OpenVPN client talking to IPSec tunnels?
-
I have a pfsense box that has 10 IPsec tunnels to other networks. From the local LAN segment, I can access any machine on any of those 10 IPsec tunnels.
There is also an OpenVPN server configured on that pfsense box that I use to connect when I'm traveling. It works perfectly for talking to any machine on the LAN. However, I need to also access the machines on the IPsec tunnels from the OpenVPN connection.
What's the trick to making that work?
-
Add the remote IPsec networks to Local networks in the OpenVPN server so the client knows to route them over OpenVPN. This is unnecessary if you are pushing a default gateway (Redirect gateway checked).
Create IPsec Phase 2 entries between the IPsec networks and the OpenVPN tunnel network.
As always, make sure firewall rules pass the traffic.
-
I was scratching my head little over adding the remote IPsec networks to local networks in OpenVPN. Apparently when you try to edit an existing OpenVPN network through the UI, the Local Network fields are not presented…
???
I'll just build a new one for testing...
-
I decided not to worry about the OPVN config for now, since I push a default gateway. Connected OPVN clients happily try to connect to IP addresses on the remotely connected IPsec network. According to the firewall logs, the traffic is being passed out to the IPsec net.
Strictly for testing purposes, I added a rule to the firewall on the IPSec tab that allows any to any.
I'm unable to get anything back; not even an indication that the firewall is denying the traffic. I messed about with adding a P2 entry for the /24 used by the OPVN network, but no joy. Since I have no idea what to use for the Phase 2 key exchange, I duplicated one of the existing P2 entries, and modified the local network to point to the /24 used by OPVN.
I talked to our cisco guy, he doubted it would work. Some kind of trickery required or some such.
Currently I don't have access to any device on the remote network that I can use to do any testing from that side. Oh well… Will have to pick this up later I guess.
-
hi everybody
is there anyone could send config screen photos please
i am trying to do as same as that
i have ipsec tunnel from 192.168.30.0/24(pfsense) to 192.168.10.0/24 (tplink)
i have openvpn tunnel 192.168.14.0/28 on the side of 192.168.30.0/24 (here i have pfsense)
so i when i connect with openvpn i can comunicate all of the network of 192.168.30.0/24 but i want to comunicate also with remote network of ipsec is is posible ?
many thanks for everybody to helping me to solve this -
You need to add a phase two on your IPsec that passes traffic between 192.168.14.0/24 on the pfSense side and 192.168.10.0/24 on the TPLink side. This will need to be done on both sides just like between 192.168.30.0/24 and 192.168.10.0/24.
You need to add 192.168.10.0/24 as a local network on the OpenVPN server so it is pushed to the clients and they know to send traffic for that network over OpenVPN.
Then make sure all the firewall rules pass the necessary traffic.
-
thanks for reply and sorry for my poor english
can you see my attachment photoS
like this
 -
after the passing all screen capture
i restart both side and it is working
please i wuold like that administrator of this forum lock this part who need help same subject in the future
thanks derelict.
