Openvpn routing issue
-
After the flood in the days of Noah, the Gods forbade their sons from sleeping with the daughters of man. Thus, mixing of their DNA with that of human DNA was and still is a very big no-no!
Then and therefore... IPSEC != OpenVPN. The Gods have forbidden it.
That's why I said either your solution will be IPSEC server for IPSEC clients or it will be OpenVPN Server for OpenVPN Clients.
Your network should look like this....
[LAN] --[PFSENSE OPENVPN SITE A]-- (Internet) --[PFSENSE OPENVPN SITE B]-- [LAN]
I believe after you set up the site to site OpenVPN tunnel, you'll have to set up another OpenVPN server tunnel for clients to connect... either to Site A or Site B, your choice.
That way, you should be able to push routes no problem between networks. Aside from that, my feeling is that IPSEC is not compatible with OpenVPN and we really ought to make it as simple as possible.
Now c'mon guys...do I really have to resort to something like Kerio Winroute or Wingate? These things do work, but it's just not the same.
-
Hi Jits,
You're saying replace my IPSEC tunnel with an OpenVPN site-site tunnel?
-
OpenVPN is an SSL based VPN. It isn't IPsec and doesn't work with IPsec endpoints.
Time to take baby steps ;)
-
Can pfSense1 ping the LAN interface of pfSense2? What about the other way around?
a) If that doesn't work then your IPsec tunnel is the problem
Can a host on the pfSense1 LAN ping the LAN interface of pfSense2? What about the other way around?
a) If that doesn't work then routing or firewall configuration is the problem
-
-
Hi Cry Halvok,
I think you have misunderstood me.
I have a relatively good knowledge of VPNs and networking. Where have I said that I have tried to connect an OpenVPN client to an IPsec endpoint?
My IPSEC tunnel works fine and has been for a year or so (hosts connected to pfsense1 can ping hosts connected to pfsense 2 and vice versa) - the only exception to this rule is that by logging into the shell of either pfsense box, the other LAN isn't reachable (but this is just "on the side").
My issue is simple:
I can't make my OpenVPN client ping a host connected to pfsense 2 (via routing through the IPSEC tunnel).
-
Right, so then it would make sense for you to set up a parallel VPN, if that's possible.
You've got IPSEC and that works fine, now it appears you'll have to set up OpenVPN site to site.
Then your OpenVPN clients should function, but what version of pfSense are you using?
-
Does pfSense2 know how to route traffic back to the OpenVPN subnet(s)? Remember, no NAT occurs on the OpenVPN interfaces so you have to ensure that the routes are known.
-
Hi Cry,
I'm honestly not sure how to use netstat properly on BSD (I can use "route" OK on Linux but pfSense is not Linux :D).
What is the command to check?
What is weird is that all hosts connected to pfsense2 use it as their default gateway and can access the other end of the IPSEC tunnel just fine. This is what beats me. I can only assume that it does know how (otherwise it wouldn't be able to help the other hosts) but I dunno...
:)
-
OK, I did a netstat -rn on pfsense2 (which has a local LAN subnet of 10.87.1.0/24):
Internet:
Destination Gateway Flags Refs Use Netif Expire
default xx.xx.xx.xx UGS 0 21657900 vr0
10.87.1.0/24 link#4 UC 0 0 rl0
10.87.1.1 00:00:b5:6b:d9:91 UHLW 1 0 lo0
10.87.1.10 00:11:32:04:04:b7 UHLW 1 212 rl0 622
10.87.1.21 00:50:ba:fb:ed:de UHLW 1 3127 rl0 977
10.87.1.22 00:1a:4d:53:f2:08 UHLW 1 30910 rl0 1052
10.87.1.24 00:40:10:20:00:03 UHLW 1 8993 rl0 210
10.87.10.0/24 10.87.10.2 UGS 0 0 tun0
10.87.10.2 10.87.10.1 UH 1 0 tun0
10.87.11.0/24 10.87.11.2 UGS 0 40016 tun1
10.87.11.2 10.87.11.1 UH 1 0 tun1
xx.xx.xx.x/22 link#3 UC 0 0 vr0
xx.xx.xx.xx 00:06:2a:ce:38:01 UHLW 2 65 vr0 413
xx.xx.xx.xx 127.0.0.1 UGHS 0 0 lo0
127.0.0.1 127.0.0.1 UH 1 141721 lo0

It appears that pfsense 1's LAN subnet (10.87.0.0/24) does not appear in the list. How would I add this? I just find it very strange that hosts using pfsense2 as a default gateway can reach pfsense1's subnet.
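The routing table above is the key piece of evidence in this thread, so here is an added example (not code from the thread or from pfSense) that parses netstat -rn output in this shape and performs the same longest-prefix lookup the kernel does. It shows why a packet for a 10.87.0.0/24 host falls through to the default route on vr0, while a packet for the OpenVPN subnets is sent into tun0/tun1. The sample table is constructed from the post above with the masked ISP addresses replaced by RFC 5737 documentation addresses; the function names are the example's own. Note also that on FreeBSD/pfSense a policy-based IPsec tunnel is matched by security policies rather than by routing-table entries, which is why it does not show up in netstat -rn even though hosts behind pfSense2 reach the far LAN through it.

```python
import ipaddress

# Constructed sample in the shape of the netstat -rn output posted above.
# 198.51.100.0/22 and 198.51.100.1 are placeholders for the masked ISP network
# and gateway (xx.xx.xx.xx on the page); the 10.87.x.x entries are from the post.
NETSTAT_OUTPUT = """\
Internet:
Destination        Gateway            Flags  Refs  Use       Netif Expire
default            198.51.100.1       UGS    0     21657900  vr0
10.87.1.0/24       link#4             UC     0     0         rl0
10.87.1.1          00:00:b5:6b:d9:91  UHLW   1     0         lo0
10.87.1.10         00:11:32:04:04:b7  UHLW   1     212       rl0   622
10.87.10.0/24      10.87.10.2         UGS    0     0         tun0
10.87.10.2         10.87.10.1         UH     1     0         tun0
10.87.11.0/24      10.87.11.2         UGS    0     40016     tun1
10.87.11.2         10.87.11.1         UH     1     0         tun1
198.51.100.0/22    link#3             UC     0     0         vr0
127.0.0.1          127.0.0.1          UH     1     141721    lo0
"""


def parse_routes(text):
    """Turn netstat -rn (BSD) output into a list of route dicts.

    Host entries (no prefix length) become /32 networks; 'default' becomes 0.0.0.0/0.
    The optional trailing Expire column is ignored.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] in ("Internet:", "Destination"):
            continue  # section header or column header
        dest, gateway, flags, netif = parts[0], parts[1], parts[2], parts[5]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # strict=False accepts entries whose host bits are not all zero
            net = ipaddress.ip_network(dest, strict=False)
        routes.append({"net": net, "gateway": gateway, "flags": flags, "netif": netif})
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route whose network contains dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        if addr in route["net"]:
            if best is None or route["net"].prefixlen > best["net"].prefixlen:
                best = route
    return best


def missing_routes(routes, subnets):
    """Return the subnets that would only be reachable via the default route.

    A remote LAN in this list means pfSense has no explicit path for it, so
    return traffic for that LAN leaves via the WAN default gateway instead.
    """
    missing = []
    for subnet in subnets:
        net = ipaddress.ip_network(subnet)
        best = lookup(routes, net.network_address)
        if best is None or best["net"].prefixlen == 0:
            missing.append(subnet)
    return missing


if __name__ == "__main__":
    table = parse_routes(NETSTAT_OUTPUT)
    for dst in ("10.87.0.5", "10.87.10.5", "10.87.1.10", "10.87.1.77"):
        r = lookup(table, dst)
        print(f"{dst:12} -> {str(r['net']):18} via {r['gateway']:18} on {r['netif']}")
    print("subnets with no explicit route:",
          missing_routes(table, ["10.87.0.0/24", "10.87.10.0/24", "10.87.11.0/24"]))
```

Running the script reports that 10.87.0.5 (a host on the pfSense1 LAN) matches only the default route on vr0, while 10.87.10.5 matches the tun0 route and 10.87.1.10 hits its own /32 ARP entry. That is the same conclusion the poster drew by eye: 10.87.0.0/24 has no explicit route on pfSense2, so anything the kernel routes (rather than IPsec policy) for that subnet heads for the ISP gateway.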
-
Does the default gateway (that you've blanked out) know how to reach the pfSense1 subnet? That would explain your last statement.
As for adding it, do it through the pfSense GUI on pfSense2. I'm nowhere near mine right now so can't provide pointers.
-
Hi Cry,
No it doesn't. The one I've blanked out is the ISP's gateway (which is on pfsense 2's WAN).
Still confused about how the other hosts connected to pfsense2 can reach the pfsense1 subnet