OpenVPN can't communicate with IPsec tunnel



  • So I'm having an issue with my network.
    I have an IPsec tunnel which works fine (192.168.40.0/24) with my local network (192.168.1.0/24).
    I have an OpenVPN which works (192.168.4.0/24).

    Now … when I use OpenVPN, I can access the local network.
    When I use the local network, I can access the IPsec tunnel,
    but I cannot access the IPsec tunnel when I use OpenVPN (i.e. from 192.168.4.2 -> 192.168.40.2).
    Firewall or permissions aren't the problem because I can see it being allowed. I think there is a routing issue or setting issue of some sort.

    Any help would be appreciated.


  • LAYER 8 Netgate

    Do you have an IPsec phase 2 entry for 192.168.4.0/24 <=> 192.168.40.0/24 on both ends of the IPsec tunnel?

    Do you have 192.168.40.0/24 listed as a local network on the OpenVPN server?



  • Yeah, I do have a phase 2 entry for 192.168.4.0/24 on the local end; the other end is in another state.
    I do recall it working at some point though, so I'm not sure that is the issue.

    And yeah, I have 192.168.40.0/24 listed as a local network on the OpenVPN server.

    I'm trying to get in touch with the other side of the IPsec to see if they will add my 192.168.4.0/24 for it to work. Do you think that is the problem?


  • LAYER 8 Netgate

    Without a phase 2 on the other side, traffic from there to your OpenVPN subnet will not be interesting to IPsec and will not be forwarded over the tunnel.
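
The point made in the reply above, as an added example (not code from the thread or from pfSense): a small Python model of phase 2 selector matching using the thread's subnets. The far end's entry list before the fix is an assumption based on the poster's description, and 192.168.1.10 is a constructed LAN host address.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

# Phase 2 entries per gateway as (local subnet, remote subnet).
# Subnets are the thread's; which entries exist on the far end is an assumption.
LOCAL_END = [
    (net("192.168.1.0/24"), net("192.168.40.0/24")),   # LAN <=> remote site
    (net("192.168.4.0/24"), net("192.168.40.0/24")),   # OpenVPN <=> remote site
]
REMOTE_END_BEFORE = [(net("192.168.40.0/24"), net("192.168.1.0/24"))]
REMOTE_END_AFTER = REMOTE_END_BEFORE + [
    (net("192.168.40.0/24"), net("192.168.4.0/24")),   # mirrored OpenVPN entry
]

NEAR_MISSING = "near end has no phase 2 entry for this flow"
FAR_MISSING = "far end has no phase 2 entry for the return traffic"
OK = "ok"

def selects(phase2, src, dst):
    """True if a packet src -> dst leaving this gateway matches one of its entries."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in phase2)

def check_flow(near, far, src, dst):
    """Check a flow started behind the near gateway in both directions."""
    if not selects(near, src, dst):
        return NEAR_MISSING
    # Replies travel dst -> src and are matched against the far end's entries.
    if not selects(far, dst, src):
        return FAR_MISSING
    return OK

if __name__ == "__main__":
    cases = [
        ("LAN host, far end unchanged", REMOTE_END_BEFORE, "192.168.1.10"),
        ("OpenVPN client, far end unchanged", REMOTE_END_BEFORE, "192.168.4.2"),
        ("OpenVPN client, far end updated", REMOTE_END_AFTER, "192.168.4.2"),
    ]
    for label, far, src in cases:
        print(f"{label}: {check_flow(LOCAL_END, far, src, '192.168.40.2')}")
```
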



  • Do you think it would be a good idea to assign a 192.168.1.0/24 address to OpenVPN in order to get around this, so that OpenVPN traffic will appear as local traffic?
    Whenever I try to assign static IPs to OpenVPN, it won't communicate with anything.
    Am I missing something or is it not possible?


  • LAYER 8 Netgate

    Since you asked what I think, I think if you want IPsec traffic over an IPsec tunnel the proper solution is to get the correct Phase 2 entries in place.

    Else you would have to bridge a tap-mode OpenVPN instance which you might be able to get to work but is not a recommended configuration.



  • Just got it done. After 2 weeks of pulling my hair out. IT IS WORKING

    Thanks heaps for your expertise. Need to shoot you a pack of Tim Tams ;)



  • Dear sir, can you explain how you did it?
    Please.
    Many thanks.

