Netgate Discussion Forum

    OpenVPN client to remote IPsec network

    Category: IPsec
    3 posts, 1 poster, 387 views
    scurrier:

      OpenVPN clients -> pfSense -> IPsec remote network

      LAN: 10.0.200.0/24
      OpenVPN clients: 10.0.201.0/24
      Remote IPsec network: 10.0.202.0/24

      I have a pfSense router with OpenVPN and IPsec configured. I want OpenVPN clients (me, working remotely) to be able to access the remote IPsec network. But when I ping from an OpenVPN client to the IPsec remote network, the pings exit via the pfSense WAN interface with no encapsulation.

      The IPsec connection is definitely working because I can access the remote IPsec network from local LAN IPs.

      Both routers are pfSense. I have set up appropriate Phase 2 entries on both the local pfSense and the remote IPsec pfSense router. I've made sure the firewall rules pass the traffic.

      I found documentation about IPsec and traffic from the firewall itself and how you need to do a trick to fake it out by setting up a gateway and static route to prevent packets from exiting via the WAN. Figuring this might apply to my situation too, I tried something like that solution, where destination 10.0.202.0/24 traffic is forwarded to a gateway set to the firewall's LAN IP 10.0.200.1, but this caused a routing loop with ICMP exceeded responses to the OpenVPN client.

      Various threads around here make it sound like all that's required are the Phase 2 entries I set up, but it's not working for me.

      One oddity I noticed that may provide a clue is that the IPsec Status > SPD tab on the local pfSense shows no entries for the OpenVPN 10.0.201.0/24 network, which isn't expected. But the IPsec remote pfSense does show the entries, as expected.

      Any ideas?

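A small check for the symptom described in this post, added here as an example and not part of the original thread: it parses an SPD dump in the shape of `setkey -DP` (the sample is constructed with the thread's subnets; the tunnel endpoints 192.0.2.1 and 198.51.100.1 are made up, and the parser is illustrative because the exact dump layout varies by FreeBSD and strongSwan version) and tests whether a flow from an OpenVPN client to the remote network has a matching outbound policy. With policy-based IPsec a packet that matches no SPD selector is simply handed to the normal routing table, which is how a ping can leave via the WAN with no encapsulation.

```python
"""Does a flow have an outbound IPsec policy, or will it be routed in the clear?

Added example, not code from the forum thread or from pfSense. Addresses follow
the thread: LAN 10.0.200.0/24, OpenVPN clients 10.0.201.0/24, remote
10.0.202.0/24. Tunnel endpoints 192.0.2.1 and 198.51.100.1 are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed dump resembling `setkey -DP`: only the LAN subnet has Phase 2
# selectors, which is what the poster saw under IPsec Status > SPD.
SPD_LAN_ONLY = """\
10.0.200.0/24[any] 10.0.202.0/24[any] any
\tout ipsec
\tesp/tunnel/192.0.2.1-198.51.100.1/unique:1
\tspid=2 seq=1 pid=1234
\trefcnt=1
10.0.202.0/24[any] 10.0.200.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.1-192.0.2.1/unique:1
\tspid=1 seq=0 pid=1234
\trefcnt=1
"""

# The same dump once a Phase 2 for the OpenVPN client subnet is installed
# (constructed; mirror entries would also be needed on the remote side).
SPD_WITH_OPENVPN = SPD_LAN_ONLY + """\
10.0.201.0/24[any] 10.0.202.0/24[any] any
\tout ipsec
\tesp/tunnel/192.0.2.1-198.51.100.1/unique:2
\tspid=4 seq=3 pid=1234
\trefcnt=1
10.0.202.0/24[any] 10.0.201.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.1-192.0.2.1/unique:2
\tspid=3 seq=2 pid=1234
\trefcnt=1
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str            # "in", "out" or "fwd"
    action: str               # "ipsec", "discard" or "none"
    tunnel: Optional[str]     # "local-remote" ESP tunnel endpoints, if any


SELECTOR_RE = re.compile(r"^(\S+?)\[\S+\]\s+(\S+?)\[\S+\]\s+\S+$")
DIR_RE = re.compile(r"^(in|out|fwd)\s+(\w+)$")
TUNNEL_RE = re.compile(r"^esp/tunnel/([\d.]+)-([\d.]+)/")


def parse_spd(dump: str) -> List[Policy]:
    """Turn a setkey-style SPD dump into Policy records (one per selector)."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SELECTOR_RE.match(line)
        if m and not raw[0].isspace():
            # Unindented line: "src[port] dst[port] proto" starts a new policy.
            cur = Policy(ipaddress.ip_network(m.group(1), strict=False),
                         ipaddress.ip_network(m.group(2), strict=False),
                         "out", "none", None)
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur.direction, cur.action = m.group(1), m.group(2)
            continue
        m = TUNNEL_RE.match(line)
        if m:
            cur.tunnel = f"{m.group(1)}-{m.group(2)}"
    return policies


def find_policy(policies: List[Policy], src_ip: str, dst_ip: str,
                direction: str = "out") -> Optional[Policy]:
    """Return the most specific policy covering src->dst, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best: Optional[Policy] = None
    for p in policies:
        if p.direction != direction or src not in p.src or dst not in p.dst:
            continue
        # Longest combined prefix wins, mirroring kernel selector matching.
        if best is None or (p.src.prefixlen + p.dst.prefixlen) > (
                best.src.prefixlen + best.dst.prefixlen):
            best = p
    return best


def explain_flow(dump: str, src_ip: str, dst_ip: str) -> str:
    """Human-readable verdict for an outbound flow against the given SPD."""
    p = find_policy(parse_spd(dump), src_ip, dst_ip)
    if p is None or p.action != "ipsec":
        return (f"{src_ip} -> {dst_ip}: no outbound IPsec policy; the packet "
                f"is routed normally and leaves unencrypted")
    return f"{src_ip} -> {dst_ip}: matches {p.src} -> {p.dst}, ESP tunnel {p.tunnel}"


if __name__ == "__main__":
    for label, dump in (("LAN-only SPD", SPD_LAN_ONLY),
                        ("SPD with OpenVPN Phase 2", SPD_WITH_OPENVPN)):
        print(f"== {label}")
        print(explain_flow(dump, "10.0.200.10", "10.0.202.10"))
        print(explain_flow(dump, "10.0.201.5", "10.0.202.10"))
```

On a FreeBSD-based firewall the real kernel SPD comes from `setkey -DP`, and the same selectors are what pfSense lists under IPsec Status > SPD; the useful habit is to look for the OpenVPN client subnet as the local side of an outbound entry before chasing routes or NAT.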
      scurrier (replying to scurrier):

        @scurrier It's inexplicably working now. Maybe one of the NAT changes I made took after I tested it earlier. I will explore more later and see if I can report back on what the issue was.

        scurrier:

          The problem was indeed the NAT/BINAT setting in the associated phase 2. When I set it to a single IP address, the traffic exits the local pfSense via the WAN. When I set it to None, the tunnel works but without the NAT obviously. How do I enable NAT correctly here?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.