Weird Site to Site OpenVPN Problem



  • Hello to everyone,
    I'm experiencing a weird problem with a multi-WAN site-to-site OpenVPN.

    To make it short, I can access the server LAN (10.0.0.0/24) from the client LAN (10.0.1.0/24) via a tunnel (10.0.8.0/30) without a problem (a bit slow maybe), but not vice versa; it just loads forever.

    The weird thing is that from the server LAN I can ping all the devices, and I can also see the default page from an Apache server on the client side, but that's all I can do. No SSH, no dynamic pages, no Samba shares. I cannot access the client side pfSense GUI either.

    My current configuration is multi-WAN on the server side with the VPN

    This is the server config
    https://www.dropbox.com/s/hr9j9o7cfiy9hmr/FireShot%20Capture%201%20-%20pfsense.localdomain%20-%20OpenVPN_%20Server_%20-%20http___10.0.0.1_vpn_openvpn_server.php.png?dl=0

    This is the client config
    https://www.dropbox.com/s/l5sxgbaw1t3p60k/FireShot%20Capture%201%20-%20pfsense-manesseno.drafinsub-manesseno_%20-%20http___10.0.1.1_vpn_openvpn_client.php.png?dl=0

    On the server side the interface is configured as localhost because of the multiwan there is a port forwarding

    EOLO	UDP	*	*	EOLO address	500 (ISAKMP)	127.0.0.1	500 (ISAKMP)	Eolo VPN multiwan 	
    VODAFONE20MB	UDP	*	*	Vodafone address	500 (ISAKMP)	127.0.0.1	500 (ISAKMP)	Vodafone 20MB VPN multiwan 
    

    There are also rules opening port 500 on both routers (and on both multi-WAN connections)

    What did I forget to check?

    Thank you in advance



  • Change your subnet on both pfSense boxes for the IPv4 Tunnel network to /24

    So instead of 10.0.8.0/30 do 10.0.8.0/24

    Try that.

    Also, make sure you have an allow firewall rule for the OpenVPN interface on each pfSense.

    Lastly, why are you using DES-CBC 64bit????

    Jake
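
The cipher question above can be turned into a repeatable check. This is an added example, not part of the thread: it scans OpenVPN config text for data-channel cipher directives that select a cipher with a 64-bit block, such as DES-CBC. The sample configs, the function names and the prefix list are assumptions made for the illustration.

```python
import re

# Cipher name prefixes (OpenSSL naming) whose block size is 64 bits.
SMALL_BLOCK_PREFIXES = ("DES-", "DESX-", "BF-", "CAST5-", "RC2-", "IDEA-")
# OpenVPN options that choose or negotiate the data-channel cipher.
CIPHER_DIRECTIVES = {"cipher", "ncp-ciphers", "data-ciphers", "data-ciphers-fallback"}


def is_small_block(cipher):
    """True if the cipher name belongs to a 64-bit block cipher family."""
    return cipher.upper().startswith(SMALL_BLOCK_PREFIXES)


def audit_config(text):
    """Return (line_no, directive, cipher) for each 64-bit block cipher selected."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() not in CIPHER_DIRECTIVES:
            continue
        # Negotiation lists are colon-separated; check every entry, not just the first.
        for cipher in parts[1].split(":"):
            if is_small_block(cipher):
                findings.append((line_no, parts[0].lower(), cipher))
    return findings


# Constructed sample configs (not taken from the poster's screenshots).
SAMPLE_WEAK = """\
dev ovpns1
proto udp
ifconfig 10.0.8.1 10.0.8.2
cipher DES-CBC   # setting questioned in the thread
"""
SAMPLE_MIXED = """\
dev ovpns1
proto udp
ifconfig 10.0.8.1 10.0.8.2
cipher AES-256-CBC
data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC
"""

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("mixed", SAMPLE_MIXED)):
        for line_no, directive, cipher in audit_config(cfg):
            print(f"{name}: line {line_no}: {directive} selects {cipher}")
```

The second sample shows why the whole negotiation list is checked: the main cipher is AES, but a 64-bit entry left in the list can still be negotiated by a peer.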



  • To be honest I don't know why it is set with such an algorithm  :o . I changed it to a more standard AES. I tried to change the network mask to 24 but nothing changed.
    For the firewall rules:
    How should they be set? Is an "allow all" rule in both the OpenVPN tabs not enough?

    Thank you

    Update: it now works, but the connection goes down every hour or so and hangs on ping-reconnect.
    Also, I found a crash report when logging into the server: http://pastebin.com/dHKJ9CKz
    Any advice about what to check?

    Thank you

