Netgate Discussion Forum
    Accessing IPsec branch office from an OpenVPN client

    OpenVPN
    • DerelictD
      Derelict LAYER 8 Netgate

      Of course I get the networks backwards.  Thanks.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • C
        Cylindric

        @jimp:

        Yes, you need a Phase 2 on both ends of the IPsec tunnel to cover the 10.0.9.0/24 <-> 172.17.12.0/24 path

        Do I need a 2nd Phase 2 on the HQ end as well? That will be exactly the same as the existing one, as the DC end is all one subnet.

        • jimpJ
          jimp Rebel Alliance Developer Netgate

          A Phase 2 entry must be defined on both sides of an IPsec tunnel, so yes, you'll need that P2 on both the HQ and DC routers.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • C
            Cylindric

            But the HQ end is the same for both, and I can't create two identical Phase 2 entries.

            HQ            DC
            10.10.0.0/24  172.17.12.0/24
            10.0.9.0/24

            • jimpJ
              jimp Rebel Alliance Developer Netgate

              It's not the same.

              On the HQ IPsec tunnel you will need:

              10.10.0.0/24 to 172.17.12.0/24
              10.0.9.0/24 to 172.17.12.0/24

              On the DC IPsec tunnel you will need:

              172.17.12.0/24 to 10.10.0.0/24
              172.17.12.0/24 to 10.0.9.0/24

              Each possible path for traffic on IPsec needs to be defined in a Phase 2.

              • C
                Cylindric

                That's what I don't understand though. Here's what I have:

                HQ End
                Phase-I: The DC public IP
                Phase-II: The DC private IP - 172.17.12.0/24 - there is no reference to the internal HQ IP range

                DC End
                Phase-I: The HQ public IP
                Phase-II: The HQ private IP 10.10.0.0/24

                So following on from what I have, the only place where I see a 10.10.0.0 where I might need to add a 10.0.9.0 is the DC's Phase-II. Everything about a second HQ Phase II would be the same as what's there already.

                • jimpJ
                  jimp Rebel Alliance Developer Netgate

                  You can have multiple Phase 2 entries per Phase 1.

                  Just clone the existing P2 entry and change the network to refer to the OpenVPN subnet.

                  • C
                    Cylindric

                    Aah, cool I'll try that. I was confused by the "you need a Phase 2 on both ends".

                    I'll try this.

                    I assume I'll have to push the 172.17.12.0/24 route to the OpenVPN clients too.

                    [Attachment: screenshot.PNG]
                    • jimpJ
                      jimp Rebel Alliance Developer Netgate

                      You do need the Phase 2 defined on both ends though. Your screenshot only shows the second P2 on the DC; you also need that on HQ, just change "LAN" to the OpenVPN subnet.

                      And unless you have the OpenVPN client route all traffic across while connected, yes you'll need to push a route.

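The Phase 2 matrix jimp describes (every local/remote pair needs its own P2 on each end, mirrored) and the asymmetry he spots in the screenshot (second P2 present on DC but missing on HQ) can be checked mechanically. The following is an added example, not code from the thread or from pfSense; the subnet values are the ones from this thread, and the P2 lists passed to `audit_p2` are constructed to reproduce the half-configured state.

```python
from ipaddress import ip_network

# Subnets from the thread: HQ has its LAN plus the OpenVPN tunnel subnet, DC has one LAN.
HQ_NETS = ["10.10.0.0/24", "10.0.9.0/24"]
DC_NETS = ["172.17.12.0/24"]


def _norm(pairs):
    """Normalise (local, remote) pairs to canonical CIDR strings so '10.0.9.0/24' == '10.0.9.1/24'."""
    return {(str(ip_network(l, strict=False)), str(ip_network(r, strict=False))) for l, r in pairs}


def required_p2(local_nets, remote_nets):
    """Every local<->remote path on this end of the tunnel needs its own Phase 2 (local, remote)."""
    return _norm((l, r) for l in local_nets for r in remote_nets)


def mirror(pairs):
    """What the far end must carry for the same traffic: local and remote swapped."""
    return {(r, l) for l, r in pairs}


def audit_p2(hq_p2s, dc_p2s):
    """Compare the two ends' P2 lists and report entries that exist on one side only."""
    hq, dc = _norm(hq_p2s), _norm(dc_p2s)
    return {
        "missing_on_hq": sorted(mirror(dc) - hq),
        "missing_on_dc": sorted(mirror(hq) - dc),
    }


def openvpn_push_routes(remote_nets):
    """OpenVPN server 'push route' lines so clients send the DC subnet into the tunnel."""
    return [f'push "route {ip_network(n).network_address} {ip_network(n).netmask}"' for n in remote_nets]


if __name__ == "__main__":
    # Constructed: state after the screenshot, second P2 added on DC only.
    hq_half = [("10.10.0.0/24", "172.17.12.0/24")]
    dc_full = [("172.17.12.0/24", "10.10.0.0/24"), ("172.17.12.0/24", "10.0.9.0/24")]
    print(audit_p2(hq_half, dc_full))  # shows the HQ-side entry still to be cloned
    print(openvpn_push_routes(DC_NETS))
```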
                      • C
                        Cylindric

                        It worked! Thank you for your patience! I didn't even think to change the "LAN" part of that config. I was kind of assuming that once you're VPN'd in, you're part of the LAN.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.