Netgate Discussion Forum
Problem routing to IPsec tunnel

Routing and Multi WAN
djinnsour:

I posted most of this in the IPsec forum yesterday, but I think it is more of a routing problem. Hoping someone can help me here.

pfSense 2.2.2 (tried 2.2.3 as well)
Three networks, one at the office, one at a colo facility, one at Rackspace
Dumb Linux router connects the office subnet to the colo subnet over MPLS
pfSense box at colo connects to Vyatta at Rackspace via IPsec

Problem:
On the colo subnet we can fully connect to the servers at Rackspace through the IPsec connection. On the Rackspace network we can fully connect to both the colo and office subnets through the IPsec.
On the office subnet we can ping hosts on the Rackspace subnets, nothing else.

A packet capture shows that ICMP from a host on the office network does exactly what is expected. When I try to SSH from the same system it never shows up in the IPsec capture, just the LAN capture. It seems to die right there. Nothing in the firewall logs to indicate the connection was blocked.

From a system at Rackspace I can ping and SSH to everything, which makes me think IPsec phase 1 and 2 are configured correctly. I am going to assume there is something I need to do to get the packets to route from the office network through the IPsec tunnel. The pfSense is not on the same subnet as the office subnet, which is probably the cause of the whole problem, but I just cannot get it figured out.

I tried adding an OpenVPN connection from the office to the colo but had the same problem - could communicate with the pfSense system and its network but not the IPsec tunnel. Not sure what else I can do at this point. Can anyone point me in the right direction?

tim.mcmanus:

Here's my guess: most VPN tunnels have a range of addresses that each endpoint can connect to. One of the ends of your VPN tunnels may not be routing past that address scope.

Also, it might be easier to use one router at the colo to manage all of the routes. Just an engineering thing. I'm always trying to reduce the equation to something simpler.

djinnsour:

The range of addresses that is accessible via the tunnel is configured in the VPN configuration already. It includes the range I am trying to access.

The one router at the colo is the end goal, but for the next 6-8 weeks I have to live with the current configuration.

Thanks for your help.

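The two conditions discussed in this thread, the phase 2 "address scope" tim.mcmanus describes and the routing djinnsour needs for a source subnet the pfSense is not directly connected to, can be checked mechanically. The script below is an added example written for this page; it is not code from the thread, from pfSense or from Netgate. All subnets, next hops and selector entries in it are constructed placeholders standing in for the office, colo and Rackspace networks, and the "connected" marker for the colo LAN route is a convention of this example. For a given flow it reports whether the colo endpoint selects the packet into the tunnel, whether the far endpoint has the mirror-image selector, and whether the colo routing table has a specific (non-default) return route for the source subnet.

```python
"""Traffic-selector and return-route check for a site-to-site IPsec tunnel.

Constructed example: the subnets, next hops and selectors below are
placeholders for the office / colo / Rackspace networks in the thread,
not the poster's real addressing.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Hypothetical addressing for the three sites.
OFFICE = "10.1.0.0/24"        # office LAN, reached from the colo via the MPLS router
COLO = "10.2.0.0/24"          # colo LAN, where the pfSense box sits
RACKSPACE = "10.3.0.0/24"     # Rackspace LAN behind the Vyatta
MPLS_ROUTER = "10.2.0.254"    # hypothetical Linux router on the colo LAN
WAN_GATEWAY = "203.0.113.1"   # hypothetical colo upstream gateway
DEFAULT = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Selector:
    """One phase 2 entry as seen from one endpoint: packets from `local` to `remote` enter the tunnel."""
    local: IPv4Network
    remote: IPv4Network


def make_selectors(pairs):
    """Build phase 2 entries from (local, remote) CIDR strings."""
    return [Selector(ip_network(local), ip_network(remote)) for local, remote in pairs]


def make_routes(table):
    """Build a routing table {network: next_hop} from CIDR strings; next hops are kept as strings."""
    return {ip_network(net): next_hop for net, next_hop in table.items()}


def selector_covers(selectors, src, dst):
    """True if some phase 2 entry on this endpoint selects src -> dst for the tunnel."""
    return any(src in s.local and dst in s.remote for s in selectors)


def longest_match(routes, dst):
    """Longest-prefix lookup; returns (network, next_hop) or None if nothing matches."""
    best = None
    for net, next_hop in routes.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def check_flow(colo_p2, remote_p2, colo_routes, src, dst):
    """Evaluate what a packet src -> dst needs to cross the tunnel and for the
    reply to reach a source that is not on a LAN directly connected to the colo box.

    colo_p2      phase 2 selectors on the colo pfSense (local = colo side)
    remote_p2    phase 2 selectors on the remote endpoint (local = remote side)
    colo_routes  routing table of the colo pfSense
    """
    src, dst = ip_address(src), ip_address(dst)
    route = longest_match(colo_routes, src)
    return {
        # the colo side must select the packet into the tunnel ...
        "outbound_selected": selector_covers(colo_p2, src, dst),
        # ... and the far end needs the mirror-image entry (its local = our dst,
        # its remote = our src), or it drops the packet and would not select the reply
        "remote_selected": selector_covers(remote_p2, dst, src),
        # the reply leaves the tunnel at the colo with destination = src; a source
        # subnet that is not directly connected needs a specific route, not the default
        "return_route_specific": route is not None and route[0] != DEFAULT,
        "return_next_hop": None if route is None else route[1],
    }


def flow_ok(result):
    """True only when all three conditions hold."""
    return all(result[k] for k in ("outbound_selected", "remote_selected", "return_route_specific"))


# Constructed configuration: both LANs on the colo side are in the selectors of both ends.
COLO_P2 = make_selectors([(COLO, RACKSPACE), (OFFICE, RACKSPACE)])
REMOTE_P2 = make_selectors([(RACKSPACE, COLO), (RACKSPACE, OFFICE)])
COLO_ROUTES = make_routes({"0.0.0.0/0": WAN_GATEWAY, COLO: "connected", OFFICE: MPLS_ROUTER})
COLO_ROUTES_NO_OFFICE = make_routes({"0.0.0.0/0": WAN_GATEWAY, COLO: "connected"})

if __name__ == "__main__":
    for label, routes in (("office route present", COLO_ROUTES), ("office route missing", COLO_ROUTES_NO_OFFICE)):
        result = check_flow(COLO_P2, REMOTE_P2, routes, "10.1.0.10", "10.3.0.20")
        print(f"{label}: ok={flow_ok(result)} {result}")
```

Run it as is to compare the office-to-Rackspace flow with and without a route for the office subnet on the colo side; a colo-LAN source passes in both cases because its return route is the connected network, which matches the symptom split in the first post. The check says nothing about why one protocol would pass and another fail on the same path; it only tells you whether the selectors and the return route allow the flow at all.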
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.