OpenVPN Traffic to IPsec sites

tohil

hi

I have some IPsec site-to-site vpn tunnels and using OpenVPN for remote access.
OpenVPN should enable Users to access destinations behind IPsec tunnels.

I have configured additional ipsec phase2 with the openvpn pool ip as local sourcen and binat to a virtual adress.

it seems that since upgrade to 2.5.x this is not working anymore... at the moment I can not ping a destination over the tunnels. OpenVPNClient (Route all traffic to Tunnel) -> PFsense OpenVPN Server -> IPSEC -> Remote Site IPsec gateway -> target Subnet

anyone else with this issue?

stephenw10

What did you upgrade from?

That should work in 2.5.2 though. Do you see the additional P2s established?

Do you see the traffic counters increasing when you try to send traffic across them?

Steve

tohil

@stephenw10 I used 2.4.5 before.

the additional P2 are not coming up, but there are no erros or such stuff in the ipsec log.

i have hits on the firewall rule.... it seems the traffic is not routet from openvpn in to the ipsec tunnel or in its direction to establish it

stephenw10

You see traffic blocked in the firewall log? What is blocked and where?

If the P2 isn't eve trying to come up then the IPSec daemon isn't seeing the interesting traffic.

Steve

tohil

@stephenw10
Hi Stephen,

sorry for the delay in my answer. I was not able to perform some further tests until now.

here some details about my setup:

Internal Network: 192.168.5.0/24
OpenVPN Client Pool: 192.168.250.0/24

Remote IPsec Subnet: 172.22.65.0/24

I have two VPN Phase 2 on the pfsense

one for local network 192.168.5.0/24 and an other for local network 192.168.250.0/24
both using the same BINAT source address 10.66.66.66

on the remote site I use the BINAT as remote network.

I have around 26 of these phase 2 connections. at the moment it seems that just one of them is "accepting" traffic from openvpn clients.

tohil

I've rebooted the pfsense box on my side and now it works.... thats realy not what I've expected :-)

stephenw10

Hmm, no not what I would expect either. You might have a tunnel that can only establish from one direction maybe. Or perhaps an incorrect state still open.

Steve

tohil

@stephenw10 said in OpenVPN Traffic to IPsec sites:

Hmm, no not what I would expect either. You might have a tunnel that can only establish from one direction maybe. Or perhaps an incorrect state still open.

Steve

Maybe... I will observe this the next days.

regards

tohil

I had the "firewall optimization options" set to "conservative" and changed this now back to "normal".

maybe......