Netgate Discussion Forum

    Routing openVPN traffic through specific ipsec tunnels

    18 Posts 6 Posters 19.0k Views
    • Derelict (LAYER 8 Netgate)

      > thanks for the advice guys, I will try creating a second tunnel and see how I get on.

      You don't need a second tunnel. Just another route over the existing one.

      > I used to work for a large company which I believed had a good set-up

      Funny how a lot of Windows guys didn't know what an RFC was until it was too late.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • eblaster101

        I have had a look at old threads asking for the same thing and they all mention creating another tunnel. I have tried creating a second phase 2 tunnel, but it just fails to connect and for some reason the small play button near it won't appear.

        As soon as I change the phase 2 local network entry from LAN subnet to a manual network (10.0.8.0/24) the small play button disappears. I have entered the opposing entries on the Juniper.

        Derelict, if I upload the config, would you be able to tell me the route I need so I can try that?

        Thank you

        • Derelict (LAYER 8 Netgate)

          When I was talking about a route I was talking about another phase 2. Poor choice of words.


          • cmb

            You need that second phase 2 on both sides. You won't get a "start" button on the IPsec status page for any phase 2 where the firewall doesn't have a local IP on that subnet on an interface, as all that button does is trigger a ping to something within the remote subnet to cause the tunnel to attempt to negotiate. Just initiate some traffic from a client matching the additional P2 to bring it up.

            • eblaster101

              Thanks guys it worked! :)

              I added the second phase 2 as you said, added a manual route to the client's network on my desktop (connected via OpenVPN) and started pinging it, and it came up.

              Thank you for all your help, now I need to go change all these public addresses to private :(

              • treuss

                Hi everyone,

                We're currently building an OpenVPN infrastructure very similar to what @eblaster101 described initially.
                In our scenario, there are 5 networks and a number of road warriors who need VPN access to these 5 networks:

                192.168.75.0/24 is the network our road warriors will connect to via OpenVPN.
                192.168.220.0/24 is the OpenVPN tunnel network.

                192.168.71.0/24,
                192.168.72.0/24,
                192.168.73.0/24 and
                192.168.74.0/24 are connected to 192.168.75.0/24 using IPsec site-to-site tunnels.

                Here's a little sketch: https://db.tt/6V4SGVKi (the green line symbolizes the required access)

                We configured OpenVPN so routes to 192.168.7[1-4].0/24 will be pushed to the clients. On my client machine, I can see these routes, using the tun0 interface and 192.168.220.1 as gateway for the networks 192.168.7[1-4].0/24.
                OpenVPN itself works very well; I can reach addresses inside 192.168.75.0/24. What still doesn't work is reaching any address in one of the networks connected via IPsec, e.g. 192.168.72.1. Obviously, there's some issue between the OpenVPN target network 192.168.220.0/24 and the IPsec tunnels. We already configured Phase 2 of one of these IPsec tunnels, as described by @marvosa, in order to route 192.168.220.0/24, without success.

                Now, I'm wondering if there's still something we might have missed out. Any help is highly appreciated!

                Thomas

                • Derelict (LAYER 8 Netgate)

                  What are the firewall rules on your OpenVPN tab (Firewall > Rules, OpenVPN tab)?

                  Are there IPsec P2 entries for:

                  192.168.71.0/24 to 192.168.75.0
                  192.168.72.0/24 to 192.168.75.0
                  192.168.73.0/24 to 192.168.75.0
                  192.168.74.0/24 to 192.168.75.0


                  • treuss

                    Our Firewall currently allows any traffic on the OpenVPN tab. There are no limitations (except IPv4).
                    We left it this way when we ran into trouble accessing the other networks.

                    • Derelict (LAYER 8 Netgate)

                      You still need IPsec phase 2 entries in your IPsec for the OpenVPN destinations.


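The two points this thread converges on, a Phase 2 for the OpenVPN tunnel network that must exist on both ends, and cmb's note on when the IPsec status page "start" button appears, as an added example that is not code from the thread or from pfSense. The subnets are the ones posted; the per-side selector lists and the firewall addresses are constructed and assumed.

```python
from ipaddress import ip_address, ip_network

# Constructed sample from the subnets posted in this thread (an assumed layout,
# nobody's real config): pfSense has its LAN plus the OpenVPN tunnel network;
# the remote site (the Juniper in the thread) has one LAN reached over IPsec.
OPENVPN_TUNNEL = ip_network("192.168.220.0/24")
LOCAL_LAN = ip_network("192.168.75.0/24")
REMOTE_LAN = ip_network("192.168.72.0/24")

# Phase 2 traffic selectors per side, as (local, remote) pairs.
P2_BEFORE = {                    # LAN <-> remote LAN only: the failing setup
    "pfsense": [(LOCAL_LAN, REMOTE_LAN)],
    "remote":  [(REMOTE_LAN, LOCAL_LAN)],
}
P2_ONE_SIDED = {                 # extra P2 added on pfSense only
    "pfsense": [(LOCAL_LAN, REMOTE_LAN), (OPENVPN_TUNNEL, REMOTE_LAN)],
    "remote":  [(REMOTE_LAN, LOCAL_LAN)],
}
P2_BOTH = {                      # mirrored on both ends: the working setup
    "pfsense": [(LOCAL_LAN, REMOTE_LAN), (OPENVPN_TUNNEL, REMOTE_LAN)],
    "remote":  [(REMOTE_LAN, LOCAL_LAN), (REMOTE_LAN, OPENVPN_TUNNEL)],
}

def covered(selectors, src, dst):
    """True if some (local, remote) selector on this side covers src -> dst."""
    return any(src in local and dst in remote for local, remote in selectors)

def missing_sides(p2, src, dst):
    """Sides lacking a selector for src -> dst and for its reply dst -> src.

    Policy-based IPsec only sends a packet into the tunnel when a selector
    covers it, so the flow works only if the returned list is empty.
    """
    src, dst = ip_address(src), ip_address(dst)
    missing = []
    if not covered(p2["pfsense"], src, dst):
        missing.append("pfsense")
    if not covered(p2["remote"], dst, src):  # reply direction on the far end
        missing.append("remote")
    return missing

def start_button_shown(firewall_addrs, p2_local):
    """cmb's rule: the status page 'start' button pings from an address inside
    the P2's local subnet, so it only appears when the firewall has one."""
    return any(ip_address(a) in p2_local for a in firewall_addrs)

if __name__ == "__main__":
    for name, p2 in (("before", P2_BEFORE), ("one-sided", P2_ONE_SIDED), ("both", P2_BOTH)):
        print(name, "road warrior -> 192.168.72.1 missing on:",
              missing_sides(p2, "192.168.220.6", "192.168.72.1"))
```

The "one-sided" case is the situation where traffic enters the tunnel but never gets a reply, which is why the thread insists the second Phase 2 goes on both sides.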
                      • treuss

                        Problem solved. Routing works now very well. Thanks again to everyone for your help!  :)

                        ~~Hi,

                        sorry for the delay and thank you very much for the hint!
                        Just some hours ago we were able to ping machines behind the IPsec tunnel via OpenVPN. We accomplished it as you suggested by adding the appropriate rule in phase 2.

                        Now, unfortunately, we're facing a weird behaviour: as soon as there's traffic over the new (second) Phase 2 rule, the old (first) IPsec connection suddenly breaks and the target site is only reachable via OpenVPN.
                        Why is it that these two phase 2 rules seem to be mutually exclusive?

                        Best regards
                        Thomas~~

                        • Derelict (LAYER 8 Netgate)

                          You have IPsec and OpenVPN tunnels to the same sites?


                          • treuss

                            It was for sure not easy, but we finally got the stuff working thanks to your help. :)

                            • totalimpact

                              Can you give any notes on this setup? Did you need to create static routes on the remote IPsec routers to point to the OpenVPN subnet?

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.