Site-to-Site traffic not flowing to OpenVPN users


  • Currently using a cisco pix connected to 2 other external sites via site-2-site vpn connections.

    Attempting to retire the pix and switch to a pfsense box

    We have got the pfsense 2.0.3 box running and talking to the other two sites fine.


    The only issue we have at present is that remote users who connect into our office network via OpenVPN do not get any access to the existing site-2-site VPN connections. The OpenVPN users are able to access resources on the Office network only, but not any other sites that have a site-2-site VPN connection established on the pfsense box.

    In the attached image our office network is running on subnet 192.168.10.0/24.

    From within the 192.168.10.* network the users are able to access all other VPN sites 192.168.160.0/24 and 192.168.168.180.0/24.

    When users dial into the office VPN using OpenVPN they get assigned an IP address from the 192.168.11.0/24 network.

    The OpenVPN users are able to access resources on the 192.168.10.0 network but are unable to access the other VPN sites 192.168.160.0/24 and 192.168.168.180.0/24.

    I have allowed the 192.168.11.0 network in the firewall rules; however, it still does not work.

    I suspect it is a NAT issue but so far have been unable to resolve it.

    Any suggestions on how to debug and resolve this issue?

    Regards
    Sanjay


  • After establishing the VPN connection to the Office network and then trying to perform a traceroute to one of the other site-2-site VPN subnets, I see that the traffic is going out of my Office WAN interface.

    Any ideas how I can get my pfsense box to route/NAT the traffic originating on the OpenVPN connection out to the other site to site subnets?

    /sanjay


  • After establishing the VPN connection to the Office network and then trying to perform a traceroute to one of the other site-2-site VPN subnets, I see that the traffic is going out of my Office WAN interface.

    That seems weird, because pfSense definitely knows routes to site A & B since it routes the local LAN there OK.
    On pfSense 2.0.3 you will have to push routes for Site A & B to the clients, using the Advanced box. It sounds like you must have done that already. On pfSense 2.1 you can put a list of networks in the Local Network/s field to achieve that.
    Similarly, you will have to push a route for 192.168.11.0/24 to the Ciscos at Site A & B.
    Use Diagnostics->Routes to see what routes pfSense knows about and to where.
    And do you have any policy-based firewall rules that might be matching traffic first and forcing it out WAN?


  • Dear Phil,
    Thanks for the reply.

    After researching the issue on the net for a while I stumbled on a post that mentioned that for pfsense 2.0.3 you need to add a Phase 2 configuration with the additional VPN networks.

    PFsense->VPN->IPsec->Tunnels
    Click + to show the Phase 2 entries on each IPSec tunnel and then click + to add a new Phase 2 entry with the VPN address pool.

    After doing the above, the setup is now working perfectly.

    Thanks

    /sanjay
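The fix in the post above comes down to a selector-matching rule: an IPsec Phase 2 entry is a (local subnet, remote subnet) pair, and only traffic matching both halves enters the tunnel; everything else falls through to the routing table, which is why the OpenVPN pool's traffic left via WAN. The following script, an added example that is not from the thread or from pfSense, models that rule and reports which source/destination pairs lack a Phase 2 entry before and after adding the 192.168.11.0/24 pool. The Site B subnet 192.168.180.0/24 is a constructed stand-in, since the value printed in the thread is garbled.

```python
import ipaddress

Net = ipaddress.IPv4Network


def parse_p2(entries):
    """Turn [(local_cidr, remote_cidr), ...] into a list of Phase 2 selectors."""
    return [(ipaddress.ip_network(loc), ipaddress.ip_network(rem)) for loc, rem in entries]


def selects(p2, src_ip, dst_ip):
    """True if some Phase 2 entry covers the src->dst flow (so it enters the tunnel)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in local and d in remote for local, remote in p2)


def missing_phase2(p2, source_nets, remote_nets):
    """List (source, remote) network pairs that no Phase 2 entry fully covers.

    Such pairs are exactly the flows that will be routed by the default route
    (out WAN on the thread's setup) instead of into the IPsec tunnel.
    """
    gaps = []
    for src in source_nets:
        for dst in remote_nets:
            sn, dn = ipaddress.ip_network(src), ipaddress.ip_network(dst)
            if not any(sn.subnet_of(local) and dn.subnet_of(remote) for local, remote in p2):
                gaps.append((src, dst))
    return gaps


# Constructed configuration mirroring the thread: office LAN, OpenVPN pool,
# Site A subnet from the thread, Site B subnet as a constructed stand-in.
OFFICE_SOURCES = ["192.168.10.0/24", "192.168.11.0/24"]
REMOTE_SITES = ["192.168.160.0/24", "192.168.180.0/24"]

# Before the fix: Phase 2 entries only for the office LAN.
BEFORE_FIX = parse_p2([(lan, site) for lan in ["192.168.10.0/24"] for site in REMOTE_SITES])
# After the fix: an extra Phase 2 entry per tunnel for the OpenVPN address pool.
AFTER_FIX = BEFORE_FIX + parse_p2([("192.168.11.0/24", site) for site in REMOTE_SITES])

if __name__ == "__main__":
    print("gaps before:", missing_phase2(BEFORE_FIX, OFFICE_SOURCES, REMOTE_SITES))
    print("gaps after: ", missing_phase2(AFTER_FIX, OFFICE_SOURCES, REMOTE_SITES))
```

The remote Cisco side needs the mirror image of each added entry (its LAN as local, 192.168.11.0/24 as remote), or the return traffic will be dropped there for the same reason.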


  • I have the same issue.

    Sanjay, in your example, which VPN address pool did you add in the Phase 2 entry?

    Thanks