Netgate Discussion Forum

Access device via openvpn through ipsec tunnel

Category: IPsec. Tags: ipsec, routing, openvpn, config. 11 Posts, 2 Posters, 1.3k Views.
    nick.loenders
    last edited by Nov 22, 2022, 9:17 AM

    Hi,

    I am connected to FW1 using OpenVPN and have an IP in range 10.10.10.0/24.

    The LAN at FW1 is in range 10.0.1.0/24 and I can reach devices in that range.
    The WAN IP is in range 192.168.0.0/24.

    But there is an IPsec tunnel between FW1 and FW2 using the real public IPs, e.g. 81.84.100.102 and 81.86.145.120.

    FW2's local LAN is 10.0.2.0/24, the WAN IP is also in range 192.168.0.0/24.

    The WAN IPs are in 192.168 as these are dynamic public IPs and the modem then has DHCP to the firewalls. These IPs rarely change, so the IPsec tunnels should work for a long time. It only changes if the modem might be offline for a long time.

    So the IPsec tunnel is also working.

    BUT, if I try to reach the range 10.0.2.0/24 through the OpenVPN, so from my laptop, it responds with: COMPUTER SAYS NO.

    How can I make it possible to reach a device on the second firewall from my laptop?

      viragomann @nick.loenders
      last edited by Nov 22, 2022, 1:38 PM

      @nick-loenders said in Access device via openvpn through ipsec tunnel:

      FW2's local LAN is 10.0.2.0/24

      You need to add this network to the "Local networks" in the OpenVPN server settings to push the route to the client.

      Further, in IPsec you have to add an additional phase 2 tunnel to connect the site 2 LAN with the OpenVPN tunnel network.

      So on FW1 set
      Local network: 10.10.10.0/24
      remote network: 10.0.2.0/24
      and on FW2 the other way round.

        nick.loenders @viragomann
        last edited by Nov 22, 2022, 1:41 PM

        @viragomann

        In the OpenVPN server, I have the settings like that.

        In the IPsec, I have to have two P2s then? One with local subnet LAN and one with local subnet 10.10.10?

          viragomann @nick.loenders
          last edited by Nov 22, 2022, 1:43 PM

          @nick-loenders
          Yes. You need the second P2 also on FW2 to establish the tunnel.

            nick.loenders @viragomann
            last edited by nick.loenders Nov 22, 2022, 2:20 PM (posted Nov 22, 2022, 2:19 PM)

            @viragomann

            So on FW1:
            [screenshot: 75923856-0f97-4f36-bf23-d565a95f404b-image.png]

            On FW2:

            [screenshot: 608a10e6-9fda-451c-8fc6-b91d1655f235-image.png]

            And in the OpenVPN on FW1:

            [screenshot: 0dd89501-be42-45cc-adc0-0ef402924def-image.png]

            I get a request timed out when I try to ping the device on site 1, although the firewall says it is ok:
            [screenshot: fe98dfbe-c199-474f-b5c7-a7bbdc44cbe4-image.png]

            Also for the ping to the device on site 2:
            [screenshot: 3b734ad9-c59b-4f3f-a4ce-0f4686602f13-image.png]

            But I cannot ping it, or visit the webpage?? :(

            Strangest thing is, before I could ping/access the device on site 1?

              viragomann @nick.loenders
              last edited by Nov 22, 2022, 2:29 PM

              @nick-loenders
              Why did you state 10.0.0.0/8 in your P2 for the remote site? And that on both sites.
              That cannot work since the networks are overlapping.

              Configure the phase 2 with the correct networks.

                nick.loenders @viragomann
                last edited by Nov 22, 2022, 2:36 PM

                @viragomann

                So, on site 1:
                [screenshot: f37cb8ef-12fe-45a0-9fdb-e6a7241b17c8-image.png]

                On site 2:
                [screenshot: 9140013a-7e5a-4f86-807f-ff1768a83fd1-image.png]

                What if I have 8 sites? I can never do 10.0.0.0/8 on site 1?

                  viragomann @nick.loenders
                  last edited by Nov 22, 2022, 2:56 PM

                  @nick-loenders said in Access device via openvpn through ipsec tunnel:

                  I can never do 10.0.0.0/8 on site 1?

                  You can, but not if it's overlapping the local networks on the other site.

                  10.0.1.0/24 and 10.0.2.0/24 are both parts of 10.0.0.0/8. So if you state this in the P2, pfSense cannot route.

                    nick.loenders @viragomann
                    last edited by Nov 22, 2022, 3:08 PM

                    @viragomann

                    First, to let you know it worked for the 2 sites.
                    But for more sites, I need to do this then on site 1:

                    [screenshot: aff5464e-abbc-477d-a206-37b83f03376f-image.png]

                      nick.loenders @nick.loenders
                      last edited by Nov 22, 2022, 3:27 PM

                      @viragomann
                      Never mind the previous post... this is to another public IP, so it is another P1 of course.

                        viragomann @nick.loenders
                        last edited by Nov 22, 2022, 3:41 PM

                        @nick-loenders
                        Anyway, if you have sequenced subnets like these you can embrace them in the P2 using an appropriate mask. But with a local LAN of 10.0.1.0/24 you run the risk of overlapping.

                        So if the LAN here is 10.0.1.0/24 you could only merge tunnel 2 and 3 by stating 10.0.2.0/23 as the remote network.

                        If you have control over all involved sites you should consider this when designing the networks.

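The two rules viragomann gives above (a P2 remote selector must not overlap the firewall's own networks, and adjacent site LANs such as 10.0.2.0/24 and 10.0.3.0/24 can be merged into 10.0.2.0/23), as an added example that is not from the thread or from pfSense: a small Python check using the thread's addresses, with function and variable names of my own.

```python
# Added example: sanity-check pfSense IPsec phase 2 (P2) selectors the way
# the thread describes. Addresses follow the thread; names are constructed.
import ipaddress
from typing import Iterable, List, Tuple

IPv4 = ipaddress.IPv4Network

# FW1's own networks: its LAN plus the OpenVPN tunnel network. Both need a
# P2 entry towards the far LAN so OpenVPN clients can reach site 2.
FW1_LOCAL = [IPv4("10.0.1.0/24"), IPv4("10.10.10.0/24")]


def overlapping_locals(remote: str, local_nets: Iterable[IPv4]) -> List[IPv4]:
    """Return the local networks a proposed P2 remote selector overlaps.
    An empty list means the selector is usable; 10.0.0.0/8 is not, since it
    swallows the firewall's own 10.0.1.0/24 and 10.10.10.0/24."""
    r = IPv4(remote)
    return [n for n in local_nets if r.overlaps(n)]


def merged_remote_selectors(site_lans: Iterable[str],
                            local_nets: Iterable[IPv4]) -> List[str]:
    """Collapse adjacent remote site LANs into the fewest aligned supernets
    (10.0.2.0/24 + 10.0.3.0/24 -> 10.0.2.0/23) and refuse any that would
    overlap a local network. collapse_addresses never widens beyond its
    input, so a gap such as the local 10.0.1.0/24 is never absorbed."""
    merged = list(ipaddress.collapse_addresses(IPv4(s) for s in site_lans))
    local = list(local_nets)
    bad = [str(m) for m in merged if overlapping_locals(str(m), local)]
    if bad:
        raise ValueError(f"P2 remote selectors overlap local networks: {bad}")
    return [str(m) for m in merged]


def phase2_entries(local_nets: Iterable[IPv4],
                   remote_selectors: Iterable[str]) -> List[Tuple[str, str]]:
    """One (local, remote) P2 pair per local network and remote selector."""
    remotes = list(remote_selectors)
    return [(str(loc), rem) for loc in local_nets for rem in remotes]


def mirrored(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """The same P2 list as a single far-end firewall must configure it."""
    return [(remote, local) for local, remote in entries]


if __name__ == "__main__":
    print(overlapping_locals("10.0.0.0/8", FW1_LOCAL))   # both locals hit
    two = merged_remote_selectors(["10.0.2.0/24", "10.0.3.0/24"], FW1_LOCAL)
    print(two)                                            # ['10.0.2.0/23']
    print(merged_remote_selectors([f"10.0.{i}.0/24" for i in range(2, 9)], FW1_LOCAL))
    fw1 = phase2_entries(FW1_LOCAL, ["10.0.2.0/24"])
    print(fw1, mirrored(fw1))                             # FW1 list, FW2 list
```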
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.