Netgate Discussion Forum

    Can't get Site-to-Site (shared key) to work

    Category: OpenVPN
    12 Posts, 4 Posters, 3.9k Views
    gridrun

      I can't get a site-to-site VPN between two pfSense boxes to work.

      I'm using UDP/tun mode. On one end (box 1 / vpn server), I have the 172.17.10.0/24 subnet. On the other (box 2 / vpn client) there's 172.20.0.0/16. The VPN shows as UP on both machines. However, I'm only seeing a route to the remote network on box 2. Box 1 doesn't have any route to the network behind box 2. Instead, there's an error message in the log:

      openvpn[4402]: ERROR: FreeBSD route add command failed: external program exited with error status: 1

      I set tunnel network to 192.168.225.0/30, only one connection is allowed. Local Network on box 1 is 172.17.10.0/24. Remote Network is 172.20.0.0/16. Local network on box2 is 172.20.0.0/16, remote network is set to 172.17.10.0/24.

      I've been trying the whole afternoon: deleted the VPNs, reconfigured them, tried tap instead of tun… I even tried adding static routes. It just won't work, and I don't get it at all.

      What am I doing wrong?

      Tech stuff on my blog: http://niston.wordpress.com

    phil.davis

        Your network numbers look fine.
        From cmb at http://forum.pfsense.org/index.php/topic,34858.msg181292.html#msg181292

        The only time I've ever seen route errors is when you incorrectly have static routes defined that overlap with routes from OpenVPN.

        and other googling indicates that the route it is trying to add to the network at the other end probably already appears in the routing table. Do you have any static routes defined, or other routing-related settings somewhere?

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

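The diagnosis above (a route to the remote site already present in the kernel table before OpenVPN tries to add its own) can be checked mechanically. The following script is an added example, not code from the thread or from pfSense: it parses `netstat -rn`-style output and reports an existing route that equals or overlaps the remote network on an interface other than the tunnel, plus any overlap between the local, remote and tunnel networks handed to OpenVPN. The two routing tables and the interface name `ovpns1` are constructed for illustration, using the subnets from the first post.

```python
import ipaddress

# Constructed sample: routing table of box 1 (OpenVPN server) in `netstat -rn` layout
# on a healthy site-to-site setup. OpenVPN has installed the route to the remote
# site via the tunnel interface itself (hypothetical interface name ovpns1).
HEALTHY_ROUTES = """\
Destination        Gateway            Flags    Netif Expire
default            203.0.113.1        UGS      vr1
127.0.0.1          link#3             UH       lo0
172.17.10.0/24     link#1             U        vr0
172.20.0.0/16      192.168.225.2      UGS      ovpns1
192.168.225.0/30   link#6             U        ovpns1
192.168.225.1      link#6             UHS      lo0
"""

# Constructed sample: same box, but with stale static routes to the remote site
# via LAN next hops. OpenVPN's own 'route add 172.20.0.0/16' is then rejected.
CONFLICTING_ROUTES = """\
Destination        Gateway            Flags    Netif Expire
default            203.0.113.1        UGS      vr1
127.0.0.1          link#3             UH       lo0
172.17.10.0/24     link#1             U        vr0
172.20.0.0/16      172.17.10.254      UGS      vr0
172.20.5.0/24      172.17.10.253      UGS      vr0
192.168.225.0/30   link#6             U        ovpns1
192.168.225.1      link#6             UHS      lo0
"""


def parse_routes(netstat_output):
    """Return {destination network: (gateway, interface)} from netstat -rn text."""
    routes = {}
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gateway, _flags, netif = parts[:4]
        if dest == "default":
            dest = "0.0.0.0/0"
        try:
            # A bare host address (no prefix) is a /32 host route.
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # e.g. IPv6 link-local with a %scope suffix; irrelevant here
        routes[net] = (gateway, netif)
    return routes


def check_site_to_site(netstat_output, local_net, remote_net, tunnel_net, tunnel_if):
    """Report conditions that make OpenVPN's route to remote_net fail or be bypassed."""
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    tunnel = ipaddress.ip_network(tunnel_net)
    problems = []

    # The three networks given to OpenVPN must be disjoint from each other.
    for name_a, a, name_b, b in (("local", local, "remote", remote),
                                 ("local", local, "tunnel", tunnel),
                                 ("remote", remote, "tunnel", tunnel)):
        if a.overlaps(b):
            problems.append(f"{name_a} network {a} overlaps {name_b} network {b}")

    for net, (gateway, netif) in parse_routes(netstat_output).items():
        if netif == tunnel_if or net.prefixlen == 0:
            continue  # routes on the tunnel itself and the default route are expected
        if net == remote:
            problems.append(f"route to {remote} already exists via {gateway} on {netif}: "
                            "OpenVPN's 'route add' for it will be rejected")
        elif net.overlaps(remote):
            problems.append(f"existing route {net} via {gateway} on {netif} overlaps remote "
                            f"network {remote}: that part of the traffic bypasses the tunnel")
    return problems


if __name__ == "__main__":
    for label, table in (("healthy", HEALTHY_ROUTES), ("conflicting", CONFLICTING_ROUTES)):
        found = check_site_to_site(table, "172.17.10.0/24", "172.20.0.0/16",
                                   "192.168.225.0/30", "ovpns1")
        print(f"{label}: {found or 'no routing conflicts found'}")
```

On a real box, feed it the output of `netstat -rn` captured on the side that logs the route error; the interface argument is whatever name OpenVPN assigns to that tunnel there.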
    gridrun

          Nope, no static routes. A default gateway on each end, that's about it.


    marvosa

            Post the server.conf from both sides.

    gridrun

              I got it to work by either a) configuring a static IP on the ovpns interface or b) adding the line 'ifconfig 192.168.225.1 192.168.225.2' to the server config options. Both at the same time does not work. The howto suggests that this shouldn't be needed.


    marvosa

                Yeah, something's not right. If you post your configs… we can figure it out.

    eases

                  Hi all,

                  I guess that I maybe have the same problem…
                  We also have a site-to-site OpenVPN (pre-shared keys) between two pfSense boxes,
                  and I followed the instructions on the pfSense site to the letter!

                  Everything looks perfectly fine... The routes are correct, the devices in the networks
                  on both sites have their pfSense box as default gateway, and the VPN establishes
                  directly when I hit the save button.

                  BUT:

                  • I can't ping from a device in network A to a device in network B.

                  • I can't ping from a device in network B to a device in network A.

                  • I can't ping from the pfSense GUI in network A to a device in network B.

                  • I can't ping from the pfSense GUI in network B to a device in network A.

                  • I can't ping from the pfSense GUI in network A to the pfSense box in network B.

                  • I can't ping from the pfSense GUI in network B to the pfSense box in network A.

                  However:

                  • I can do a traceroute from the pfSense GUI in network A to a device in network B.

                  • I can do a traceroute from the pfSense GUI in network B to a device in network A.

                  • I can do a traceroute (ICMP only) from the pfSense GUI in network A to the pfSense box in network B.

                  • I can do a traceroute (ICMP only) from the pfSense GUI in network B to the pfSense box in network A.

                  • I can't do a traceroute from the pfSense GUI in network A to a turned-off device in network B.

                  • I can't do a traceroute from the pfSense GUI in network B to a turned-off device in network A.

                  Any idea what I am missing in my config?

                  On both sites I have one rule in my OpenVPN tab: * * * * * * none (no description)

                  Thanks in advance!

    marvosa

                    eases,
                    Sorry, but I have to tell you the same thing I told gridrun… post your configs… without 'em, we're just guessing.

    eases

                      Good morning Marvosa,

                      well… I was a little in a hurry to get pfSense working on a new location
                      because our Cisco ASA couldn't handle the traffic anymore. And a long time
                      ago we decided to replace our (Cisco) Routers with pfSense, but with the
                      idea of more time and planning :-)

                      I haven't found a solution for the problem I described, but a factory reset
                      and a new start did the trick. Now I started with the VPN Tunnels and when
                      this worked I started with all the other firewall rules.

                      Posting my config is something I try not to do, but I get it, it's the only way to
                      get some insight into the conflicting rule I probably made somewhere...

                      But thanks for the help offering!

                      @gridrun: Maybe a new start is also your solution?

    marvosa

                        eases,
                        Glad it's working. Don't be afraid to post your config (server.conf)… there's nothing unique to your site except for the public IP, which everyone masks before they post. Everything else is either standard in everyone's config or internal IPs that don't matter because they can't be routed over the internet.

    gridrun

                          Two different ALIX boards with pfSense 2.0.2, similar problem.
                          This time it's Peer-to-Peer (SSL/TLS) mode.

                          Local Net Server: 192.168.10.0/24
                          Remote Net Server: 192.168.20.0/24

                          Local Net Client: 192.168.20.0/24
                          Remote Net Client: 192.168.10.0/24

                          Tunnel Network (identical on client and server): 192.168.254.0/30

                          There are no additional openvpn config options given.
                          There are no client specific overrides.
                          There are no static routes defined.

                          The tunnel is up, both tunnel IPs can be pinged from both sides.
                          192.168.10.* can't ping 192.168.20.* and vice versa.
                          Client has log entry: "ERROR: FreeBSD route add command failed: external program exited with error status: 1" twice. Server doesn't have this error.
                          Client has log entry: "WARNING: using --pull/--client and --ifconfig together...". Server doesn't have this warning.
                          Both server and client have "WARNING: Ifconfig is present in local but missing in remote..."


    gridrun

                            We backed up the config, then did a factory reset on those two machines. With nothing but LAN/WAN IPs and the VPN configured, everything works flawlessly as expected. Will see if we can find out the breaking difference by comparing the configs :-)


                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.