Netgate Discussion Forum

    Port Forward from OpenVPN to IPSEC

    3 Posts 2 Posters 302 Views
    Sysman

      Hi everyone,
      Here's the situation: I'm managing a pfSense instance configured with three interfaces - WAN, LAN (192.168.190.0/24), and an OpenVPN setup for roadwarrior clients (172.16.0.0/24 subnet) with routing to the LAN.

      I need to enable these OpenVPN clients to connect to a couple of hosts on a remote subnet (10.0.0.0/24), which is connected via IPsec Site-to-Site (S2S) between my pfSense and a firewall (let's call it FW02) owned by another company. Both 172.16.0.0/24 (OVPN) and 10.0.0.0/24 (IPsec) are connected to the LAN interface (192.168.190.0/24). There is no direct routing between OVPN and IPsec. I thought I could link some hosts between the two with a Port Forward on the LAN, but so far my configurations have been unsuccessful.
      Is a NAT/Port Forward feasible, or do I absolutely need to route the OVPN subnet through the IPsec tunnel?

      Can you please point me in the right direction?
      The scheme would be:
      OVPN -> LAN -> NAT/PAT -> IPSEC

      Thanks

        viragomann @Sysman

        @Sysman said in Port Forward from OpenVPN to IPSEC:

        I thought I could link some hosts between the two with a Port Forward on the LAN

        This might work if you also do masquerading on them. But this seems to be a dirty workaround.

        Is a NAT/Port Forward feasible or do I absolutely need to route OVPN subnet through the IPSEC?

        I assume you have a policy-based IPsec. So yes, it could be routed and NATed over an additional LAN host, but the clean solution is to add a phase 2 for the OpenVPN tunnel.

        If you cannot make changes to the remote site, you can try to NAT the traffic in an additional phase 2 to an IP out of the LAN subnet, but this isn't accepted by all IPsec implementations.

          Sysman @viragomann
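To make the reply concrete, here is an added Python model of the policy-based IPsec selector logic it describes. It is not pfSense code or anything from this thread: it represents each phase 2 entry as a local/remote selector pair (with pfSense's optional NAT/BINAT translation modelled as a single address), checks whether a packet from an OpenVPN client is covered by any selector, and compares the two fixes the reply offers: an extra phase 2 for 172.16.0.0/24 (which the remote side must also configure) versus a phase 2 that NATs the OpenVPN subnet to a LAN address (which fits the peer's existing selector). The subnets are the ones from the question; the host addresses and the NAT address 192.168.190.250 are assumptions, and the model cannot represent peers that reject the NATed proposal, which is the caveat in the reply.

```python
"""Policy-based IPsec selector check for the thread's scenario.

Added illustration, not pfSense code: models the traffic selectors a phase 2
entry installs and shows why the OpenVPN subnet never enters the tunnel until
a phase 2 covers it. Subnets are from the thread; host addresses and the NAT
address are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

LAN = IPv4Network("192.168.190.0/24")      # from the thread
OVPN = IPv4Network("172.16.0.0/24")        # road-warrior clients
REMOTE = IPv4Network("10.0.0.0/24")        # behind FW02

OVPN_CLIENT = IPv4Address("172.16.0.5")    # assumed sample addresses
LAN_HOST = IPv4Address("192.168.190.20")
REMOTE_HOST = IPv4Address("10.0.0.10")
NAT_ADDR = IPv4Address("192.168.190.250")  # assumed NAT/BINAT address inside the LAN range


@dataclass(frozen=True)
class Phase2:
    """One phase 2 entry: local and remote selectors plus an optional NAT
    address (pfSense's 'NAT/BINAT translation' field, modelled as one address)."""
    local: IPv4Network
    remote: IPv4Network
    nat: Optional[IPv4Address] = None

    def proposed_selector(self) -> Tuple[IPv4Network, IPv4Network]:
        """Selector pair offered to the peer. With NAT the peer is offered
        the translated address, not the real local network."""
        local_ts = IPv4Network(f"{self.nat}/32") if self.nat else self.local
        return local_ts, self.remote


def lookup_sa(src: IPv4Address, dst: IPv4Address, phase2s: List[Phase2]) -> Optional[Phase2]:
    """First phase 2 whose selector covers (src, dst), else None.
    Policy-based IPsec has no route into the tunnel: a packet with no
    matching selector simply follows the routing table."""
    for p2 in phase2s:
        if src in p2.local and dst in p2.remote:
            return p2
    return None


def describe(src: IPv4Address, dst: IPv4Address, phase2s: List[Phase2]):
    """Return (tunnelled?, source address the peer sees)."""
    p2 = lookup_sa(src, dst, phase2s)
    if p2 is None:
        return (False, None)
    return (True, p2.nat if p2.nat is not None else src)


def peer_accepts(p2: Phase2, peer_phase2s: List[Phase2]) -> bool:
    """True if the peer already has a phase 2 covering what we propose
    (its local/remote mirror our remote/local). Captures the reply's point
    that the NAT variant needs no change on FW02; it does not capture peers
    that reject a NATed proposal outright."""
    local_ts, remote_ts = p2.proposed_selector()
    return any(local_ts.subnet_of(pp.remote) and remote_ts.subnet_of(pp.local)
               for pp in peer_phase2s)


# Our side, in three configurations; FW02 stays as it is.
BASE = [Phase2(LAN, REMOTE)]                                   # as in the question
CLEAN = BASE + [Phase2(OVPN, REMOTE)]                          # extra phase 2 for OpenVPN
NAT_WORKAROUND = BASE + [Phase2(OVPN, REMOTE, nat=NAT_ADDR)]   # NAT inside a phase 2
PEER = [Phase2(REMOTE, LAN)]                                   # FW02's existing phase 2


if __name__ == "__main__":
    for name, cfg in (("base", BASE), ("clean", CLEAN), ("nat", NAT_WORKAROUND)):
        print(name, describe(OVPN_CLIENT, REMOTE_HOST, cfg),
              "peer accepts newest P2:", peer_accepts(cfg[-1], PEER))
```

Running it shows the three cases from the reply: with only the LAN phase 2 the OpenVPN client's packet matches nothing and never enters the tunnel; the extra phase 2 carries it with its real 172.16.0.5 source but needs a matching entry on FW02; the NAT phase 2 carries it as 192.168.190.250, which FW02's existing selector already covers.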

          @viragomann That worked!

          Thanks a lot ✌

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.