Netgate Discussion Forum

Accessing IPsec branch office from an OpenVPN client (OpenVPN category, 14 posts, 3 posters)
jimp (Rebel Alliance Developer, Netgate):

Yes, you need a Phase 2 on both ends of the IPsec tunnel to cover the 10.0.9.0/24 <-> 172.17.12.0/24 path.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!
Derelict (LAYER 8, Netgate):

And a:

    push "route 10.0.9.0 255.255.255.0"

In the OpenVPN server config right?

And firewall rules on the OpenVPN server interface that passes traffic to 10.0.9.0/24…

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
jimp (Rebel Alliance Developer, Netgate):

A pushed route would be for 172.17.12.0 - that may or may not be needed, depends on the client settings. If it's already forwarding everything across the VPN that wouldn't be necessary.
Derelict (LAYER 8, Netgate):

Of course I get the networks backwards. Thanks.
Cylindric:

@jimp:
    Yes, you need a Phase 2 on both ends of the IPsec tunnel to cover the 10.0.9.0/24 <-> 172.17.12.0/24 path

Do I need a 2nd Phase 2 on the HQ end as well? That will be exactly the same as the existing one, as the DC end is all one subnet.
jimp (Rebel Alliance Developer, Netgate):

A Phase 2 entry must be defined on both sides of an IPsec tunnel, so yes you'll need that P2 on both the HQ and DC routers.
Cylindric:

But the HQ end is the same for both and I can't create two Phase 2s that are the same.

HQ              DC
10.10.0.0/24    172.17.12.0/24
10.0.9.0/24
jimp (Rebel Alliance Developer, Netgate):

It's not the same.

On the HQ IPsec tunnel you will need:

    10.10.0.0/24 to 172.17.12.0/24
    10.0.9.0/24 to 172.17.12.0/24

On the DC IPsec tunnel you will need:

    172.17.12.0/24 to 10.10.0.0/24
    172.17.12.0/24 to 10.0.9.0/24

Each possible path for traffic on IPsec needs to be defined in a Phase 2.
Cylindric:

That's what I don't understand though. Here's what I have:

HQ End
Phase-I: The DC public IP
Phase-II: The DC private IP - 172.17.12.0/24 - there is no reference to the internal HQ IP range

DC End
Phase-I: The HQ public IP
Phase-II: The HQ private IP 10.10.0.0/24

So following on from what I have, the only place where I see a 10.10.0.0 where I might need to add a 10.0.9.0 is the DC's Phase-II. Everything about a second HQ Phase II would be the same as what's there already.
jimp (Rebel Alliance Developer, Netgate):

You can have multiple Phase 2 entries per Phase 1.

Just clone the existing P2 entry and change the network to refer to the OpenVPN subnet.
Cylindric:

Aah, cool I'll try that. I was confused by the "you need a Phase 2 on both ends".

I'll try this.

I assume I'll have to push the 172.17.12.0/24 route to the OpenVPN clients too.

(attachment: screenshot.PNG)
jimp (Rebel Alliance Developer, Netgate):

You do need the Phase 2 defined on both ends though - your screenshot only shows the second P2 on the DC, you also need that on HQ, just change "LAN" to the OpenVPN subnet.

And unless you have the OpenVPN client route all traffic across while connected, yes you'll need to push a route.
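The two rules jimp gives in this thread (every local/remote pair needs its own Phase 2, and the peer needs the mirror image of each one; plus a pushed route for the DC subnet unless the client already sends all traffic through the tunnel) are easy to check mechanically before touching the firewalls. The script below is an added example written for this thread, not code from the thread, from pfSense or from Netgate. It uses the thread's own subnets as constructed sample input and assumes Phase 2 entries are represented as (local network, remote network) pairs, which is how the pfSense Phase 2 form's "Local Network" and "Remote Network" fields read; the function and variable names are the example's own. The symmetry check reproduces the state in the screenshot post (second P2 on the DC only) and reports the HQ entry that was still missing.

```python
import ipaddress

# Constructed sample input taken from the thread's topology: HQ has its LAN
# plus the OpenVPN tunnel subnet, the DC has a single LAN.
HQ_NETWORKS = ["10.10.0.0/24", "10.0.9.0/24"]   # HQ LAN, OpenVPN tunnel network
DC_NETWORKS = ["172.17.12.0/24"]                # DC LAN


def _net(cidr):
    """Parse a CIDR string strictly so a host address (host bits set) is rejected early."""
    return ipaddress.ip_network(cidr, strict=True)


def _fmt(pairs):
    """Render a set of (local, remote) network pairs as sorted 'local -> remote' strings."""
    return [f"{local} -> {remote}" for local, remote in sorted(pairs)]


def required_phase2(local_nets, remote_nets):
    """Every local<->remote pair is one Phase 2 (traffic selector) on this side.

    The peer needs the mirror image of each entry (remote and local swapped).
    """
    pairs = {(_net(l), _net(r)) for l in local_nets for r in remote_nets}
    return _fmt(pairs)


def check_phase2_symmetry(hq_p2, dc_p2):
    """Report Phase 2 entries present on one end but not mirrored on the other.

    hq_p2 / dc_p2 are lists of (local_cidr, remote_cidr) tuples as configured
    on each firewall. A P2 that exists on only one end will never negotiate.
    """
    hq = {(_net(l), _net(r)) for l, r in hq_p2}
    dc = {(_net(l), _net(r)) for l, r in dc_p2}
    missing_on_hq = {(r, l) for l, r in dc} - hq
    missing_on_dc = {(r, l) for l, r in hq} - dc
    return {"missing_on_hq": _fmt(missing_on_hq),
            "missing_on_dc": _fmt(missing_on_dc)}


def openvpn_push_route(cidr, redirect_gateway=False):
    """Build the OpenVPN server 'push "route ..."' line for a remote subnet.

    OpenVPN takes a dotted netmask, not a prefix length. When the server
    already pushes redirect-gateway, clients send everything through the
    tunnel and no per-subnet route is needed, so None is returned.
    """
    if redirect_gateway:
        return None
    net = _net(cidr)
    return f'push "route {net.network_address} {net.netmask}"'


if __name__ == "__main__":
    print("HQ needs:", required_phase2(HQ_NETWORKS, DC_NETWORKS))
    print("DC needs:", required_phase2(DC_NETWORKS, HQ_NETWORKS))
    # The state from the screenshot post: second P2 added on the DC only.
    hq_configured = [("10.10.0.0/24", "172.17.12.0/24")]
    dc_configured = [("172.17.12.0/24", "10.10.0.0/24"),
                     ("172.17.12.0/24", "10.0.9.0/24")]
    print(check_phase2_symmetry(hq_configured, dc_configured))
    print(openvpn_push_route("172.17.12.0/24"))
```

Run it as-is to see the four entries jimp lists, the one HQ entry still missing in the screenshot state, and the push line for the OpenVPN server. The strict parse is deliberate: a Phase 2 whose local or remote network is typed with host bits set is a common reason two ends that look identical still fail to match.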
Cylindric:

It worked! Thank you for your patience! I didn't even think to change the "LAN" part of that config. I was kind of assuming that once you're VPN'd in, you're part of the LAN.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.