Can't get Site-to-Site (shared key) to work



  • I can't get a site-to-site VPN between two pfSense boxes to work.

    I'm using UDP/tun mode. On one end (box 1 / vpn server), I have the 172.17.10.0/24 subnet. On the other (box 2 / vpn client) there's 172.20.0.0/16. The VPN shows as UP on both machines. However, I'm only seeing a route to the remote network on box 2. Box 1 doesn't have any route to the network behind box 2. Instead, there's an error message in the log:

    openvpn[4402]: ERROR: FreeBSD route add command failed: external program exited with error status: 1

    I set tunnel network to 192.168.225.0/30, only one connection is allowed. Local Network on box 1 is 172.17.10.0/24. Remote Network is 172.20.0.0/16. Local network on box2 is 172.20.0.0/16, remote network is set to 172.17.10.0/24.

    I've been trying the whole afternoon, deleted the VPNs, reconfigured it, tried tap instead of tun….I even tried adding static routes - it just won't work, and I don't get it at all.

    What am I doing wrong?



  • Your network numbers look fine.
    From cmb at http://forum.pfsense.org/index.php/topic,34858.msg181292.html#msg181292

    The only time I've ever seen route errors is when you incorrectly have static routes defined that overlap with routes from OpenVPN.

Other googling indicates that the route it is trying to add to the network at the other end probably already appears in the routing table. Do you have any static routes defined, or other routing-related settings somewhere?
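An added example, not from this thread or from pfSense, of the check cmb's diagnosis calls for: parse the IPv4 section of FreeBSD `netstat -rn` and flag any existing entry that is identical to, or overlaps, a network OpenVPN is about to `route add`. An identical prefix makes the kernel reject the add (the "route add command failed" line), while an overlapping static route pulls traffic away from the tunnel even though the add succeeds. The routing table below is constructed for the example; the interface names (em0 WAN, em1 LAN, ovpns1 tunnel) and the stray static routes for 172.20.0.0/16 and 172.20.5.0/24 are assumptions, not something the thread shows.

```python
import ipaddress

# Constructed sample of `netstat -rn -f inet` on box 1 from the thread.  The
# interface names (em0 WAN, em1 LAN, ovpns1 tunnel) and the two static routes
# into 172.20.0.0/16 are assumptions made for this example.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0     1234    em0
127.0.0.1          link#3             UH          0       10    lo0
172.17.10.0/24     link#2             U           0      500    em1
172.17.10.1        link#2             UHS         0        0    lo0
172.20.0.0/16      172.17.10.254      UGS         0       12    em1
172.20.5.0/24      172.17.10.253      UGS         0        0    em1
192.168.225.1      link#5             UHS         0        0    lo0
192.168.225.2      link#5             UH          0        3    ovpns1
203.0.113.0/24     link#1             U           0      800    em0
"""


def parse_netstat(text):
    """Parse the IPv4 section of FreeBSD `netstat -rn` output into
    (destination network, gateway, interface) tuples.

    Assumes the Expire column is empty, so the interface is the last field.
    A bare destination address without a prefix is a host route (/32)."""
    routes = []
    in_inet = False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_inet or not line.strip() or line.startswith("Destination"):
            continue
        fields = line.split()
        dest, gateway, netif = fields[0], fields[1], fields[-1]
        if dest == "default":
            dest = "0.0.0.0/0"
        routes.append((ipaddress.ip_network(dest, strict=False), gateway, netif))
    return routes


def route_conflicts(routes, wanted, ignore_ifaces=("lo0", "ovpns", "ovpnc")):
    """Compare the networks OpenVPN will `route add` (its remote networks and
    the tunnel network) against the existing routing table.

    Returns (wanted network, kind, existing entry) tuples.  kind is
    'duplicate' when the same prefix is already present (the kernel rejects
    the add, producing "route add command failed") or 'overlap' when a more
    or less specific route on another interface will steal traffic from the
    tunnel.  Loopback entries and OpenVPN's own interfaces are skipped because
    OpenVPN installs those routes itself; the default route is skipped because
    it overlaps everything."""
    problems = []
    for want in wanted:
        want = ipaddress.ip_network(want, strict=False)
        for dest, gateway, netif in routes:
            if netif.startswith(ignore_ifaces) or dest.prefixlen == 0:
                continue
            entry = f"{dest} via {gateway} on {netif}"
            if dest == want:
                problems.append((str(want), "duplicate", entry))
            elif dest.overlaps(want):
                problems.append((str(want), "overlap", entry))
    return problems


if __name__ == "__main__":
    table = parse_netstat(SAMPLE_NETSTAT)
    # Box 1's remote network and tunnel network as given in the thread.
    for want, kind, entry in route_conflicts(table, ["172.20.0.0/16", "192.168.225.0/30"]):
        print(f"{kind:9s} {want:18s} <- existing {entry}")
```

On a live box, feed the real output of `netstat -rn -f inet` to `parse_netstat` and pass the remote network(s) and tunnel network from the OpenVPN settings to `route_conflicts`; anything it reports as `duplicate` is what makes OpenVPN's route add exit with status 1, and an `overlap` explains why a tunnel that is UP still does not carry traffic for part of the remote subnet.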



  • Nope, no static routes. A default gateway on each end, that's about it.



  • Post the server.conf from both sides.



  • I got it to work by either a) configuring a static IP on the ovpns interface or b) adding the line 'ifconfig 192.168.225.1 192.168.225.2' to the server config options. Both at the same time does not work. The howto suggests that this shouldn't be needed.



  • Yeah, something's not right.  If you post your configs… we can figure it out.



  • Hi all,

    I guess that I maybe have the same problem…
    We also have a site-to-site OpenVPN (pre-shared keys) between two pfSense boxes
    and I followed the instructions on the pfSense site to the letter!

    Everything looks perfectly fine... The routes are correct, the devices in the networks
    on both sites have their pfSense box as default gateway and the VPN establishes
    directly when I hit the save button.

    BUT:

    • I can't ping from a device in network A to a device in network B.

    • I can't ping from a device in network B to a device in network A.

    • I can't ping from the pfSense GUI in network A to a device in network B.

    • I can't ping from the pfSense GUI in network B to a device in network A.

    • I can't ping from the pfSense GUI in network A to the pfSense box in network B.

    • I can't ping from the pfSense GUI in network B to the pfSense box in network A.

    However:

    • I can do a traceroute from the pfSense GUI in network A to a device in network B.

    • I can do a traceroute from the pfSense GUI in network B to a device in network A.

    • I can do a traceroute (ICMP only) from the pfSense GUI in network A to the pfSense box in network B.

    • I can do a traceroute (ICMP only) from the pfSense GUI in network B to the pfSense box in network A.

    • I can't do a traceroute from the pfSense GUI in network A to a turned-off device in network B.

    • I can't do a traceroute from the pfSense GUI in network B to a turned-off device in network A.

    Any idea what I am missing in my config?

    On both sites I have one rule in my OpenVPN tab: * * * * * * none

    Thanks in advance!



  • eases,
    Sorry, but I have to tell you the same thing I told gridrun…. post your configs.... without 'em... we're just guessing.



  • Good morning Marvosa,

    well… I was a little in a hurry to get pfSense working on a new location
    because our Cisco ASA couldn't handle the traffic anymore. And a long time
    ago we decided to replace our (Cisco) Routers with pfSense, but with the
    idea of more time and planning :-)

    I haven't found a solution for the problem I described, but a factory reset
    and a new start did the trick. Now I started with the VPN Tunnels and when
    this worked I started with all the other firewall rules.

    Posting my config is something I try not to do, but I get it, it's the only way to
    get some insight into the conflicting rule I probably made somewhere...

    But thanks for the help offering!

    @gridrun: Maybe a new start is also your solution?



  • eases,
    Glad it's working.  Don't be afraid to post your config (server.conf)… there's nothing unique to your site except for the public IP which everyone masks before they post.  Everything else is either standard in everyone's config or internal IP's that don't matter because they can't be routed over the internet.



  • Two different ALIX boards with pfSense 2.0.2, similar problem.
    This time its Peer-to-Peer (SSL/TLS) mode.

    Local Net Server: 192.168.10.0/24
    Remote Net Server: 192.168.20.0/24

    Local Net Client: 192.168.20.0/24
    Remote Net Client: 192.168.10.0/24

    Tunnel Network (identical on client and server): 192.168.254.0/30

    There are no additional openvpn config options given.
    There are no client specific overrides.
    There are no static routes defined.

    The tunnel is up, both tunnel IPs can be pinged from both sides.
    192.168.10.* can't ping 192.168.20.* and vice versa.
    Client has log entry: "ERROR: FreeBSD route add command failed: external program exited with error status: 1" twice. Server doesn't have this error.
    Client has log entry: "WARNING: using --pull/--client and --ifconfig together...". Server doesn't have this warning.
    Both server and client have "WARNING: Ifconfig is present in local but missing in remote..."



  • We backed up the config, then did a factory reset on those two machines. With nothing but LAN/WAN IPs and the VPN configured, everything works flawlessly as expected. Will see if we can find out the breaking difference by comparing the configs :-)

