traceroute or anything.

      What I am trying to achieve here is cross-domain DNS forwarding, where any system on network A uses gateway A as its DNS.  Gateway A in turn uses the domain override (ex. b.in.example.com) to say oh no, this host (ex. host.b.in.example.com) needs to be resolved via gateway B (192.168.2.1), as well as the exact opposite.  The problem is, when a client on network A hits up gateway A's DNS forwarder, the DNS forwarder tries to get the answer from gateway B but cannot connect.

      If I do `dig @192.168.2.1 <network B FQHN>` from a system on network A that is not the gateway, it works fine.  I'm at a loss here, and I need this done yesterday!

        jimp (Rebel Alliance Developer, Netgate)

        http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

          mattsah

          Ok, I think this solved it.  Thanks!

            mattsah

            I spoke too soon.  While the link you provided is correct in that this will allow the gateway to directly connect to systems on the other side of the VPN, it also appears to be causing routing issues for every box that is not the gateway when it's enabled.

            Prior to adding the static route according to the link, I can ping any system (on B network) from my desktop (on A network), however, any attempt to ping a system (on B network) from the gateway (on A network) itself will fail.

            If I then add the route, I can ping any systems (on B network) from the gateway (on A network), but my desktop (on A network) can no longer ping any systems (on B network).  I have noticed that sometimes it appears as though one packet "slips by" but from that point on it's destination host unreachable… oddly, the response is coming from my desktop's IP (not any gateway).

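As an added illustration (not code from the thread, from pfSense, or from the linked doc), a small Python model of why gateway A's own packets miss the phase 2 selector while the desktop's packets match it: the kernel sources a locally generated packet from the egress interface chosen by the route lookup, so with only a default route the source is the WAN address, which lies outside the 192.168.1.0/24 phase 2 local subnet. The WAN address and the static-route workaround (a route for 192.168.2.0/24 via a LAN-side gateway, which is my reading of the linked doc) are assumptions.

```python
import ipaddress

# Constructed addresses from the thread; the WAN address is an assumption (TEST-NET-3).
WAN_IP = "203.0.113.10"           # gateway A's public address (assumed)
LAN_A_IP = "192.168.1.1"          # gateway A's LAN address
LAN_A = ipaddress.ip_network("192.168.1.0/24")
LAN_B = ipaddress.ip_network("192.168.2.0/24")

# Phase 2 selector of the tunnel: only LAN A <-> LAN B traffic is protected.
PHASE2_LOCAL, PHASE2_REMOTE = LAN_A, LAN_B

# Routing table entries as (prefix, address of the egress interface).
DEFAULT_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), WAN_IP),
    (LAN_A, LAN_A_IP),
]
# Assumed workaround from the linked doc: a static route for LAN B via a
# LAN-side gateway, so the firewall sources its own packets from the LAN address.
WORKAROUND_ROUTES = DEFAULT_ROUTES + [(LAN_B, LAN_A_IP)]


def longest_match(routes, dst):
    """Longest-prefix-match lookup; returns the (prefix, egress address) entry."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, egress)
    return best


def source_for_local_packet(routes, dst):
    """A locally generated packet is sourced from the egress interface's address."""
    return longest_match(routes, dst)[1]


def matches_phase2(src, dst):
    """Does the (src, dst) pair fall inside the phase 2 selector?"""
    return (ipaddress.ip_address(src) in PHASE2_LOCAL
            and ipaddress.ip_address(dst) in PHASE2_REMOTE)


def goes_through_tunnel(routes, dst, src=None):
    """True if a packet to dst (firewall-originated unless src is given) hits the IPsec policy."""
    if src is None:
        src = source_for_local_packet(routes, dst)
    return matches_phase2(src, dst)


if __name__ == "__main__":
    for label, routes in (("default", DEFAULT_ROUTES), ("static route", WORKAROUND_ROUTES)):
        print(label, "| gateway A:", goes_through_tunnel(routes, "192.168.2.1"),
              "| desktop:", goes_through_tunnel(routes, "192.168.2.1", "192.168.1.125"))
```

The model covers only the source-selection step behind jimp's link; it does not reproduce the client-side breakage mattsah reports after adding the route, which the thread leaves unexplained.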
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.