Netgate Discussion Forum

    4 peer to peer OPVN tunnels 1 IPSEC 1 Client OPVN tunnel issue to IPSEC

    Category: IPsec
    6 Posts, 2 Posters, 532 Views
    philip.abraham

      Hello all, I am hoping someone will be able to provide me insight into what I may need to look at. I currently have 1 main VPN FW where all my tunnels come into. 4 of my tunnels are peer to peer with pfSense boxes on each side, all using OVPN, and work great. All peer to peer networks can talk to each other and the clients behind them. I also have clients (iOS/Android devices connected to the main VPN FW); they can all also talk to each peer to peer tunnel and the devices behind them. I had to build an IPsec tunnel today as the device on the other end didn't support OpenVPN. The tunnel came up fine and my local pfSense main FW LAN can talk to anything on the IPsec tunnel, but none of my other peer to peer tunnels can, nor can my OVPN (iOS/Android) devices talk to the IPsec tunnel. I have put any/any rules on all OPT interfaces, OVPN and IPsec just to ensure it wasn't a rule issue, but still no luck. Any advice on what to check would be greatly appreciated.

      viragomann @philip.abraham

        @philip-abraham
        You would need to create an IPsec phase 2 for all the remote networks and the access server tunnel network. However, this also has to be done on the remote IPsec endpoint, but I suspect this is not under your control?
        Also you need to add the IPsec remote network to the OpenVPN configuration to add the routes properly.

        If you want to access a single device on the remote site, you can NAT the traffic. But if you need bidirectional access you have to configure full routing between all sites.

        philip.abraham @viragomann

          @viragomann I do actually currently have access to the remote device and should until it's configured. I think what you said clarifies it for me a bit. Thank you for the help. Will update.

        philip.abraham @viragomann

            @viragomann I actually changed the phase 2 settings to my OPT1 interface, which is where my Android and iOS clients connect, and it worked. So I think it's because I had it on LAN first and, to your point, I needed to create a phase 2 for all the other networks.

        viragomann @philip.abraham

              @philip-abraham
              Hint: If your subnets are consecutive or within a small range, you can cover them all with a single phase 2.

              Say
              LAN: 10.15.64.0/24
              P2P1: 10.15.68.0/24
              P2P2: 10.15.69.0/24
              P2P3: 10.15.70.0/24
              P2P4: 10.15.71.0/24
              VPN access server tunnel: 10.15.75.0/24

              So you could route them all with a single phase 2, where you state 10.15.64.0/20 as your site's network.

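Added example, not from the thread or from pfSense: it checks viragomann's supernet hint with Python's ipaddress module, computing the smallest single prefix that covers the listed subnets, the unused address space that such a wide phase 2 selector also sends into the tunnel, and whether the selector overlaps a remote network (192.0.2.0/24 is a placeholder for the remote side).

```python
import ipaddress

# Addressing plan from viragomann's post: LAN, four peer-to-peer networks
# and the OpenVPN access server tunnel network.
SITE_SUBNETS = [
    "10.15.64.0/24",   # LAN
    "10.15.68.0/24",   # P2P1
    "10.15.69.0/24",   # P2P2
    "10.15.70.0/24",   # P2P3
    "10.15.71.0/24",   # P2P4
    "10.15.75.0/24",   # VPN access server tunnel
]


def smallest_supernet(cidrs):
    """Smallest single prefix that contains every listed network."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    candidate = nets[0]
    # Widen the prefix one bit at a time until all networks fit inside it.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def uncovered_space(supernet, cidrs):
    """Blocks inside the supernet that none of the listed subnets use.

    A phase 2 selector this wide still routes these addresses into the
    tunnel, so they must not collide with networks on the remote side."""
    leftover = [ipaddress.ip_network(str(supernet))]
    for n in (ipaddress.ip_network(c) for c in cidrs):
        nxt = []
        for block in leftover:
            # address_exclude yields the pieces of `block` outside `n`
            nxt.extend(block.address_exclude(n) if n.subnet_of(block) else [block])
        leftover = nxt
    return sorted(ipaddress.collapse_addresses(leftover))


def selector_conflicts(local_cidr, remote_cidr):
    """True when the local selector overlaps the remote network (ambiguous routing)."""
    return ipaddress.ip_network(local_cidr).overlaps(ipaddress.ip_network(remote_cidr))


if __name__ == "__main__":
    sn = smallest_supernet(SITE_SUBNETS)
    print("single phase 2 local network:", sn)
    for block in uncovered_space(sn, SITE_SUBNETS):
        print("  covered but unused:", block)
    # placeholder remote network, constructed for the example
    print("overlaps remote 192.0.2.0/24?", selector_conflicts(sn, "192.0.2.0/24"))
```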
              philip.abraham @viragomann

                @viragomann Good Call

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.