Routing OpenVPN traffic through specific IPsec tunnels
-
You need that second phase 2 on both sides. You won't get a "start" button on the IPsec status page for any phase 2 where the firewall doesn't have a local IP on that subnet on an interface, as all that button does is trigger a ping to something within the remote subnet to cause the tunnel to attempt to negotiate. Just initiate some traffic from a client matching the additional P2 to bring it up.
-
Thanks guys, it worked! :)
I added the second phase 2 as you said, added a manual route to the client network on my desktop (connected via OpenVPN), started pinging it, and it came up.
Thank you for all your help; now I need to go change all these public addresses to private :(
-
Hi everyone,
we're currently building an OpenVPN infrastructure very similar to what @eblaster101 described initially.
In our scenario, there are 5 networks and a number of road warriors who need VPN access to these 5 networks:
192.168.75.0/24 is the network our road warriors will connect to via OpenVPN.
192.168.220.0/24 is the OpenVPN tunnel network.
192.168.71.0/24,
192.168.72.0/24,
192.168.73.0/24 and
192.168.74.0/24 are connected to 192.168.75.0/24 using IPsec site-to-site tunnels.
Here's a little sketch: https://db.tt/6V4SGVKi (the green line symbolizes the required access)
We configured OpenVPN so that routes to 192.168.7[1-4].0/24 are pushed to the clients. On my client machine, I can see these routes, using the tun0 interface and 192.168.220.1 as gateway for the networks 192.168.7[1-4].0/24.
OpenVPN itself works very well; I can reach addresses inside 192.168.75.0/24. What doesn't work so far is reaching any address in one of the networks connected via IPsec, e.g. 192.168.72.1. Obviously, there's some issue between the OpenVPN tunnel network 192.168.220.0/24 and the IPsec tunnels. We already configured Phase 2 of one of these IPsec tunnels, as described by @marvosa, in order to route 192.168.220.0/24, without success.
Now I'm wondering if there's still something we might have missed. Any help is highly appreciated!
Thomas
-
What are the firewall rules on your OpenVPN tab (Firewall > Rules, OpenVPN tab)?
Are there IPsec P2 entries for:
192.168.71.0/24 to 192.168.75.0
192.168.72.0/24 to 192.168.75.0
192.168.73.0/24 to 192.168.75.0
192.168.74.0/24 to 192.168.75.0
-
Our firewall currently allows any traffic on the OpenVPN tab. There are no limitations (except IPv4).
We left it this way when we ran into trouble accessing the other networks.
-
You still need IPsec phase 2 entries in your IPsec for the OpenVPN destinations.
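As an added illustration of the point made in this reply and in the first answer above (a phase 2 covering the OpenVPN tunnel network is needed on both ends of each IPsec tunnel, and the status-page start button only appears where the firewall can source a ping from inside the phase 2's local network), here is a small Python model of policy-based IPsec selector matching. It is example code written for this page, not from the thread or from pfSense; the subnets are the ones Thomas listed, while the 192.168.220.6 client address, the interface address list and the helper names (`match_p2`, `mirror`, `required_p2`, `check_path`, `can_autoinitiate`) are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

# A phase 2 entry, modelled as a (local network, remote network) pair of CIDR strings.
Selector = Tuple[str, str]

# Subnets from the thread. The client address and the interface list used in
# main() are constructed for this example.
HUB_LAN = "192.168.75.0/24"        # LAN behind the firewall terminating both VPNs
OVPN_NET = "192.168.220.0/24"      # OpenVPN tunnel network
REMOTE_SITES = ["192.168.71.0/24", "192.168.72.0/24",
                "192.168.73.0/24", "192.168.74.0/24"]


def match_p2(src: str, dst: str, selectors: Sequence[Selector]) -> Optional[Selector]:
    """First phase 2 whose local net contains src and whose remote net contains dst.

    Policy-based IPsec: a packet that matches no selector is never handed to the
    tunnel, so it follows the ordinary routing table (or is dropped) and the far
    side never sees it. None means exactly that.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in selectors:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return (local, remote)
    return None


def mirror(selectors: Sequence[Selector]) -> List[Selector]:
    """The far end's view of the same tunnel: local and remote swapped."""
    return [(remote, local) for local, remote in selectors]


def required_p2(hub_lan: str, ovpn_net: str, remote_sites: Sequence[str]) -> List[Selector]:
    """Hub-side phase 2 list: for every remote site, one entry for the LAN and one
    for the OpenVPN tunnel network (the second entry is the one the thread adds)."""
    return [(local, site) for site in remote_sites for local in (hub_lan, ovpn_net)]


def check_path(src: str, dst: str,
               hub_selectors: Sequence[Selector],
               remote_selectors: Sequence[Selector]) -> Dict[str, object]:
    """Simulate the request (hub -> site) and reply (site -> hub) selector lookups.

    Both legs must match: a phase 2 added only on the hub gets the request out,
    but the reply matches nothing on the site and never enters the tunnel.
    """
    forward = match_p2(src, dst, hub_selectors)
    reverse = match_p2(dst, src, remote_selectors)
    return {"forward": forward, "reverse": reverse,
            "ok": forward is not None and reverse is not None}


def can_autoinitiate(local_net: str, interface_addrs: Sequence[str]) -> bool:
    """Whether the firewall holds an interface address inside the phase 2's local net.

    The status-page start button just pings something in the remote network from
    such an address; with no address to source the ping from, there is no button.
    """
    net = ipaddress.ip_network(local_net)
    return any(ipaddress.ip_interface(a).ip in net for a in interface_addrs)


def main() -> None:
    client, target = "192.168.220.6", "192.168.72.1"   # constructed addresses
    lan_only = [(HUB_LAN, site) for site in REMOTE_SITES]
    full = required_p2(HUB_LAN, OVPN_NET, REMOTE_SITES)
    print("LAN-only P2 on both sides:", check_path(client, target, lan_only, mirror(lan_only)))
    print("OpenVPN P2 on hub only:   ", check_path(client, target, full, mirror(lan_only)))
    print("OpenVPN P2 on both sides: ", check_path(client, target, full, mirror(full)))
    print("Hub-side P2 entries needed:")
    for local, remote in full:
        print(f"  {local} <-> {remote}")
    # Constructed interface list: only a LAN address, tunnel network not on an interface.
    print("Start button for the OpenVPN P2:", can_autoinitiate(OVPN_NET, ["192.168.75.1/24"]))


if __name__ == "__main__":
    main()
```

Running it shows the asymmetry that bites in practice: with the OpenVPN phase 2 on the hub only, the request leaves the hub inside the tunnel, but the reply from the site matches no selector there and never comes back, which from the client's end looks exactly like a tunnel that is down. Only when both sides carry the mirrored pair does `check_path` report both legs matching.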
-
Problem solved. Routing works now very well. Thanks again to everyone for your help! :)
~~Hi,
sorry for the delay and thank you very much for the hint!
Just some hours ago we were able to ping machines behind the IPsec tunnel via OpenVPN. We accomplished it as you suggested by adding the appropriate rule in phase 2.
Now, unfortunately, we're facing a weird behaviour: as soon as there's traffic over the new (second) phase 2 rule, the old (first) IPsec connection suddenly breaks and the target site is only reachable via OpenVPN.
Why is it that these two phase 2 rules seem to be mutually exclusive?
Best regards
Thomas~~
-
You have IPsec and OpenVPN tunnels to the same sites?
-
It was for sure not easy, but we finally got the stuff working thanks to your help. :)
-
Can you give any notes on this setup? Did you need to create static routes on the remote IPsec routers to point to the OpenVPN subnet?
-