Netgate Discussion Forum

OVPN Client ---> PfSense ---> IPSEC ---> Server

Routing and Multi WAN
    Vfisher
    last edited by Apr 10, 2022, 3:29 AM

    I need to access an application on the other end of an IPSEC VPN through an OpenVPN client.

    I don't have access on the other end of IPSEC, so I can't create a phase 2 to declare my OpenVPN network and I can't use VTI.

    Attached is the network topology. I believe I will have to use a NAT, but I'm not getting it. Thanks to anyone who can help. (attachment: topologia.jpeg)

      viragomann @Vfisher
      last edited by Apr 10, 2022, 8:58 AM

      @vfisher
      You can add an additional BINAT / PAT phase 2 using the same local network.
      How is your primary P 2 configured?

      At site B there is already a BINAT rule?

        Vfisher @viragomann
        last edited by Apr 11, 2022, 3:06 AM

        @viragomann Thanks for your answer!

        I don't know how to create an additional BINAT/PAT, I would be grateful if you could give me an example.

        Here is my phase 2 configuration screen.

        Thank you! (attachment: phase2.png)

          viragomann @Vfisher
          last edited by Apr 11, 2022, 7:58 AM

          @vfisher
          So you use already BINAT with quite small networks.

          The options to configure an additional BINAT depend on the phase 2 of the remote site, and I suspect that you don't know it.
          But since your existing P 2 already translates from a /24 to a /30 it's not a 1:1 translation anyway, but many to few.

          So I think you can do the same for the VPN clients. Add an additional P 2, at Local Network state the OVPN tunnel network and do all over settings equal to the existing P 2.

            Vfisher
            last edited by Apr 11, 2022, 1:56 PM

            You are right...I don't have access to the other end, and the IT staff told me they can't set up a second phase 2.

            In the case of the OpenVPN that I use to connect to the office network is a Client to Site, I tried to include a route in the client, but it didn't work either.

              viragomann @Vfisher
              last edited by Apr 11, 2022, 2:31 PM

              @vfisher
              You need also to push the route to the remote IP to the OpenVPN clients, of course.
              So you have to add "172.31.17.150/32" to the "IPv4 Local Networks" in the server settings. Have you done this already?

              Also ensure that firewall rules on the VPN interface allow access.

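To make the two conditions from this thread concrete (a phase 2 whose local network covers the OpenVPN tunnel, plus a pushed route to the remote host), here is an added Python model of pfSense's phase 2 selection and the "IPv4 Local Networks" push. It is not code from the forum or from pfSense; the 192.168.10.0/24 LAN, 10.8.0.0/24 tunnel network and 10.99.0.0/30 NAT pool are assumed placeholders, only 172.31.17.150 comes from the thread.

```python
import ipaddress as ip

# All addresses below except 172.31.17.150 are constructed placeholders.
REMOTE_HOST = "172.31.17.150/32"   # the application server behind the remote IPsec peer


def phase2(local, nat, remote):
    """One pfSense IPsec phase 2: local subnet, NAT/BINAT subnet (or None), remote subnet."""
    return {
        "local": ip.ip_network(local),
        "nat": ip.ip_network(nat) if nat else None,
        "remote": ip.ip_network(remote),
    }


def nat_mode(p2):
    """'1:1' (BINAT) only if the NAT subnet is at least as large as the local subnet;
    a /24 translated to a /30 is many-to-few, i.e. overload/PAT, as noted in the thread."""
    if p2["nat"] is None:
        return "none"
    return "1:1" if p2["nat"].num_addresses >= p2["local"].num_addresses else "overload"


def select_p2(p2s, src, dst):
    """First phase 2 whose local/remote pair matches a src->dst packet (SPD-style lookup).
    Returns None when no P2 covers the source, which is the OpenVPN client's problem."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for p2 in p2s:
        if src in p2["local"] and dst in p2["remote"]:
            return p2
    return None


def client_can_reach(p2s, pushed_local_networks, client_ip, dst):
    """A client needs BOTH: a route pushed via 'IPv4 Local Networks' for dst,
    and a phase 2 whose local network includes its tunnel address."""
    dst_addr = ip.ip_address(dst)
    routed = any(dst_addr in ip.ip_network(n) for n in pushed_local_networks)
    return routed and select_p2(p2s, client_ip, dst) is not None


if __name__ == "__main__":
    existing = phase2("192.168.10.0/24", "10.99.0.0/30", REMOTE_HOST)   # assumed existing P2
    for_ovpn = phase2("10.8.0.0/24", "10.99.0.0/30", REMOTE_HOST)       # extra P2 for the tunnel
    print("existing P2 NAT mode:", nat_mode(existing))
    print("client, P2 only:", client_can_reach([existing, for_ovpn], ["192.168.10.0/24"], "10.8.0.6", "172.31.17.150"))
    print("client, P2 + route:", client_can_reach([existing, for_ovpn], ["192.168.10.0/24", "172.31.17.150/32"], "10.8.0.6", "172.31.17.150"))
```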
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.