no route to host/IPsec IP on opnsense

Started by that1guy, July 21, 2022, 02:41:57 PM

Hi guys,

I have a card reader (Ingenico/Orga 6141, behind a FritzBox, IP 192.168.146.3) connected to an opnsense with IPsec - the card reader got the IP 172.20.1.1 on the opnsense from the Virtual IPv4 Address Pool 172.20.1.0/30. The VPN log looks good, and the card reader says "connected".

I can't ping the 172.20.1.1 from opnsense (192.168.139.51):

(The default gateway is a FritzBox with IP 192.168.139.254; I added a static route there for 172.20.1.0/255.255.255.252 to 192.168.139.51.)


Enter a host name or IP address: 172.20.1.1

PING 172.20.1.1 (172.20.1.1): 56 data bytes
92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  3f  01 6f2d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  3d  01 712d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  3b  01 732d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  39  01 752d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  37  01 772d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  35  01 792d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  33  01 7b2d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  31  01 7d2d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  2f  01 7f2d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.51: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  01  01 ad2d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.51: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 ec09   0 0000  01  01 d4ae 192.168.139.51  172.20.1.1


It looks like there's no route to 172.20.1.0/30:

# /usr/bin/nc -v -w 10 -4 '172.20.1.1' '4742'
nc: connect to 172.20.1.1 port 4742 (tcp) failed: No route to host


That's what I can confirm from System: Routes: Status.

Can somebody please give me a hint? I already had a working configuration in the PoC opnsense and I'm now preparing the prod opnsense, but I can't see the missing thing by comparing both (very similar) configurations. Is there any problem with 172.20.1.0/30 as a private net? (I only have one (1) VPN client for each opnsense.)

Best regards, Paul
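As an added diagnostic example (not part of the post above), the Python below parses ping output in the verbose ICMP-error format quoted in the question and recognises the pattern it shows: the gateway redirects the probe back to the sender, the sender has no route for the destination and hands it to the default gateway again, and the quoted TTL drops by two per bounce until the sender itself reports "Time to live exceeded". The sample text is constructed from the lines in the post; the function names are the example's own.

```python
import re

# Constructed excerpt in BSD ping's verbose ICMP-error format, as quoted in the post.
SAMPLE = """PING 172.20.1.1 (172.20.1.1): 56 data bytes
92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  3f  01 6f2d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.254: Redirect Host(New addr: 192.168.139.51)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  3d  01 712d 192.168.139.51  172.20.1.1

92 bytes from 192.168.139.51: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 138b   0 0000  01  01 ad2d 192.168.139.51  172.20.1.1
"""

# "<n> bytes from <reporter>: Redirect Host(New addr: <x>)" or "...: Time to live exceeded"
ERR_RE = re.compile(r"^\d+ bytes from (\S+): (?:Redirect Host\(New addr: (\S+)\)|Time to live exceeded)")


def parse_icmp_errors(output: str) -> list:
    """Pair each ICMP error line with the quoted original IP header that follows it."""
    events, pending = [], None
    for line in output.splitlines():
        m = ERR_RE.match(line)
        if m:
            pending = {"reporter": m.group(1), "new_addr": m.group(2),
                       "kind": "redirect" if m.group(2) else "ttl_exceeded"}
            continue
        tok = line.split()  # quoted header: Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
        if pending and len(tok) == 12 and tok[0] == "4":
            pending.update(ttl=int(tok[7], 16), src=tok[10], dst=tok[11])
            events.append(pending)
            pending = None
    return events


def analyze(output: str) -> dict:
    """Classify the failure: a redirect pointing back at the probe's own source,
    plus a TTL-exceeded report from that same source, means the packet is bouncing
    between host and gateway because the host lacks a route for the destination."""
    events = parse_icmp_errors(output)
    if not events:
        return {"verdict": "no_icmp_errors"}
    back = [e for e in events if e["kind"] == "redirect" and e["new_addr"] == e["src"]]
    self_ttl = [e for e in events if e["kind"] == "ttl_exceeded" and e["reporter"] == e["src"]]
    result = {"verdict": "routing_loop" if back and self_ttl else "other", "redirects": len(back)}
    if back:
        result.update(gateway=back[0]["reporter"], host=back[0]["new_addr"], destination=back[0]["dst"])
    if len(back) >= 2:  # TTL consumed per bounce: one hop at the gateway, one at the host
        result["hops_per_bounce"] = back[0]["ttl"] - back[1]["ttl"]
    return result
```

A verdict of routing_loop points at the sender's own routing table (here the opnsense has nothing for 172.20.1.0/30, so the probe falls back to the default gateway, which the static route sends straight back), rather than at the IPsec tunnel itself.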