Route inbound WAN traffic to server on remote tunneled network
-
Traffic still has to match the P2 to enter or exit the tunnel, and the far side still has to send the replies back the way they entered. The only way to make that happen properly with tunneled IPsec is with a P2 for 0.0.0.0/0 to the device.
EDIT: And with VTI the far side still has to send the reply back the right way, which won't happen without something like
reply-toin pf which who knows if cradlepoint has anything like that. -
@johnpoz You may be right with the Cradlepoint not returning traffic, I haven't been able to get traffic to it yet to see. When i capture the IPSEC tunnel on the far end, i don't see any traffic unless i originate from the near end LAN.
-
I am probably in way over my head here, but would it be possible to use OpenVPN? I'm pretty sure you can accomplish the reverse route with an iroute statement in the client specific overrides on the server side.
-
@bfeitell I don't know much about OpenVPN, but I believe it takes a client app on the far end, correct? One of the limitations on this is that the device I'm trying to reach is a hardware device, not computer. So the router at the far end has to make the connection.
-
It works great on pfSense with OpenVPN on both ends, you can port forward across and on the remote side you can have an assigned OpenVPN interface which will send the replies back because
reply-toworks fine.But the remote here is a cradlepoint device so...
-
Pretty sure cradlepoints supports both openvpn as server or client.
https://knowledgebase.cradlepoint.com/articles/Support/Series-3-OpenVPN-Client-Server-Configuration -
@johnpoz said in Route inbound WAN traffic to server on remote tunneled network:
Pretty sure cradlepoints supports both openvpn as server or client.
https://knowledgebase.cradlepoint.com/articles/Support/Series-3-OpenVPN-Client-Server-ConfigurationSure but it would also need something like
reply-toor the replies will go back the wrong way (out the cradlepoint WAN) -
Not sure on that...
Couldn't you just have the cradlepoint bring up another ipsec tunnel to your other location?
-
@johnpoz The Cradlepoint is a MBR1200v1 ...unfortunately, it doesn't support the OpenVPN. I am checking into whether we can obtain an MBR1400. It sounds from reading through the VTI info that it would indeed function just like an interface. I need to continue experimenting with that and why I can't get the SAs to come up using VTI.
I'm guessing the reason "tunnel" mode won't route from the WAN is the SPD that is being written:
This is allowing traffic through the tunnel from my endpoint to the far endpoint provided it's source is 192.168.0.0/18.
-
what about just bring up another ipsec tunnel to the other location(s) that would need to access?
