Thursday, March 5, 2020

Site-to-Site VPN working in one direction only. How do I debug?

The Disclaimer:

I'm not a networking professional; I'm doing networking at my company on the side because I'm the only one with an IT background (level of expertise: "knowing enough to be dangerous").

I'd really appreciate any help narrowing down the following problem so I can maybe ask more specific questions in a related vendor/community subreddit like /r/openwrt/, /r/OpenVPN/ or /r/PFSENSE/.

The requirement:

  • My company wants to connect some IP Cameras in our warehouse (lager) to the dvr in the main office.
  • Here is a network diagram: http://stable.ascii-flow.appspot.com/#Draw7758801818203273020
  • The way the dvr works requires it to connect from site 1 (static ip) to the lte-router (dyn. ip) (or more specifically the connected cameras) at site 2.

The problem:

  • The connection only works from site 2 to site 1 and not the other way around.
  • Pinging from the lte-router to the dvr (10.0.1.10) works perfectly fine.
  • Pinging from the dvr to the lte-router openvpn ip (10.0.253.2) works.
  • Pinging from the dvr to the lte-router's lan ip (10.22.1.1) doesn't work. Sadly that's what I need.

What I checked:

  1. OpenVPN config on lte-router: https://pastebin.com/HwEfVGQK
  2. OpenVPN config on server: https://imgur.com/5rQzZvE
  3. OpenVPN on pfSense recognizes the connection as (server-client) but it is configured as peer-to-peer. Compare this https://imgur.com/a/wFicW6V with [2].
  4. Routes: https://pastebin.com/raw/T6fMB080
  5. Packet capture of the ping from the dvr on the vpn interface of the pfSense shows:
    1. IP 10.0.1.10 > 10.22.1.1: ICMP echo requests;
    2. no responses
  6. Capturing the ping from the lte-router on the vpn interface of the pfSense shows:
    1. IP 10.0.253.2 > 10.0.1.10: ICMP echo request
    2. IP 10.0.1.10 > 10.0.253.2: ICMP echo reply

I already wasted two days on this and I'm all out of ideas. Is there something obvious I'm missing?
Any help would be greatly appreciated!


