Tunnel established, no traffic?
-
Hello Everyone:
I have two sites right now linked by pfSense systems, both running 2.0.2-RELEASE (i386). I am using IPSEC to link the two sites and it's been working great for several months now.
However, I'm trying to bring a third site onboard. The third site already has a modem there – it's a TP-Link TD-W8950ND which apparently supports IPSEC, so I thought why bother with the overhead of a third system if existing gear can be used to do the job. I set up both ends of the tunnel (one end pfSense 2.0.2, one end TP-Link TD-W8950ND). My networks are as follows:
SITE A: 10.1.1.0/24 <-- pfSense 2.0.2
SITE B: 10.1.2.0/24 <-- pfSense 2.0.2
SITE C: 10.1.4.0/24 <-- new site, TP-Link TD-W8950ND
My end goal is a star topology like this:
Setting everything up was easy enough. I used this guide from TP-Link to help me. First, I built a tunnel from Site A 10.1.1.0/24 to Site C 10.1.4.0/24. The tunnel showed as "Up" (green in Status: IPsec), however I was not able to ping a host at Site C from a host at Site A, or vice versa. The pfSense log showed many entries like the one below:
[Unknown Gateway/Dynamic]: DEBUG: 1 times of 1 bytes message will be sent to [...redacted...]
Google shows that the above error means incorrect local/remote network settings in the IPSEC configuration, but I checked it up and down multiple times and I am positive it is set correctly.
I tried everything to get it to work, but didn't have any luck. Then, I built a tunnel from Site B 10.1.2.0/24 to Site C 10.1.4.0/24 (for testing). Again, getting the tunnel up was relatively straightforward. Once pfSense reported the tunnel up, I was able to ping from a host at Site C to a host at Site B, and vice versa!
So how come it works from Site A -> B, but not from Site A -> C? But Site A -> C works. The firewall, hardware and IPSEC configurations at all sites are identical.
Any insight appreciated.
-
I assume the server is at Site A according to your diagram?
Do you have a rule set up in the firewall for the interface involved to pass traffic?
Do you have a rule on the outbound NAT to pass the traffic on that domain to WAN?
(I've also noticed that links between two pfSense boxes seem easier and more sure-fire than between pfSense and most other things.)
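The two failure modes raised in this thread (phase-2 local/remote selectors that do not match the packet, and outbound NAT rewriting the source before the policy check) can both be seen with a small model of the IPsec policy lookup. The following is an added example written for this thread, not pfSense or racoon code: the subnets are the three from the post, while the gateway names ("gw-A", "gw-B", "gw-C"), the WAN address 192.0.2.1 and the host addresses are constructed placeholders. It models the hub-and-spoke (star) design the post describes, where Site A is the hub, and shows that a tunnel can be "up" while a given source/destination pair still matches no policy and therefore never enters it.

```python
"""Toy model of an IPsec SPD lookup on a hub site (example, not pfSense code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


def net(s: str) -> Net:
    return ipaddress.ip_network(s)


@dataclass(frozen=True)
class Policy:
    """One phase-2 selector pair: traffic from `local` to `remote` goes to `peer`."""
    local: Net
    remote: Net
    peer: str  # gateway label, a placeholder in this example


@dataclass(frozen=True)
class NatRule:
    """Manual outbound NAT rule; first match wins. nat=False is a 'no NAT' rule."""
    source: Net
    destination: Optional[Net]  # None means any destination
    nat: bool


def outbound_nat(rules: List[NatRule], src, dst, wan_ip):
    """Source address after outbound NAT; unchanged when no rule matches."""
    for r in rules:
        if src in r.source and (r.destination is None or dst in r.destination):
            return wan_ip if r.nat else src
    return src


def spd_lookup(spd: List[Policy], src, dst) -> Optional[Policy]:
    """First policy whose selectors cover the packet, or None."""
    for p in spd:
        if src in p.local and dst in p.remote:
            return p
    return None


def tunnel_path(spd, nat_rules, src: str, dst: str, wan_ip: str) -> Tuple[str, str]:
    """Apply outbound NAT, then the policy check; report where the packet goes.

    ("tunnel", peer) when a selector matched; ("clear", src_after_nat) when none
    did, i.e. the packet follows normal routing instead of the tunnel.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    s = outbound_nat(nat_rules, s, d, ipaddress.ip_address(wan_ip))
    p = spd_lookup(spd, s, d)
    return ("tunnel", p.peer) if p else ("clear", str(s))


def mirrored(ours: List[Policy], theirs: List[Policy], peer: str) -> bool:
    """True if the peer's selectors for this tunnel are the exact mirror of ours."""
    want = {(p.remote, p.local) for p in ours if p.peer == peer}
    have = {(p.local, p.remote) for p in theirs}
    return want == have


# Subnets from the post; everything else below is constructed for the example.
A, B, C = net("10.1.1.0/24"), net("10.1.2.0/24"), net("10.1.4.0/24")
WAN_A = "192.0.2.1"

# Hub A with one phase 2 per spoke, only its own LAN as the local selector.
SPD_A_INITIAL = [Policy(A, B, "gw-B"), Policy(A, C, "gw-C")]
# Hub A with the extra spoke-to-spoke selectors a star topology needs.
SPD_A_STAR = SPD_A_INITIAL + [Policy(B, C, "gw-C"), Policy(C, B, "gw-B")]

# Spoke C's selectors toward A, with and without the B subnet.
SPD_C_INITIAL = [Policy(C, A, "gw-A")]
SPD_C_STAR = SPD_C_INITIAL + [Policy(C, B, "gw-A")]

# Manual outbound NAT: everything from LAN NATed to WAN, with or without
# 'no NAT' exceptions for the remote subnets.
NAT_BAD = [NatRule(A, None, nat=True)]
NAT_OK = [NatRule(A, B, nat=False), NatRule(A, C, nat=False), NatRule(A, None, nat=True)]


if __name__ == "__main__":
    print("A->C, no-NAT rules:  ", tunnel_path(SPD_A_STAR, NAT_OK, "10.1.1.10", "10.1.4.10", WAN_A))
    print("A->C, NAT first:     ", tunnel_path(SPD_A_STAR, NAT_BAD, "10.1.1.10", "10.1.4.10", WAN_A))
    print("B->C via A, initial: ", tunnel_path(SPD_A_INITIAL, NAT_OK, "10.1.2.10", "10.1.4.10", WAN_A))
    print("B->C via A, star:    ", tunnel_path(SPD_A_STAR, NAT_OK, "10.1.2.10", "10.1.4.10", WAN_A))
    print("C mirrors A (star):  ", mirrored(SPD_A_STAR, SPD_C_STAR, "gw-C"))
    print("C mirrors A (partial):", mirrored(SPD_A_STAR, SPD_C_INITIAL, "gw-C"))
```

The second case is the one the reply is asking about: once the source is rewritten to the WAN address, no policy's local selector covers it, so the packet leaves in the clear even though the tunnel is up. The third case is the star-topology trap: for Site B to reach Site C through Site A, the A-C phase 2 must also carry 10.1.2.0/24 as a local selector, and Site C must carry the exact mirror of every selector pair, which `mirrored` checks.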