Netgate Discussion Forum

    OpenVPN Traffic to IPsec sites

    General pfSense Questions
    9 Posts 2 Posters 863 Views 2 Watching
    tohil

      Hi

      I have some IPsec site-to-site VPN tunnels and I am using OpenVPN for remote access.
      OpenVPN should enable users to access destinations behind the IPsec tunnels.

      I have configured an additional IPsec phase 2 with the OpenVPN pool IP as local source and BINAT to a virtual address.

      It seems that since the upgrade to 2.5.x this is not working anymore... at the moment I cannot ping a destination over the tunnels. OpenVPN client (route all traffic to tunnel) -> pfSense OpenVPN server -> IPsec -> remote site IPsec gateway -> target subnet

      Anyone else with this issue?

      stephenw10 (Netgate Administrator)

        What did you upgrade from?

        That should work in 2.5.2 though. Do you see the additional P2s established?

        Do you see the traffic counters increasing when you try to send traffic across them?

        Steve

        tohil @stephenw10

          @stephenw10 I used 2.4.5 before.

          The additional P2s are not coming up, but there are no errors or such stuff in the IPsec log.

          I have hits on the firewall rule.... It seems the traffic is not routed from OpenVPN into the IPsec tunnel or in its direction to establish it.

          stephenw10 (Netgate Administrator)

            You see traffic blocked in the firewall log? What is blocked and where?

            If the P2 isn't even trying to come up then the IPsec daemon isn't seeing the interesting traffic.

            Steve

            tohil @stephenw10

              @stephenw10
              Hi Stephen,

              Sorry for the delay in my answer. I was not able to perform further tests until now.

              Here are some details about my setup:

              Internal Network: 192.168.5.0/24
              OpenVPN Client Pool: 192.168.250.0/24

              Remote IPsec Subnet: 172.22.65.0/24

              I have two IPsec phase 2s on the pfSense:

              one for local network 192.168.5.0/24 and another for local network 192.168.250.0/24,
              both using the same BINAT source address 10.66.66.66.

              On the remote site I use the BINAT address as the remote network.

              I have around 26 of these phase 2 connections. At the moment it seems that just one of them is "accepting" traffic from OpenVPN clients.

              tohil @tohil
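Steve's point earlier in the thread (a P2 that never even tries to come up means the IPsec daemon never saw the interesting traffic) can be checked by correlating the firewall log with the list of established P2s. The script below is an added example, not code from this thread or from pfSense: it parses constructed filterlog lines in pfSense's IPv4 CSV layout, maps each flow the firewall passed on an OpenVPN interface to the phase 2 it should trigger using the subnets from the post above, and lists flows whose P2 has no SA. The P2 names, the log lines and the set of established P2s are hypothetical.

```python
import csv
import ipaddress
from io import StringIO

# Phase 2 entries assumed from the post: name -> (local subnet, BINAT address, remote subnet).
# Names are hypothetical; the subnets and BINAT address are the ones given in the thread.
PHASE2 = {
    "lan-to-site":  ("192.168.5.0/24",   "10.66.66.66", "172.22.65.0/24"),
    "ovpn-to-site": ("192.168.250.0/24", "10.66.66.66", "172.22.65.0/24"),
}

# Constructed filterlog lines (pfSense IPv4 layout; fields 5/7/19/20 are
# real interface, action, source address, destination address).
FILTERLOG = """\
100,,,1000000103,ovpns1,match,pass,in,4,0x0,,64,1,0,none,1,icmp,84,192.168.250.10,172.22.65.5,request,1,1
100,,,1000000103,ovpns1,match,pass,in,4,0x0,,64,2,0,none,6,tcp,60,192.168.250.11,172.22.65.20,51000,443,0,S,1,,65535,,mss
100,,,1000000103,ovpns1,match,pass,in,4,0x0,,64,3,0,none,17,udp,60,192.168.250.12,192.168.5.9,5353,5353,40
"""


def parse_flows(log_text):
    """Return (interface, action, src, dst) for each IPv4 filterlog line."""
    flows = []
    for row in csv.reader(StringIO(log_text)):
        if len(row) < 20 or row[8] != "4":   # skip short/IPv6 rows
            continue
        flows.append((row[4], row[6], row[18], row[19]))
    return flows


def phase2_for(src, dst):
    """Name of the P2 whose pre-BINAT local subnet and remote subnet cover src -> dst, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, (local, _binat, remote) in PHASE2.items():
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return name
    return None


def stuck_flows(log_text, established):
    """Flows passed in on an OpenVPN interface whose matching P2 has no SA.

    These are the packets that should have triggered the P2; if it still is not
    up, IPsec is not seeing them as interesting traffic.
    """
    stuck = []
    for iface, action, src, dst in parse_flows(log_text):
        if action != "pass" or not iface.startswith("ovpns"):
            continue
        p2 = phase2_for(src, dst)
        if p2 is not None and p2 not in established:
            stuck.append((src, dst, p2))
    return stuck
```

Feed it the real filter log and the names of P2s that `swanctl --list-sas` shows as established; anything listed points at traffic that passed the firewall but never reached the tunnel.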

                I've rebooted the pfSense box on my side and now it works.... That's really not what I expected :-)

                stephenw10 (Netgate Administrator)

                  Hmm, no not what I would expect either. You might have a tunnel that can only establish from one direction maybe. Or perhaps an incorrect state still open.

                  Steve

                  tohil @stephenw10

                    @stephenw10 said in OpenVPN Traffic to IPsec sites:

                    Hmm, no not what I would expect either. You might have a tunnel that can only establish from one direction maybe. Or perhaps an incorrect state still open.

                    Steve

                    Maybe... I will observe this over the next few days.

                    Regards

                    tohil

                      I had the "firewall optimization options" set to "conservative" and changed this now back to "normal".

                      Maybe......

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.