Muliple VPN configuration help
-
Hi all-
Not a network novice but not expert either! I have created this network and am in a little over my head.
All of the VPNs are working and both PCs can acess all resources or both networks via IPsec VPN. Both laptops can access resources from their respective networks but not each others. I dont need both of the "Road Warrior" VPNs. Ideally I would just like to use the Wireguard VPN once I figure out how to access resources on the Ubiquiti side. I used Christian's excellent tutorial to setup the Wireguard but thats as far as my knowledge goes. I could really use some advice here :)Thanks,
James -
@jnewman33 I gave up trying to get IPsec working with USG3. The tunnel came up but would not route properly. I tried static routes and lots of other work arounds without success. I ended up replacing the USG3 with a Netgate 1100.
-
@jake Thanks for the reply. I had assumed that since the PCs were seeing both networks that the IPsec was working properly. Are you saying that minus the USG weirdness my laptops should be able to access all resources already given this configuration?
-
@jnewman33 Just so I understand. If a "road warrior" connects to the USG firewall they cannot access the pfSense network?
-
@jake That is correct. Also have the problem the other way around as well. I would be happy if I could just get the "road warrior" wireguard VPN to see the Ubiquiti side.
-
@jnewman33 I'm more familiar with OpenVPN but I'd assume you'd need to push the routes for the remote network to the wireguard client or if it's routed then setup the routes to be accessible to wireguard.
-
@jake Thanks for your continued help here. I may abandon the wireguard for now and switch to OpenVPN into pfsense for now. I was excited to the get the wireguard working but its unique interface is beyond what I can manage without someone like Christian's help.
-
@jake I have now created an OpenVPN connection for remote access to pfsense. I believe that now I need to push routes and maybe create rules in order to see the other side of my IPsec tunnel? Would you have any guidence here ?
-
I assume you are using policy based IPSec between the two sites?
If so you need to have policies in place to cover the traffic from the road warrior tunnel subnets in addition to the two local LANs.
Steve
-
Thanks for replying. I have simplified my diagram a bit:
To simplify matters I am no just using OpenVPN into pfsense. That VPN works and is providing access to pfsense resources as expected.
I am assuming the site-to-site is policy based but I am confused as how to configure the addition of the OpenVPN subnet (10.10.50.0/24).
Appreciate any help you can provide.
-
OK so in order for OpenVPN users to access resources in the 10.10.33.0/24 subnet the IPSec tunnel needs to have a Phase2 policy configured for 10.10.20.0/24 to 10.10.33.0/24.
You probably only have one P2 policy defined and it will be for 10.10.34.0/24 to 10.10.33.0/24 so traffic from the OpenVPN is not carried.
What is you current IPSec config?
Steve
-
Thanks for your help here. I actually had created a second P2 but had created it backwards. Fixed that up and now all works.
Thanks again,
James
