Netgate Discussion Forum
    Accessing IPsec branch office from an OpenVPN client

Cylindric:

      Hi, all.

      I have an IPsec VPN between HQ (10.10.0.0) and the Data Centre (172.17.12.0), and I have OpenVPN clients (10.0.9.0) that connect to HQ.

      The problem is that the OpenVPN users cannot currently access servers at the DC. Do I need to add a new Phase 2 config for the 10.0.9.x subnet that the OpenVPN clients are using?

HQ <--ipsec--> Data Centre
|
OpenVPN
|
Home

jimp (Rebel Alliance Developer, Netgate):

Yes, you need a Phase 2 on both ends of the IPsec tunnel to cover the 10.0.9.0/24 <-> 172.17.12.0/24 path.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

Derelict (LAYER 8, Netgate):

          And a:

          push "route 10.0.9.0 255.255.255.0"

          In the OpenVPN server config right?

          And firewall rules on the OpenVPN server interface that passes traffic to 10.0.9.0/24…

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

jimp:

            A pushed route would be for 172.17.12.0 - that may or may not be needed, depends on the client settings. If it's already forwarding everything across the VPN that wouldn't be necessary.

Derelict:

Of course I get the networks backwards. Thanks.

Cylindric:

                @jimp:

                Yes, you need a Phase 2 on both ends of the IPsec tunnel to cover the 10.0.9.0/24 <-> 172.17.12.0/24 path

Do I need a 2nd Phase 2 on the HQ end as well? That will be exactly the same as the existing one, as the DC end is all one subnet.

jimp:

                  A Phase 2 entry must be defined on both sides of an IPsec tunnel, so yes you'll need that P2 on both the HQ and DC routers

Cylindric:

But the HQ end is the same for both and I can't create two Phase 2s the same.

                    HQ            DC
                    10.10.0.0/24  172.17.12.0/24
                    10.0.9.0/24

jimp:

                      It's not the same.

                      On the HQ IPsec tunnel you will need:

                      10.10.0.0/24 to 172.17.12.0/24
                      10.0.9.0/24 to 172.17.12.0/24

                      On the DC IPsec tunnel you will need:

                      172.17.12.0/24 to 10.10.0.0/24
                      172.17.12.0/24 to 10.0.9.0/24

                      Each possible path for traffic on IPsec needs to be defined in a Phase 2.

Cylindric:

                        That's what I don't understand though. Here's what I have:

                        HQ End
                        Phase-I: The DC public IP
                        Phase-II: The DC private IP - 172.17.12.0/24 - there is no reference to the internal HQ IP range

                        DC End
                        Phase-I: The HQ public IP
                        Phase-II: The HQ private IP 10.10.0.0/24

                        So following on from what I have, the only place where I see a 10.10.0.0 where I might need to add a 10.0.9.0 is the DC's Phase-II. Everything about a second HQ Phase II would be the same as what's there already.

jimp:

                          You can have multiple Phase 2 entries per Phase 1

                          Just clone the existing P2 entry and change the network to refer to the OpenVPN subnet.

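A small model of what jimp describes above (a Phase 2 selector per path on both tunnel ends, and the "clone the existing P2 and change the network" step), plus the pushed-route point from earlier in the thread. This is an added example, not code from the thread or from pfSense; the subnets are the thread's, while the host addresses and helper names are constructed.

```python
# Added example (not from the thread or pfSense): a model of IPsec Phase 2
# traffic selectors on both tunnel ends, plus the OpenVPN client side, showing
# why the 10.0.9.0/24 <-> 172.17.12.0/24 path needs a cloned P2 on HQ *and* DC.
from ipaddress import ip_address, ip_network

# Phase 2 entries as (local subnet, remote subnet); one list per firewall.
HQ_P2 = [("10.10.0.0/24", "172.17.12.0/24")]
DC_P2 = [("172.17.12.0/24", "10.10.0.0/24")]

def clone_p2(entries, old, new):
    """'Clone the existing P2 and change the network': copy every entry that
    references `old` on either side and substitute `new` in the copy."""
    clones = [(new if l == old else l, new if r == old else r)
              for l, r in entries if old in (l, r)]
    return entries + clones

def mirror_p2(entries):
    """The P2 list the far end must carry: same pairs, local/remote swapped."""
    return [(r, l) for l, r in entries]

def selector_matches(entries, src, dst):
    """True if some entry's local subnet contains src and its remote contains dst."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(l) and d in ip_network(r) for l, r in entries)

def path_allowed(hq_p2, dc_p2, src, dst):
    """HQ must have a P2 selecting src->dst and the DC must hold the mirrored
    entry to accept it; the reply dst->src is checked the same way."""
    fwd = selector_matches(hq_p2, src, dst) and selector_matches(mirror_p2(dc_p2), src, dst)
    rev = selector_matches(dc_p2, dst, src) and selector_matches(mirror_p2(hq_p2), dst, src)
    return fwd and rev

def push_route(cidr):
    """OpenVPN server directive that hands the client a route for `cidr`."""
    net = ip_network(cidr)
    return f'push "route {net.network_address} {net.netmask}"'

def client_reaches(dst, redirect_gateway=False, pushed_routes=()):
    """OpenVPN client side: dst enters the tunnel only with redirect-gateway
    (all traffic) or a pushed route that covers dst."""
    return redirect_gateway or any(ip_address(dst) in ip_network(r) for r in pushed_routes)

def demo():
    src, dst = "10.0.9.5", "172.17.12.10"   # constructed: OpenVPN client -> DC server
    dc_fixed = clone_p2(DC_P2, "10.10.0.0/24", "10.0.9.0/24")  # second P2 on DC only
    hq_fixed = clone_p2(HQ_P2, "10.10.0.0/24", "10.0.9.0/24")  # "LAN" -> OpenVPN subnet
    return {"before": path_allowed(HQ_P2, DC_P2, src, dst),       # False
            "dc_only": path_allowed(HQ_P2, dc_fixed, src, dst),   # False
            "both": path_allowed(hq_fixed, dc_fixed, src, dst)}   # True

if __name__ == "__main__":
    print(demo(), push_route("172.17.12.0/24"))
```

The `dc_only` case is the state of the later screenshot: with the clone on the DC alone, HQ still has no selector for 10.0.9.0/24, so the path stays closed.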
Cylindric:

                            Aah, cool I'll try that. I was confused by the "you need a Phase 2 on both ends".

                            I'll try this.

                            I assume I'll have to push the 172.17.12.0/24 route to the OpenVPN clients too.

[attached image: screenshot.PNG]

jimp:

                              You do need the Phase 2 defined on both ends though - your screenshot only shows the second P2 on the DC, you also need that on HQ, just change "LAN" to the OpenVPN subnet.

                              And unless you have the OpenVPN client route all traffic across while connected, yes you'll need to push a route.

Cylindric:

                                It worked! Thank you for your patience! I didn't even think to change the "LAN" part of that config. I was kind of assuming that once you're VPN'd in, you're part of the LAN.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.