Access device via openvpn through ipsec tunnel
-
Hi,
I am connect to FW1 using openvpn and have an ip in range 10.10.10.0/24
The LAN at FW1 is in range 10.0.1.0/24 and I can reach devices in that range.
The WAN ip is in range 192.168.0.0/24But there is an ipsec tunnel between FW1 and FW2 using the real public ip's , eg 81.84.100.102 and 81.86.145.120
FW2's local LAN is 10.0.2.0/24, the WAN ip is also in range 192.168.0.0/24
The WAN ip's are in 192.168 as these are dynamic public ip's and the modem than has a dhcp to the firewalls. These ip's rarely change, so the ipsec tunnels should work for a long time. It only changes if the modem might be offline for a long time.
So the ipsec tunnel is also working.
BUT, if I try to reach the range 10.0.2.0/24 through the openvpn, so from my laptop, it responds with: COMPUTER SAYS NO.
How can I make it possible I can reach from my laptop to a device on the second firewall?
-
@nick-loenders said in Access device via openvpn through ipsec tunnel:
FW2's local LAN is 10.0.2.0/24
You need to add this network to the "Local networks" in the OpenVPN server settings to push the route to the client.
Further in IPSec you have to add an additional phase 2 tunnel to connect the site 2 LAN with the OpenVPN tunnel network.
So on FW1 set
Local network: 10.10.10.0/24
remote network: 10.0.2.0/24
and on FW2 the other way round. -
In openpvn server, I have the settings like that.
In the ipsec, I have to have two P2's then ? 1 with local subnet LAN and one local subnet the 10.10.10 ?
-
@nick-loenders
Yes. You need the second p2 also on FW2 to establish the tunnel. -
On FW2:
And in the openvpn on FW1:
I get a request timed out when I try to ping the device on site 1, allthough the firewall says it is ok:
Also for the ping to the device on site 2 :
But I cannot ping it, or visit the webpage?? :(
Strangest thing is, before I could ping/access the device on site 1 ?
-
@nick-loenders
Why did you state 10.0.0.0/8 in your p2 for the remote site? And that on both sites.
That cannot work since the networks are overlapping.Configure the phase 2 with the correct networks.
-
What if I have 8 sites? I cannot never do 10.0.0.0/8 on site 1 ?
-
@nick-loenders said in Access device via openvpn through ipsec tunnel:
I cannot never do 10.0.0.0/8 on site 1 ?
You can, but not if it's overlapping the local networks on the other site.
10.0.1.0/24 and 10.0.2.0/24 are both parts of 10.0.0.0/8. So if you state this in the p2 pfSense cannot route.
-
First to let you know it worked, for the 2 sites.
But for more sites, I need to do this then on site1: -
@viragomann
Nevermind the previous post... this is to another public ip, so is another P1 off course -
@nick-loenders
Anyway, if you have sequenced subnets like these you can embrace them in the p2 using an appropriate mask. But with a local LAN of 10.0.1.0/24 you run into risk of overlapping.So if the LAN here is 10.0.1.0/24 you could only merge tunnel 2 and 3 by stating 10.0.2.0/23 as the remote network.
If you have control over all involved site you should consider this when designing the networks.