Client Export to OpenVPN Site to IPSec
-
I just added the 10.0.10.0/24 at site A (192.168.20.250) in the IPv4 Remote Networks like you said. Site A changed to:
```
Destination Gateway Flags Use Mtu Netif Expire
10.0.8.0/24 10.0.8.1 UGS 0 1500 ovpns1
10.0.8.1 link#7 UHS 0 16384 lo0
10.0.8.2 link#7 UH 0 1500 ovpns1
10.0.9.0/24 10.0.9.1 UGS 0 1500 ovpns2
10.0.9.1 link#8 UHS 0 16384 lo0
10.0.9.2 link#8 UH 139201 1500 ovpns2
10.0.10.0/24 10.0.8.2 UGS 0 1500 ovpns1
…
192.168.20.0/24 link#2 U 276518 1500 em1
192.168.20.250 link#2 UHS 0 16384 lo0
192.168.30.0/24 10.0.8.2 UGS 706 1500 ovpns1
```
Site B seems to remain the same:
```
Destination Gateway Flags Use Mtu Netif Expire
10.0.8.0 link#8 UHS 0 16384 lo0
10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
10.0.8.1 link#8 UH 0 1500 ovpnc1
10.0.9.0/24 10.0.8.1 UGS 493 1500 ovpnc1
10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
10.0.10.1 link#7 UHS 0 16384 lo0
10.0.10.2 link#7 UH 7764 1500 ovpns2
...
192.168.20.0/24 10.0.8.1 UGS 156 1500 ovpnc1
192.168.30.0/24 link#2 U 52051 1500 em1
192.168.30.250 link#2 UHS 0 16384 lo0
```
-
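Added example (not code from any poster in this thread): a small longest-prefix route lookup over the two `netstat -rn` style tables quoted above, used to confirm that the road-warrior flow is routable in both directions. It assumes FreeBSD's column order (Destination Gateway Flags Use Mtu Netif) and treats any `ovpn*` netif as a VPN tunnel; the table excerpts and the host 192.168.20.10 are constructed from the post.

```python
import ipaddress

# Constructed excerpts of the site A and site B tables quoted above (FreeBSD netstat -rn layout).
SITE_A = """\
10.0.8.0/24 10.0.8.1 UGS 0 1500 ovpns1
10.0.9.0/24 10.0.9.1 UGS 0 1500 ovpns2
10.0.10.0/24 10.0.8.2 UGS 0 1500 ovpns1
192.168.20.0/24 link#2 U 276518 1500 em1
192.168.30.0/24 10.0.8.2 UGS 706 1500 ovpns1
"""
SITE_B = """\
10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
10.0.9.0/24 10.0.8.1 UGS 493 1500 ovpnc1
10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
192.168.20.0/24 10.0.8.1 UGS 156 1500 ovpnc1
192.168.30.0/24 link#2 U 52051 1500 em1
"""

def parse_routes(table):
    """Return [(network, gateway, netif)] for each routable line; headers and '...' are skipped."""
    routes = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)  # host routes become /32
        except ValueError:
            continue  # header line or other non-address text
        routes.append((net, parts[1], parts[5]))
    return routes

def lookup(routes, host):
    """Longest-prefix match; returns (gateway, netif) or None when no route covers host."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, gw, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return None if best is None else (best[1], best[2])

def two_way_path(src_table, dst_table, src_host, dst_host):
    """Forward (src->dst) and return (dst->src) routes; 'routable' needs both to exit via ovpn*."""
    fwd = lookup(parse_routes(src_table), dst_host)
    back = lookup(parse_routes(dst_table), src_host)
    ok = all(r is not None and r[1].startswith("ovpn") for r in (fwd, back))
    return {"forward": fwd, "return": back, "routable": ok}

if __name__ == "__main__":
    # Mobile client 10.0.10.2 at site B talking to a host on site A's LAN.
    print(two_way_path(SITE_B, SITE_A, "10.0.10.2", "192.168.20.10"))
```

When both directions resolve to tunnel interfaces, as they do here, the routing table is not the blocker and the search moves to firewall rules, outbound NAT and what the OpenVPN server pushes to the client.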
The routing tables seem to be well now. Any success?
-
Unfortunately no success. I have the same result.
My mobile client at 10.0.10.0/24 will not be able to go to 192.168.20.0/24. Can only go to 192.168.30.0/24 (and IPSec tunnels).
I tried something out as well. I disabled the IPsec tunnels on Site B (192.168.30.250) but got the same result: I cannot go to 192.168.20.0/24.
What is funny is that if I RDP to a PC on 192.168.30.0/24, from inside that PC I can connect to all networks. Just the mobile client is the one with the problem.
No clue as to what to try next.
-
Okay, since routes and firewall rules are fine, maybe you have misconfigured the VPN interfaces. Have you assigned a particular interface to each OpenVPN instance (each server and client instance)? This is crucial for routing between multiple VPN instances.
If you haven't already, on both sites go to Interfaces > Assign, select a VPN instance under "Network port", click Add, then open the new interface and activate it. You can give it a meaningful name. Do this for each OpenVPN instance on both nodes. Now in Firewall > Rules the new interfaces are shown as separate tabs and you have to define the needed firewall rules there.
-
I can only do this at Site B (192.168.30.250) for the time being as my office is working now. Site A is the main VPN Server that connects to all the other offices, so I can't be testing configurations there. I will try this out in about 14 hours. For the time being, I have a few questions on this.
For Site B (192.168.30.250)
-
What should I configure on the OPT1 on IPv4 Configuration Type?
-
Should it be Static IPv4 with IP 10.0.10.250/24? 250 to be consistent with the other Sites.
-
Should the Gateway be set to None?
-
What should I configure on the OPT2 on IPv4 Configuration Type?
-
Should it be Static IPv4 with IP 10.0.8.250/24? 250 to be consistent with the other Sites.
-
Should the Gateway be set to None?
-
But if I set OPT2 to 10.0.8.250, what about the other sites? Will it matter to have the same IP at other sites?
Nonetheless, I have just set it up like this in Site B (192.168.30.250). But no success. Again the same result. :(
The routing table is now:
```
Destination Gateway Flags Use Mtu Netif Expire
10.0.8.0 link#8 UHS 0 16384 lo0
10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
10.0.8.1 link#8 UH 0 1500 ovpnc1
10.0.9.0/24 10.0.8.1 UGS 0 1500 ovpnc1
10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
10.0.10.1 link#7 UHS 0 16384 lo0
10.0.10.2 link#7 UH 1969 1500 ovpns2
…
192.168.20.0/24 10.0.8.1 UGS 231 1500 ovpnc1
192.168.30.0/24 link#2 U 260449 1500 em1
192.168.30.250 link#2 UHS 0 16384 lo0
```
So it is back to being the same. I ensured that the OPT1, OPT2 and OpenVPN firewall rules are all set up like this:
| Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule |
|---|---|---|---|---|---|---|---|
| IPv4 | * | * | * | * | * | * | none |

So this is awkward. :o
I am wondering if it will make a difference when I change Site A, as I have just made a bunch of changes in Site B achieving the same result. So I am wondering if I should play around with Firewall > NAT > Outbound mappings? Currently these are set to automatic and have two created:
| Interface | Source | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port | Description |
|---|---|---|---|---|---|---|---|---|
| WAN | 127.0.0.0/8, 192.168.30.0/24, 10.0.10.0/24, 10.0.8.0/24 | * | * | 500 | WAN address | * | | Auto created rule for ISAKMP |
| WAN | 127.0.0.0/8, 192.168.30.0/24, 10.0.10.0/24, 10.0.8.0/24 | * | * | * | WAN address | * | | Auto created rule |
-
There are no settings to be made in the interface config. Just activate and save it, no IP config. But it's recommended to give it a more meaningful name than "OPT1".
This gives pfSense the ability to handle the VPN interfaces separately instead of as an interface group. This doesn't cause any changes in the routing table.
It's also conceivable to do NAT on an OpenVPN interface at site B; maybe it's easier to solve this issue that way, but I would prefer the routing method because it's cleaner.
For troubleshooting you can use the packet capture tool of pfSense from the Diagnostics menu. Try to access a host in LAN A from a mobile VPN client connected to site B while you do a packet capture at site A's LAN interface. If you see nothing, try the site-to-site VPN interface. Since the routes are fine, the packets should arrive there.
-
Ok. So I have applied the Interface and Firewall (allow all) settings for both sites A and B. See screenshots attached for the confirmation. Weird how the MAINVPN tunnel is offline at Site A. Not sure if that is normal? But all is working from Site A to its connections.
On Site B (192.168.30.250), all seems to be ok in regards to all interfaces being online. Again, see screenshot. But now I have a new problem:
-
From the Mobile connection, I can't go to Site A (192.168.20.250). I can go to all IPsec sites without an issue and also to the 192.168.30.0/24 LAN.
-
From within the LAN connection, I can go to Site A (192.168.20.250) without an issue and of course also to the LAN 192.168.30.0/24. But I can no longer go to any IPsec Site even though the 20 tunnels are online. So we have gotten this as a new problem.
I have rebooted both sites' pfSenses to ensure there was nothing weird. I ensured that all routes worked from Site A to all other Sites. So I expect no issues in my working offices. No problem should be reported on Site A. Nevertheless, all here is pfSense with OpenVPN connecting to other OpenVPNs, so no issues are happening.
Seems that all the problem is at Site B. :o
I did try the packet capture. But not sure what you want me to report back.
![192.168.20.250 after.png](/public/imported_attachments/1/192.168.20.250 after.png)
![192.168.30.250 after.png](/public/imported_attachments/1/192.168.30.250 after.png)
-
Anyone has any clue on this?
-
Hi!
I hope I got your problem (I'm in a bit of a hurry ;) )
I've got a similar setup with OpenVPN-connected sites and users which needed to be routed into an IPsec subnet.
This is how it was solved:
-
Setup a gateway on LAN interface which points to the LAN interface IP
-
Create a route for the IPsec subnet which points to the LAN gateway
-
Define all subnets as phase 2 entries on the IPsec connection
-
Make sure the opposing side of the IPsec connection allows the incoming subnet you have.
This made it work for me. All OpenVPN road warriors and OpenVPN-connected site-to-site peers are able to get traffic routed through the IPsec tunnel.
Don't know if there is another way or solved differently on later versions. This config is on pfSense 2.2.4
Brgs,
-
Hi iorx,
The OpenVPN road warrior can go to all the LAN where it is connected to as well as all the IPsec tunnels. Where I have a problem is that the OpenVPN road warrior cannot go to other OpenVPN site-to-sites…
Regards,
Carlos