When pinging from a LAN device on Side A (Windoze Surface using cmd, 192.168.2.184) behind the gateway 192.168.2.10 (which can ping both of the remote devices tested below), these are the results.
Device 192.168.1.3 on the remote side (side B) is their ClearOS machine hosting the configuration that connects to side A. 192.168.1.181 is a tablet device behind side B's ClearOS router (192.168.1.3).
The above ping results are the same from a LAN device on Side B's network pinging 192.168.2.10 (Side A's gateway/OpenVPN server) and 192.168.2.184 (Windoze Surface with firewall set to respond to pings from outside its own LAN subnet).
That is the guide that I've followed and derived the config files below from. I've since edited the config files again to match the sections of "Create the Headquarters Configuration" & "Create the Remote Office Configuration".
The ClearOS 7 router for side A (192.168.2.10) can ping across the tunnel to side B; anything and everything on side B can be reached by the router at side A (192.168.2.10). The same goes for side B's router: it can ping across the tunnel and reach all network devices on Side A.
I'm reading further into that guide and am not sure it talks about what I'm looking to do. The next thing I'm looking for is a device on side A (i.e. laptop, surface, desktop) to be able to ping and reach shares on side B on a server past the router on side B. (192.168.2.184 should be able to access shares from 192.168.1.120). I'm not sure the "Appendix: Alternate implicit site to site" configs are what I'm looking for, for that configuration I described above.
Hopefully that all makes sense. Thanks!
I've never been asked (outside of you) to use code tags before. Had no idea they existed and even how to use them. So hopefully as I use them now it will display correctly for you. I apologize if it doesn't.
Side A config file
Side A routing table
Side A iptables -nvL
Side B config file
Side B routing table
Side B iptables -nvL
As I said, I hope all of this turns out properly; if not, I apologize, this is my first time trying to use code tags as you described. I did not see your latest update in my IPsec post until you said something in your last post. Basically, if either IPsec or OpenVPN works, I am just looking for one solution or the other; it doesn't matter which.
Thank you for your help Nick.
Still no luck on getting Side A & B to completely ping each other. Played around with routes but still am only able to ping the other network from my router. Can ping other devices from my router but not able to ping a server at side B with my Surface. The LANs do not overlap: Side A - 192.168.2.x, Side B - 192.168.1.x.
Output of the route command is below; the only thing I can think of is that the routes are wrong somehow, even though it allows me to connect across the tunnel.
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default c-73-35-184-1.h 0.0.0.0 UG 0 0 0 eno50336512
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun2
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun2
10.8.10.0 10.8.10.2 255.255.255.0 UG 0 0 0 tun1
10.8.10.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
10.8.222.41 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
wan.ip.address 0.0.0.0 255.255.252.0 U 0 0 0 eno50336512
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eno33557248
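To read the routing table above the way the kernel does, here is an added example (not from the original post or from ClearOS) that parses a `route -n`-style table with Python's ipaddress module, does longest-prefix matching for a destination, and checks whether the whole remote LAN is reached through the tunnel interface. The WAN prefix and default-gateway hostname, which the post masks, are replaced by the constructed placeholders 203.0.113.0/22 and 203.0.113.1.

```python
import ipaddress

# Constructed copy of the route table from the post above; the masked WAN
# prefix and default-gateway hostname are replaced by the documentation
# range 203.0.113.0/22 and 203.0.113.1 so the table parses offline.
ROUTE_OUTPUT = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0   0   eno50336512
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0   0   tun2
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0   0   tun2
10.8.10.0       10.8.10.2       255.255.255.0   UG    0      0   0   tun1
10.8.10.2       0.0.0.0         255.255.255.255 UH    0      0   0   tun1
10.8.222.41     0.0.0.0         255.255.255.255 UH    0      0   0   tun0
203.0.113.0     0.0.0.0         255.255.252.0   U     0      0   0   eno50336512
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   tun0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0   0   eno33557248
"""

def parse_route_table(text):
    """Turn `route -n` style output into a list of (network, gateway, iface)."""
    routes = []
    for line in text.splitlines()[1:]:            # first line is the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        dest, gw, mask, flags, iface = fields[0], fields[1], fields[2], fields[3], fields[-1]
        dest = "0.0.0.0" if dest == "default" else dest   # `route` prints "default" for 0.0.0.0
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw if "G" in flags else None, iface))  # G flag = via next hop
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; returns (network, gateway, iface) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def remote_lan_via_tunnel(routes, remote_lan, tunnel_iface):
    """True when the first and last hosts of remote_lan both egress on tunnel_iface."""
    net = ipaddress.ip_network(remote_lan)
    return all(
        (hit := lookup(routes, str(host))) is not None and hit[2] == tunnel_iface
        for host in (net[1], net[-2])
    )

if __name__ == "__main__":
    table = parse_route_table(ROUTE_OUTPUT)
    for dst in ("192.168.1.120", "10.8.0.2", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
    print("remote LAN via tun0:", remote_lan_via_tunnel(table, "192.168.1.0/24", "tun0"))
```

Against the table in the post this reports 192.168.1.0/24 leaving via tun0, so the router's own route to side B is present; it says nothing about the LAN clients' routes or the FORWARD chain, which this check does not cover.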
I recently set up an OpenVPN site-to-site configuration between two COS 7.2 machines. The connection is up, both 7.2 machines can ping each other via local LAN IP addresses, and now that the routes are correct both OpenVPN machines can ping other network devices, e.g. side B can ping the printer at side A. However, the ultimate goal is for everything on Side A & B to be able to ping each other. That seems to be the one part of this that I can't quite get figured out just yet.
I'm not sure if this is something obvious and really no information about my setup is necessary, or if a lot of information about my setup is necessary to be able to provide a solution. Nevertheless, please let me know your thoughts and what needs to be done; I feel like it's something simple but I haven't been able to figure that out just yet.
Thank you for your assistance. I'm still not sure what you meant by between the code tags. There are no code tags when opening the file. I'm sorry it's been a while since I've last updated. I'm not sure if it's something to do with using the free version or not as to why it's not connecting, but I've switched to using OpenVPN as a site-to-site VPN, which is working out so far better than this setup.
I'm sorry that my responses were somewhat slow and I wasn't sure exactly what you meant. Tim I saw your name on the app so I know you've a part if not all to do with it, thank you for the app. I'm sure it's something I was doing incorrectly but OpenVPN has really been working out better for me at this point.
Thanks guys! I know you do a lot for the community and I'm sure this isn't the last time we'll speak.
Sorry about that Nick, it was formatted properly when I was writing this but I was on a mobile device. Below hopefully it's formatted properly this time.
Where are the connection logs located? I don't want to get you the wrong information. Thanks!
Thanks for the updates Nick. I appreciate the help. I'm sure it's something small I'm overlooking. My conf file is below.
File: .../ipsec.d/ipsec.unmanaged.davlijah.conf
conn davlijah
    type=tunnel
    authby=secret
    auto=start
    left=my.wan.ip.address
    leftsubnet=192.168.2.0/24
    right=remote.wan.ip.address
The IPsec service has been opened on both firewalls rather than just opening up UDP port 500.
Thank you for your assistance with this. I've looked over everything you said and it all seems to make sense. I've not implemented anything yet because side B (right side, if I understand ClearOS lingo enough) actually made a change and is now running ClearOS 7.2 as their gateway, so now both left and right sides have IPsec on the gateway. My follow-up question, because it doesn't seem things are working still, is: is your post still relevant and I should still follow it, or is there another configuration I should follow?
Thanks! Sorry to switch things up.
I briefly skimmed to see if anything else had been posted about this and I don't see anything in particular, so I thought I'd ask my specific question. I have two sites, both connected via high speed internet and both running ClearOS 7.2 as the VPN servers. Site A has ClearOS 7.2 as the default gateway running the IPsec service. Site B has the IPsec service running on a ClearOS 7.2 machine behind their default gateway, so I've port forwarded 500 to its specific IP address. At this point I've filled in (on both sides) the connection name, connection mode (automatic), local WAN IP from the drop down, Local LAN Subnet (side A 192.168.2.0/24 & side B 192.168.1.0/24); the optional settings (Local Gateway IP & Local LAN IP) on both sides have been left blank for now. The Remote WAN IP has been filled in with the WAN IP of the respective sides. The Remote LAN Subnet is set up as well for the remote side's local subnet, and again the optional options have been left blank. Both sides have the same pre-shared key.
The output from /var/log/ipsec is
Sep 22 16:22:25 router pluto: forgetting secrets
Sep 22 16:22:25 router pluto: loading secrets from "/etc/ipsec.secrets"
Sep 22 16:22:25 router pluto: loading secrets from "/etc/ipsec.d/ipsec.un$
Sep 22 16:22:27 router pluto: "davlijah": deleting connection
Sep 22 16:22:27 router pluto: | certificate not loaded for this end
Sep 22 16:22:28 router pluto: | certificate not loaded for this end
Sep 22 16:22:28 router pluto: added connection description "davlijah"
That repeats over and over.
The output from /var/log/ipsec-20160921 is
Sep 20 13:19:32 router pluto: packet from SiteB.wanip:500: initial Main Mode message received on SiteA.wanip:500 but no connection has been authorized with policy IKEV1_ALLOW
I have a connection over both setups so if something is necessary from SiteA or B please let me know and I can supply it. I've never set up an IPSec VPN before, this is the first time I've ever tried. So go easy on me if something is blatantly obvious. Thanks guys!