Port Forward from OpenVPN to IPSEC
-
Hi everyone,
Here's the situation: I'm managing a pfSense instance configured with three interfaces - WAN, LAN (192.168.190.0/24), and an OpenVPN setup for roadwarrior clients (172.16.0.0/24 subnet) with routing to the LAN. I need to enable these OpenVPN clients to connect to a couple of hosts on a remote subnet (10.0.0.0/24), which is connected via IPSec Site-to-Site (S2S) between my pfSense and a firewall (let's call it FW02) owned by another company. Both 172.16.0.0/24 (OVPN) and 10.0.0.0/24 (IPSEC) are connected to the LAN interface (192.168.190.0/24). There is no direct routing between OVPN and IPSEC. I thought I could link some hosts between the two with a Port Forward on the LAN, but so far my configurations have been unsuccessful.
Is a NAT/Port Forward feasible or do I absolutely need to route OVPN subnet through the IPSEC? Can you please point me in the right direction?
The scheme would be:
OVPN -> LAN -> NAT/PAT -> IPSEC
Thanks
-
@Sysman said in Port Forward from OpenVPN to IPSEC:
> I thought I could link some hosts between the two with a Port Forward on the LAN

This might work if you also do masquerading on them. But this seems to be a dirty workaround.

> Is a NAT/Port Forward feasible or do I absolutely need to route OVPN subnet through the IPSEC?

I assume you have a policy-based IPSec. So yes, it could be routed and natted over an additional LAN host, but the clean solution is to add a phase 2 for the OpenVPN tunnel.
If you cannot make changes on the remote site, you can try to NAT the traffic in an additional phase 2 to an IP out of the LAN subnet, but this isn't accepted by all IPSec implementations.
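
The selector logic behind the answer above, as an added example that is not part of the original posts and is not pfSense code: a simplified Python model of policy-based phase 2 matching using the thread's subnets. The NAT address 192.168.190.250, the client and host addresses, and the `allow_narrowing` switch (one possible reason a peer refuses the NAT variant) are assumptions.

```python
import ipaddress

# Subnets are from the thread; NAT_IP is an assumed free LAN address.
LAN, OVPN, REMOTE = "192.168.190.0/24", "172.16.0.0/24", "10.0.0.0/24"
NAT_IP = "192.168.190.250/32"

def net(cidr):
    return ipaddress.ip_network(cidr)

def enters_tunnel(src_ip, dst_ip, phase2):
    """Policy-based IPsec: a packet is tunnelled only if its source and
    destination fall inside the (local, remote) networks of a phase 2."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in net(l) and dst in net(r) for l, r, _nat in phase2)

def proposed_selector(entry):
    """Selector offered to the peer: with NAT, the translated address
    replaces the real local network."""
    local, remote, nat = entry
    return net(nat or local), net(remote)

def peer_accepts(entry, peer_phase2, allow_narrowing):
    """peer_phase2 lists (our side, their side) pairs configured on FW02.
    allow_narrowing is an assumption modelling peers that accept a
    selector smaller than the one they have configured."""
    src, dst = proposed_selector(entry)
    for p_src, p_dst in peer_phase2:
        p_src, p_dst = net(p_src), net(p_dst)
        if (src, dst) == (p_src, p_dst):
            return True
        if allow_narrowing and src.subnet_of(p_src) and dst.subnet_of(p_dst):
            return True
    return False

EXISTING = (LAN, REMOTE, None)     # current site-to-site phase 2
ROUTED = (OVPN, REMOTE, None)      # extra phase 2 for the OpenVPN network
NATTED = (OVPN, REMOTE, NAT_IP)    # extra phase 2 hidden behind a LAN IP
FW02 = [(LAN, REMOTE)]             # peer left unchanged

if __name__ == "__main__":
    # Constructed sample flow: OpenVPN client 172.16.0.10 to host 10.0.0.5.
    print(enters_tunnel("172.16.0.10", "10.0.0.5", [EXISTING]))
    print(peer_accepts(ROUTED, FW02, True))
    print(peer_accepts(ROUTED, FW02 + [(OVPN, REMOTE)], False))
    print(peer_accepts(NATTED, FW02, True), peer_accepts(NATTED, FW02, False))
```
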
-
@viragomann That Worked!
Thanks a lot