Netgate Discussion Forum
    VPN site-to-site: Error ping between networks

    OpenVPN
    6 Posts 2 Posters 3.8k Views
    • mantunespb

      Hi,

      I have a VPN using OpenVPN. The figures below show exactly how I am using it, together with the settings in pfSense.

      The problem is only in connectivity between the two sides of the VPN. Computer B does not get a ping to the network, or vice versa, with the site-to-site method.

      However, the pfSense server and the pfSense client ping normally between networks A and B without any problems, and when I connect a computer using client-to-site it gets a ping.

      -- I have no static route created on the pfSense servers.

      -- The computers all have the Windows XP firewall disabled.

      Please, I need help.

      Thanks
      OpenVPN-Site-to-Site.png
      OpenVPN-Client-to-Site.png

      • mantunespb

        ...

        Continuing... pfSense server settings

        pfsense-Server.GIF
        pfsense-Client.GIF

        • GruensFroeschli

          I think I know what your problem is:
          The field "local network" is used to push the route to your local network to the connecting client.
          Since your connecting client represents a whole network, you need to add to the server config a command that adds an entry for this subnet to your server routing table, pointing to the connecting client.

          You might want to take a look at the man page of OpenVPN.
          If I remember correctly, the iroute command will help you with this.

          Use the tab "Client-specific configuration" for this, since you want the route for this subnet added dynamically depending on which IP the client connects with.

          @man-page:

          --iroute network [netmask]
              Generate an internal route to a specific client. The netmask parameter, if omitted, defaults to 255.255.255.255.

          This directive can be used to route a fixed subnet from the server to a particular client, regardless of where the client is connecting from. Remember that you must also add the route to the system routing table as well (such as by using the --route directive). The reason why two routes are needed is that the --route directive routes the packet from the kernel to OpenVPN. Once in OpenVPN, the --iroute directive routes to the specific client.

          This option must be specified either in a client instance config file using --client-config-dir or dynamically generated using a --client-connect script.

          The --iroute directive also has an important interaction with --push "route ...". --iroute essentially defines a subnet which is owned by a particular client (we will call this client A). If you would like other clients to be able to reach A's subnet, you can use --push "route ..." together with --client-to-client to effect this. In order for all clients to see A's subnet, OpenVPN must push this route to all clients EXCEPT for A, since the subnet is already owned by A. OpenVPN accomplishes this by not pushing a route to a client if it matches one of the client's iroutes.

          Alternatively (and I think that this would be a better solution), you set up a site-to-site connection with a shared key to connect your two networks, and a second VPN server to which your mobile clients can connect.

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          • mantunespb
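          As an added illustration of the route/iroute pairing the quoted man page describes (this is not configuration from this thread or from pfSense's generated files; the tunnel subnet, the two LAN subnets, the ccd path and the client's certificate common name "siteB" are assumed):

```conf
# server.conf (assumed: tunnel 10.8.0.0/24, server LAN 192.168.1.0/24,
# client site's LAN 192.168.2.0/24)
server 10.8.0.0 255.255.255.0

# Kernel route: hands packets for the client's LAN to the tun interface
route 192.168.2.0 255.255.255.0

# What pfSense's "local network" field does: tells the client how to
# reach the server's LAN
push "route 192.168.1.0 255.255.255.0"

# Per-client files live here, named after the certificate common name
client-config-dir /etc/openvpn/ccd

# /etc/openvpn/ccd/siteB  (file name = common name of site B's certificate)
# Internal route: inside OpenVPN, 192.168.2.0/24 belongs to this client
iroute 192.168.2.0 255.255.255.0
```

          Without the iroute line the kernel route still delivers packets to OpenVPN, but OpenVPN has no client to forward them to, which is the two-route requirement the man page excerpt describes.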

            I may not have been clear enough. What I want is to make a site-to-site connection without the need for connecting customers. The problem is that I do not know how to see (ping) network B through the VPN. If the problem is the routes, how do I make them?

            Anyone can help me, mentioning the routes needed.

            Thanks

            • GruensFroeschli

              I think you do not understand how OpenVPN works...
              OpenVPN adds the needed routes dynamically.

              If you want only site-to-site then you should definitely go with the second solution and use a shared key.
              Please read the HowTos on http://openvpn.net or one of the guides that exist.
              (Also try to search the forum. There are quite a few people with your kind of setup.)

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              • mantunespb

                Problem solved

                I made the interconnection of the networks using a shared key, as recommended for site-to-site. I thought that using certificates was the problem, since there was no ping between networks A and B.

                Thanks to all

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.