Problem routing to IPsec tunnel

  • I posted most of this in the IPsec forum yesterday, but I think it is more of a routing problem.  Hoping someone can help me here.

    pfSense 2.2.2 (tried 2.2.3 as well)
    Three networks, one at the office, one at a colo facility, one at Rackspace
    Dumb Linux router connects the office subnet to the colo subnet over MPLS
    pfSense box at colo connects to Vyatta at Rackspace via IPsec

    On the colo subnet we can fully connect to the servers at Rackspace through the IPsec connection.  On the Rackspace network we can fully connect to both the Colo and office subnet through the IPsec.
    On the office subnet we can ping hosts on the Rackspace subnets, nothing else.

    A packet capture shows that ICMP from a host on the office network does exactly what is expected.  When I try to SSH from the same system it never shows up in the IPsec capture, just the LAN capture. It seems to die right there. Nothing in the firewall logs to indicate the connection was blocked.

    From a system at Rackspace I can ping and SSH to everything, which makes me think IPsec phase 1 and 2 are configured correctly. I am going to assume there is something I need to do to get the packets to route from the office network through the IPsec tunnel. The pfSense is not on the same subnet as the office subnet, which is probably the cause of the whole problem, but I just cannot get it figured out.

    I tried adding an OpenVPN connection from the office to the Colo but had the same problem: I could communicate with the pfSense system and its network but not the IPsec tunnel. Not sure what else I can do at this point. Can anyone point me in the right direction?

  • Here's my guess: most VPN tunnels have a range of addresses that each endpoint can connect to. One of the ends of your VPN tunnels may not be routing past that address scope.

    Also, it might be easier to use one router at the colo to manage all of the routes. Just an engineering thing. I'm always trying to reduce the equation to something simpler.
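The address-scope check suggested above can be made mechanical. The following is an added example, not code from this thread, pfSense or Vyatta: it models a constructed three-site topology (the subnets, device names, static routes and Phase 2 selectors are all assumptions, not the poster's real configuration) and walks a packet hop by hop, stopping wherever a router lacks a route or an IPsec endpoint lacks a matching Phase 2 selector. The Rackspace side is deliberately given no selector for the office subnet, so the office-to-Rackspace flow fails at the far endpoint while the colo-to-Rackspace flow succeeds. Both directions are checked, since a reply that the far end cannot put into the tunnel breaks TCP just as surely as a missing forward route.

```python
import ipaddress

# --- constructed topology; these addresses and names are assumptions ---
OFFICE = ipaddress.ip_network("10.20.0.0/24")
COLO = ipaddress.ip_network("10.10.0.0/24")
RACKSPACE = ipaddress.ip_network("10.30.0.0/24")

# Routing tables: prefix -> next hop. "direct" is an attached subnet,
# "ipsec" hands the packet to this device's IPsec policy.
ROUTES = {
    "office-linux-router": {OFFICE: "direct", COLO: "colo-pfsense", RACKSPACE: "colo-pfsense"},
    "colo-pfsense": {COLO: "direct", OFFICE: "office-linux-router", RACKSPACE: "ipsec"},
    "rackspace-vyatta": {RACKSPACE: "direct", COLO: "ipsec", OFFICE: "ipsec"},
}

# Phase 2 selectors per IPsec endpoint: (local subnet, remote subnet).
# The office subnet is intentionally missing on the Rackspace side.
SELECTORS = {
    "colo-pfsense": [(COLO, RACKSPACE), (OFFICE, RACKSPACE)],
    "rackspace-vyatta": [(RACKSPACE, COLO)],
}
TUNNEL_PEER = {"colo-pfsense": "rackspace-vyatta", "rackspace-vyatta": "colo-pfsense"}
# First router a host on each subnet hands its packets to.
FIRST_HOP = {OFFICE: "office-linux-router", COLO: "colo-pfsense", RACKSPACE: "rackspace-vyatta"}


def lookup(device, dst):
    """Longest-prefix match in a device's routing table; None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in ROUTES[device].items():
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


def selector_for(device, src, dst):
    """Phase 2 selector that carries src->dst out of this endpoint, or None."""
    for local, remote in SELECTORS[device]:
        if src in local and dst in remote:
            return (local, remote)
    return None


def trace(src, dst):
    """Walk one direction of a flow. Returns (ok, hops); on failure the last
    hop entry names the device and the reason the packet is dropped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    device = next(d for net, d in FIRST_HOP.items() if src in net)
    hops = [device]
    for _ in range(10):  # guard against routing loops
        next_hop = lookup(device, dst)
        if next_hop is None:
            hops.append(f"{device}: no route to {dst}")
            return False, hops
        if next_hop == "direct":
            return True, hops
        if next_hop == "ipsec":
            if selector_for(device, src, dst) is None:
                hops.append(f"{device}: no Phase 2 selector for {src}->{dst}")
                return False, hops
            peer = TUNNEL_PEER[device]
            # The far end must hold the mirror-image selector or it drops the packet.
            if selector_for(peer, dst, src) is None:
                hops.append(f"{peer}: no Phase 2 selector for local {dst} remote {src}")
                return False, hops
            next_hop = peer
        device = next_hop
        hops.append(device)
    hops.append("routing loop")
    return False, hops


def round_trip(src, dst):
    """Both directions must pass for a TCP session (or a ping reply) to work."""
    fwd_ok, fwd = trace(src, dst)
    rev_ok, rev = trace(dst, src)
    return fwd_ok and rev_ok, fwd, rev


if __name__ == "__main__":
    for flow in (("10.10.0.5", "10.30.0.8"), ("10.20.0.5", "10.30.0.8")):
        ok, fwd, rev = round_trip(*flow)
        print(f"{flow[0]} <-> {flow[1]}: {'OK' if ok else 'BROKEN'}")
        print("  forward:", " -> ".join(fwd))
        print("  reverse:", " -> ".join(rev))
```

Filling `ROUTES` and `SELECTORS` from the real devices (the static routes on the Linux router and pfSense, and the Phase 2 entries on pfSense and the Vyatta) turns this into a quick consistency check: every hop that is not `direct` needs a route, and every `ipsec` hop needs the same subnet pair on both ends.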

  • The range of addresses that is accessible via the tunnel is configured in the VPN configuration already. It includes the range I am trying to access.

    The one router at the colo is the end goal, but for the next 6-8 weeks I have to live with the current configuration.

    Thanks for your help.
