Site to Site Routing Issue

curto21 · #1 (**permalink**) 03-16-2010, 02:41 PM

I've been stuck for two days trying to get a Site to Site IPsec VPN between two locations. The VPN connection appears to be working (see screenshot), however, it seems I'm having trouble routing through it. Here are the details:

Astaro Security Gateway (7.504) NETWORK A
Interfaces:
--------------------------
eth0 : (internal) 192.168.0.1 255.255.255.0
eth1 : (external) ***.***.***.***

VPN Connection settings:
Auto Packet filter is ON
Strict routing is OFF
Local Network: 192.168.0.0/24

VPN Remote Gateway Settings:
Gateway type:Initiate Connection (both sides are static)
Authentication type: PSK
Remote networks: 172.16.0.0/19

pfSense Firewall NETWORK B
--------------------------
eth0 : (internal) 172.16.0.1 - 255.255.224.0
eth1 : (external) ***.***.***.***

I have a mail server on network A that I need to access from network B. It is located at 192.168.0.75

I have a user pc on network B that needs access to resources on network A. It is located at 172.16.0.19

Here are the tests:

If I run a ping test from 172.16.0.19 --> 192.168.0.1, all pings return just fine. This leads me to believe that traffic is getting through the VPN.

If I run a ping test from 172.16.0.19 --> 192.168.0.75, all pings do NOT return.

If I run a traceroute from 172.16.0.19 --> 192.168.0.75, the first hop shows the astaro's local ip of 192.168.0.1. All hops after that timeout.

If I run a ping from the astaro (webmin>support>tools>ping check) 192.168.0.1 --> 192.168.0.75, all pings return just fine.

If I run a ping from the astaro, 192.168.0.1 --> 172.16.0.1, I get the following error (see screenshot):

Ping check did not deliver a result, because of a probably non-existing ip address / hostname

If I run a traceroute from 192.168.0.75 --> 172.16.0.1, the first hop shows the astaro's local ip of 192.168.0.1. All hops after that timeout.

Thinking it might be issues with ICMP packets (though global ICMP settings on astaro are enabled), I also tried TELNETTing from 172.16.0.19 --> 192.168.0.75 port 25 with no response.

There may be more than one issue here as pings from network B can get to at least the astaro on network A while it seems pings from network A can't get to network B at all. What am I missing? Any help would be greatly appreciated. Thanks!

BAlfson · #2 (**permalink**) 03-16-2010, 06:48 PM

Quote:

If I run a traceroute from 192.168.0.75 --> 172.16.0.1, the first hop shows the astaro's local ip of 192.168.0.1. All hops after that timeout.

OK, that confirms that 192.168.0.1 is the default gateway for 192.168.0.75.

Try checking the box for 'Strict routing'.

Cheers - Bob
PS I'll delete the other thread for you.

curto21 · #3 (**permalink**) 03-16-2010, 07:11 PM

Thanks for the reply. I had already tried it with strict routing turned on just for the heck of it, and I tried it again based on your recommendation. There were no changes in the above tests. Also, I tried setting up a DNAT rule for ping and suddenly I can ping from 172.16.0.19 --> 192.168.0.75. I then removed the the DNAT rule I just created, and I can still ping from network B to network A. Nothing else changed. However, network A to network B is still not working, nor can I ping from the ping tool on the astaro to network B. I'm still getting the following error:

Ping check did not deliver a result, because of a probably non-existing ip address / hostname

It's like it doesn't know what to do with it.

BAlfson · #4 (**permalink**) 03-16-2010, 09:34 PM

Quote:

If I run a traceroute from 172.16.0.19 --> 192.168.0.75, the first hop shows the astaro's local ip of 192.168.0.1. All hops after that timeout.

You meant the first hop was 172.16.0.1, right?

Quote:

Thanks for the reply. I had already tried it with strict routing turned on just for the heck of it, and I tried it again based on your recommendation. There were no changes in the above tests.

Did you give it a minute or two to digest the changes before you tested?

Quote:

Also, I tried setting up a DNAT rule for ping and suddenly I can ping from 172.16.0.19 --> 192.168.0.75. I then removed the the DNAT rule I just created, and I can still ping from network B to network A.

I can't imagine that creating then deleting a DNAT would fix this in one direction, but seeeing the DNAT might be a clue...

Cheers - Bob

curto21 · #5 (**permalink**) 03-17-2010, 11:51 AM

Sorry, yes you are right, the first hop from network B is 172.16.0.1 followed by 192.168.0.1 and then it stopped. However, that is old news. Here is an update: (I honestly don't know what changed. Perhaps, it was the strict routing, and I didn't give it enough time to "digest" the change when testing.)

I now can access services on network A from network B with no problems. This includes web, telnet, and file sharing. For example, 172.16.0.19 is a windows machine on network B. 192.168.0.75 is a windows server on network A. In the address bar on 172.16.0.19 I can type "\\192.168.0.75" and all shares appear. However if I reverse that, (typing "\\172.16.0.19" in the address bar on 192.168.0.75) I get "Windows cannot access... there may be a problem with your network".

Traceroutes to network B from network A still stop at 192.168.0.1 and I still can't ping anything on network B directly from the Astaro itself. I'm at a loss.

There are no NAT rules in place. And strict routing is now turned on.

BAlfson · #6 (**permalink**) 03-17-2010, 01:53 PM

Do you see anything in the packet filter log or the Intrusions Prevention log that might give us a hint? Can you ping 172.16.0.19 from the Astaro? It just feels to me that the problem is in the pfSense.

curto21 · #7 (**permalink**) 03-17-2010, 02:26 PM

You were right once again. I double checked the rules on the pfSense box. Apparently, the pfSense firewall does not allow incoming traffic over the IPSEC VPN by default. I created a new rule and, go figure, traceroutes and pings are getting through. It's still not allowing all traffic at this point, but I think I just need to tweak the firewall rules a bit. Thanks so much for your help.