Netgate Discussion Forum
    Openvpn routing issue

      jonnytabpni

      Hi Cry Havok,

      That's an interesting point.

      OK, so this is a bit of background on my setup.

      I have a dual WAN connected to my pfsense box. The openvpn clients have an outbound NAT rule which lets them use the web (when redirect-gateway is enabled) via the pfsense WAN interface. My pfsense WAN interface is using PPPoE.

      I have an OPT1 which is using a double NAT setup. I was trying to ping the modem-router in front of the OPT1 interface from my openvpn client (by pushing its route to my openvpn clients).

      So, shouldn't this be NATted correctly? The weird thing is that other machines (on the local network) which have firewall/NAT rules to make them go out the WAN interface can ping the modem-router in front of OPT1.

      If this doesn't make sense, please let me know and I'll post a drawing.

      Cheers

        jonnytabpni

        Does anybody have a solution to this?

        I can't route traffic from my openvpn client to a host connected via IPSEC at another site.

        I'm trying to do:

        [OpenVPN Client]----------->[pfsense1]------------->[pfsense2 connected via ipsec to pfsense1]

        If I try and ping a host connected locally to pfsense2 and try and use tcpdump, the packets aren't even reaching pfsense2, which leads me to believe that it is pfsense 1...

        P.S. You can safely ignore my previous post as it is over-complicated and I'm just trying something simpler now...

          jits

          :-\ You are not alone my friend. I have the same problem. In order for our client offices to use their business software, vpn must be able to cross networks to the license server. Sadly, when I ask about this, it's as if I've suddenly learnt to speak Chinese.

          I was using smoothwall IPSEC with OpenVPN for clients and could not get any joy.

          I am now playing with PFsense, but it looks like I'll have to wait for a stable release before I can get joy. So, in the meantime, I'm trying to do it with Vyatta, but I don't have that much time to type commands all day and night. I'm not loving it at all.

          I think the solution is more reading and either an IPSEC server for IPSEC clients or an OpenVPN server, site to site, plus OpenVPN clients.

          I really hate to say it, but either Microsoft or Cisco may already have a solution because they have the resources to think of these scenarios far into the future and besides enterprise and corporate clients have probably resolved such situations.

          And since I don't have the money or resources available to me, I get to sit down and scratch.

            jonnytabpni

            Hi jits,

            I'm just after setting up my openvpn server as a separate server and I'm STILL having the same problem.

            My setup now looks like:

            [openvpn client]------->[openvpn server]----------->[pfsense1 (with static route)]-----IPSEC------>[pfsense2 (with static route)]

            same problem occurs.

            I have noticed that pfsense1 isn't able to ping any hosts behind pfsense 2 (however hosts local to pfsense1 can…)

              jonnytabpni

              I think this boils down to the fact that the IPSEC interface seems to somewhat be "separate" from the static routing section...

              The fact that both pfsense shells can't ping hosts on the respective other side of the IPSEC vpn (nothing to do with the openvpn link) says something...

                Cry Havok

                OpenVPN != IPsec ;)

                It sounds like a routing problem and I'd suggest you read the OpenVPN documentation on the OpenVPN website. Problems like you're describing usually come down to routing problems.

                Is the pfSense host the default gateway for each network? If not, do the hosts know that they need to use the pfSense host as a route to the remote subnet? At the remote end, do the hosts know the route back?

                I use OpenVPN for remote access and tunnels.  By following the documentation I had no trouble getting it working.  If you haven't already read the documentation (How-To and FAQ in particular) on the OpenVPN site I'd suggest you do that now.

                  jonnytabpni

                  Hi Cry Havok,

                  I have read the OpenVPN docs and I can't find anything relating to this problem.

                  I think it is pfsense which has this problem with using static routes and IPSEC tunnels.

                  Basically, if you have a static route telling pfsense2's local network how to get back to the openvpn client, it just ignores it (or at least ignores some allow rule along the way...).

                  Is there any reason why the pfsense shell can't use the ipsec tunnel?

                  BTW what do you mean by IPSEC != Openvpn?

                  I know that they are completely different types of VPN. But if you look at my network diagram, I am trying to let an openvpn client access a host connected to the opposite end of an IPSEC tunnel :)

                  P.S. To answer your question, yes, a pfsense box (whether it be pfsense1 or pfsense2) is the default gateway for whichever respective network you are talking about.

                    jits

                    After the flood in the days of Noah, the Gods forbade their sons from sleeping with the daughters of man. Thus, mixing of their DNA with that of human DNA was and still is a very big no-no!

                    Then and therefore... IPSEC != OpenVPN. The Gods have forbidden it.

                    That's why I said either your solution will be an IPSEC server for IPSEC clients or it will be an OpenVPN server for OpenVPN clients.

                    Your network should look like this....

                    [LAN] --[PFSENSE OPENVPN SITE A]-- (Internet) --[PFSENSE OPENVPN SITE B]-- [LAN]

                    I believe after you set up the site to site OpenVPN tunnel, you'll have to setup another OpenVPN server tunnel for clients to connect…either to Site A or Site B, your choice.

                    That way, you should be able to push routes no problem between networks. Aside from that, my feeling is that IPSEC is not compatible with OpenVPN and we really ought to make it as simple as possible.

                    Now c'mon guys...do I really have to resort to something like Kerio Winroute or Wingate? These things do work, but it's just not the same.

                      jonnytabpni

                      Hi Jits,

                      You're saying replace my IPSEC tunnel with an openVPN site-to-site tunnel?

                        Cry Havok

                        OpenVPN is an SSL based VPN.  It isn't IPsec and doesn't work with IPsec endpoints.

                        Time to take baby steps ;)

                        1. Can pfSense1 ping the LAN interface of pfSense2?  What about the other way around?
                          a) If that doesn't work then your IPsec tunnel is the problem

                        2. Can a host on the pfSense1 LAN ping the LAN interface of pfSense2?  What about the other way around?
                          a) If that doesn't work then routing or firewall configuration is the problem

                          jonnytabpni

                          Hi Cry Havok,

                          I think you have misunderstood me.
                          I have a relatively good knowledge of VPNs and networking.

                          Where have I said that I have tried to connect an openvpn client to an ipsec endpoint?

                          My IPSEC tunnel works fine and has been for a year or so (hosts connected to pfsense1 can ping hosts connected to pfsense 2 and vice versa) - the only exception to this rule is that by logging into the shell of either pfsense box, the other LAN isn't reachable (but this is just "on the side").

                          My issue is simple:

                          I can't make my openvpn client ping a host connected to pfsense 2 (via routing through the ipsec tunnel)

                            jits

                            Right, so then it would make sense for you to set up a parallel VPN, if that's possible.

                            You've got IPSEC and that works fine; now it appears you'll have to set up OpenVPN site to site.
                            Then your OpenVPN clients should function, but what version of pfSense are you using?

                              Cry Havok

                              Does pfSense2 know how to route traffic back to the OpenVPN subnet(s)?  Remember, no NAT occurs on the OpenVPN interfaces so you have to ensure that the routes are known.

                                jonnytabpni

                                Hi Cry,

                                I'm honestly not sure how to use netstat properly on BSD (I can use "route" OK on Linux but pfsense is not Linux :D)

                                What is the command to check?

                                What is weird is that all hosts connected to pfsense2 use it as their default gateway and can access the other end of the IPSEC tunnel just fine. This is what beats me. I can only assume that it does know how (otherwise it wouldn't be able to help the other hosts) but I dunno...

                                :)

                                  jonnytabpni

                                  OK, I did a netstat -rn on pfsense2 (which has a local LAN subnet of 10.87.1.0/24):

                                  Internet:
                                  Destination        Gateway            Flags    Refs      Use  Netif Expire
                                  default            xx.xx.xx.xx         UGS         0 21657900    vr0
                                  10.87.1.0/24       link#4             UC          0        0    rl0
                                  10.87.1.1          00:00:b5:6b:d9:91  UHLW        1        0    lo0
                                  10.87.1.10         00:11:32:04:04:b7  UHLW        1      212    rl0    622
                                  10.87.1.21         00:50:ba:fb:ed:de  UHLW        1     3127    rl0    977
                                  10.87.1.22         00:1a:4d:53:f2:08  UHLW        1    30910    rl0   1052
                                  10.87.1.24         00:40:10:20:00:03  UHLW        1     8993    rl0    210
                                  10.87.10.0/24      10.87.10.2         UGS         0        0   tun0
                                  10.87.10.2         10.87.10.1         UH          1        0   tun0
                                  10.87.11.0/24      10.87.11.2         UGS         0    40016   tun1
                                  10.87.11.2         10.87.11.1         UH          1        0   tun1
                                  xx.xx.xx.x/22      link#3             UC          0        0    vr0
                                  xx.xx.xx.xx         00:06:2a:ce:38:01  UHLW        2       65    vr0    413
                                  xx.xx.xx.xx       127.0.0.1          UGHS        0        0    lo0
                                  127.0.0.1          127.0.0.1          UH          1   141721    lo0

                                  It appears that pfsense 1's LAN subnet (10.87.0.0/24) does not appear in the list. How would I add this? I just find it very strange that hosts using pfsense2 as a default gateway can reach pfsense1's subnet.

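An added example (not from the thread and not pfSense code) that makes the question in the post above concrete: it parses the posted netstat -rn table and performs the same longest-prefix lookup the kernel's forwarding path does, with the blanked-out ISP addresses replaced by constructed documentation-range addresses. A destination in 10.87.0.0/24 falls through to the default route on vr0, which is exactly what the table shows.

```python
import ipaddress

# Routing table constructed from the netstat -rn output posted above; the ISP
# addresses the poster blanked out are replaced with made-up 203.0.112.0/22 ones.
NETSTAT_RN = """\
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0 21657900    vr0
10.87.1.0/24       link#4             UC          0        0    rl0
10.87.1.1          00:00:b5:6b:d9:91  UHLW        1        0    lo0
10.87.1.22         00:1a:4d:53:f2:08  UHLW        1    30910    rl0   1052
10.87.10.0/24      10.87.10.2         UGS         0        0   tun0
10.87.10.2         10.87.10.1         UH          1        0   tun0
10.87.11.0/24      10.87.11.2         UGS         0    40016   tun1
10.87.11.2         10.87.11.1         UH          1        0   tun1
203.0.112.0/22     link#3             UC          0        0    vr0
127.0.0.1          127.0.0.1          UH          1   141721    lo0
"""

def parse_routes(text):
    """Parse BSD netstat -rn output into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] in ("Internet:", "Destination"):
            continue
        dest, gateway, flags, netif = fields[0], fields[1], fields[2], fields[5]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # a bare address is a host route; strict=False turns it into a /32
            net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, gateway, flags, netif))
    return routes

def lookup(routes, address):
    """Longest-prefix match: the most specific entry covering the address wins."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, gateway, flags, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, flags, netif)
    return best

def next_hop(routes, address):
    """Return (matched prefix, gateway, interface) as strings for a destination."""
    net, gateway, _flags, netif = lookup(routes, address)
    return (str(net), gateway, netif)
```

The LAN hosts' traffic to 10.87.0.0/24 is not forwarded by this table at all: pfSense's IPsec is policy-based, so packets matching the tunnel's security policy are diverted into the tunnel before the normal route is consulted, which is why no explicit route for the far subnet is needed for them.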
                                    Cry Havok

                                    Does the default gateway (that you've blanked out) know how to reach the pfSense1 subnet?  That would explain your last statement.

                                    As for adding it, do it through the pfSense GUI on pfSense2.  I'm nowhere near mine right now so can't provide pointers.

                                      jonnytabpni

                                      Hi Cry,

                                      No it doesn't. The one I've blanked out is the ISP's gateway (which is on pfsense 2's WAN).

                                      Still confused about how the other hosts connected to pfsense2 can reach the pfsense1 subnet.
