Agreed, thats the only way you could do that.

You have both local networks listed in the OpenVPN Server instance?

This is how I do it:

https://forum.pfsense.org/index.php?topic=84463.msg463226#msg463226

When I behind the first Pfsense with my mobile phone (connected with WIFI), connected with OpenVPN I have same issues. Then when I switch off the wifi and try the same over the mobile data connection, it works fine. So this suggest nothing to do with client…

Works like a charm! Thank you very much :D

Dude WTF does public vs private or domain have to do with it??  That is just setting your firewall rules that would be inbound rules to that box, not outbound.

I am on 2.2.3 and it works perfectly as well - a vpn interface does NOT get a GATEWAY!!!  its a TUNNEL!!!

Connect to your vpn, post up your route print output and your ipconfig /all output  and what IP you trying to get too?

OK, so we've finally came to a conclusion: I missed the "peer to peer" vs "remote access" configuration, but now that you guys mentioned it makes perfect sense. I'll try to see what I can do and post my findings here, should anyone be interested.

On a more general topic, @doktornotor, I really appreciate your suggestions and technical feedback (although I don't agree with some of them you have a fair technical point / concern). What I didn't appreciate that much was the tone and little sarcasm which I think could have been avoided.

Thanks

what are these virtual ip's you are talking about?

could it be a nat issue? one side of the site-2-site thats natting towards the other end ?

Yup - it's enabled on both ends and the proper key is used on both ends.

Hi, Thanks for the reply.

After a bit of a voyage of discovery I was able to ping only those clients using the new gateway device (the clone) so you are indeed correct, they are on the same subnet but different IP's for the gateway.

Guess the only way to fully test this is to clone the live system and then bring it up using the same gateway IP address as the live (after taking the live offline)
Drac

When you make the connection it will add routes..

You can bump up the logging verbosity to view them being added..

example, here is my currently connecting to my pfsense openvpn setup at home..  See the routes get added

Mon Jul 13 16:38:31 2015 Successful ARP Flush on interface [22] {5A2F7EEA-6ED4-4F64-84E8-6A9A17179285}
Mon Jul 13 16:38:36 2015 TEST ROUTES: 4/4 succeeded len=4 ret=1 a=0 u/d=up
Mon Jul 13 16:38:36 2015 MANAGEMENT: >STATE:1436823516,ADD_ROUTES,,,
Mon Jul 13 16:38:36 2015 C:\Windows\system32\route.exe ADD 192.168.9.0 MASK 255.255.255.0 10.0.8.5
Mon Jul 13 16:38:36 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Mon Jul 13 16:38:36 2015 Route addition via IPAPI succeeded [adaptive]
Mon Jul 13 16:38:36 2015 C:\Windows\system32\route.exe ADD 192.168.2.0 MASK 255.255.255.0 10.0.8.5
Mon Jul 13 16:38:36 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Mon Jul 13 16:38:36 2015 Route addition via IPAPI succeeded [adaptive]
Mon Jul 13 16:38:36 2015 C:\Windows\system32\route.exe ADD 192.168.3.0 MASK 255.255.255.0 10.0.8.5
Mon Jul 13 16:38:36 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Mon Jul 13 16:38:36 2015 Route addition via IPAPI succeeded [adaptive]
Mon Jul 13 16:38:36 2015 C:\Windows\system32\route.exe ADD 10.0.8.1 MASK 255.255.255.255 10.0.8.5
Mon Jul 13 16:38:36 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Mon Jul 13 16:38:36 2015 Route addition via IPAPI succeeded [adaptive]

if you add

verb 4

to your config you should get more details..

routesopenvpn.png
routesopenvpn.png_thumb

what are you rules in your openvpn tab?

What do you want to do?  Do you want to route all traffic through your vpn, or only use the vpn to access the networks behind the vpn?

Do a route print from your client to see your routes

If the goal is to get VPN going between the ASA and pfsense, the most straightforward approach is to use ipsec vpn on both.

The ASA doesn't support OpenVPN.

the ASA does support ipsec vpn client connections and I just saw a package for Synology NAS units that apparently lets you connect to a Cisco concentrator.  I haven't looked at it much yet but it might be possible to get raccoon running on the pfsense box.  There's a discussion of raccoon on BSD here:

https://matt.bionicmessage.net/blog/2011/06/18/Configuring%20Racoon%20on%20FreeBSD%20to%20connect%20to%20a%20Cisco%20IPSec%20VPN

I don't know how much good that will do you - I don't know if you can use clients behind the system to connect to the far side once you've got pfsense connected to the ASA.

Thanks!

@Supermule:

The good thing is that the way OpnSense is built its updates are quite frequent

https://forum.opnsense.org/index.php?topic=944.0

Allready getting patches later today.

Those "quite frequent" updates are easy when you don't do any testing. If it had applied, those who wanted a fix would have had one within an hour via 2.2.4 snapshots, with release soon to follow (still is coming soon, just not because of this) after it's been tested. But better off if you don't need patches at all because you aren't running two diff copies of OpenSSL unnecessarily.