OpenVPN client to remote IPsec network
-
OpenVPN clients -> pfSense -> IPsec remote network
LAN: 10.0.200.0/24
OpenVPN clients: 10.0.201.0/24
Remote IPsec network: 10.0.202.0/24
I have a pfSense router with OpenVPN and IPsec configured. I want OpenVPN clients (me, remotely working), to be able to access the remote IPsec network. But when I ping from an OpenVPN client to the IPsec remote network, the pings exit via the pfSense WAN interface with no encapsulation.
The IPsec connection is definitely working because I can access the remote IPsec network from local LAN IPs.
Both routers are pfSense. I have set up appropriate Phase 2 entries on both the local pfSense and the remote IPsec pfSense router. I've made sure the firewall rules pass the traffic.
I found documentation about IPsec and traffic from the firewall itself and how you need to do a trick to fake it out by setting up a gateway and static route to prevent packets from exiting via the WAN. Figuring this might apply to my situation too, I tried something like that solution, where destination 10.0.202.0/24 traffic is forwarded to a gateway set to the firewall's LAN IP 10.0.200.1, but this caused a routing loop with ICMP exceeded responses to the OpenVPN client.
Various threads around here make it sound like all that's required are the Phase 2 entries I set up, but it's not working for me.
One oddity I noticed that may provide a clue is that the IPsec Status > SPD tab on the local pfSense shows no entries for the OpenVPN 10.0.201.0/24 network, which isn't expected. But the IPsec remote pfSense does show the entries, as expected.
Any ideas?
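An added illustration (not from the thread or from pfSense itself) of what the empty SPD tab means: the kernel only encapsulates a packet if an outbound security policy's source/destination selectors contain it, otherwise the packet follows the normal routing table to the WAN in plaintext. The SPD tables below are constructed from the subnets in the question; the "missing" table assumes only the LAN Phase 2 got installed.

```python
import ipaddress

# Constructed SPD entries (source net, destination net, direction, policy),
# modelled on what IPsec Status > SPD lists; assumed for illustration.
SPD_MISSING_OVPN = [
    ("10.0.200.0/24", "10.0.202.0/24", "out", "ipsec"),
    ("10.0.202.0/24", "10.0.200.0/24", "in", "ipsec"),
]
# Same SPD after a Phase 2 for the OpenVPN subnet is installed.
SPD_WITH_OVPN = SPD_MISSING_OVPN + [
    ("10.0.201.0/24", "10.0.202.0/24", "out", "ipsec"),
    ("10.0.202.0/24", "10.0.201.0/24", "in", "ipsec"),
]

def lookup_policy(spd, src_ip, dst_ip, direction="out"):
    """Return the first SPD entry whose selectors contain the packet, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, d, policy in spd:
        if d != direction:
            continue
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return (src_net, dst_net, policy)
    return None

def egress(spd, src_ip, dst_ip):
    """'ipsec' when a policy catches the packet, else 'wan-plaintext' (default route)."""
    hit = lookup_policy(spd, src_ip, dst_ip)
    return "ipsec" if hit and hit[2] == "ipsec" else "wan-plaintext"

def missing_phase2(spd, local_nets, remote_net):
    """Local subnets with no outbound ipsec policy to remote_net, i.e. Phase 2s still to add."""
    remote = ipaddress.ip_network(remote_net)
    missing = []
    for net in local_nets:
        local = ipaddress.ip_network(net)
        covered = any(
            d == "out" and policy == "ipsec"
            and local.subnet_of(ipaddress.ip_network(s))
            and remote.subnet_of(ipaddress.ip_network(t))
            for s, t, d, policy in spd
        )
        if not covered:
            missing.append(net)
    return missing

if __name__ == "__main__":
    print(egress(SPD_MISSING_OVPN, "10.0.201.5", "10.0.202.10"))  # wan-plaintext
    print(missing_phase2(SPD_MISSING_OVPN, ["10.0.200.0/24", "10.0.201.0/24"], "10.0.202.0/24"))
```

Running it against the real box means comparing the SPD tab (or `setkey -DP` on the shell) with the list of local subnets that should reach 10.0.202.0/24; any subnet reported as missing will leave the WAN unencapsulated exactly as the question describes.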
-
@scurrier It's inexplicably working now. Maybe one of the NAT changes I made took after I tested it earlier. I will explore more later and see if I can report back on what the issue was.
-
The problem was indeed the NAT/BINAT setting in the associated phase 2. When I set it to a single IP address, the traffic exits the local pfSense via the WAN. When I set it to None, the tunnel works but without the NAT obviously. How do I enable NAT correctly here?