Netgate Discussion Forum

    OpenVPN client talking to IPSec tunnels?

    Category: IPsec
    8 Posts 3 Posters 5.2k Views
    • peffyes

      I have a pfsense box that has 10 IPsec tunnels to other networks. From the local LAN segment, I can access any machine on any of those 10 IPsec tunnels.

      There is also an OpenVPN server configured on that pfsense box that I use to connect when I'm traveling. It works perfectly for talking to any machine on the LAN. However, I need to also access the machines on the IPsec tunnels from the OpenVPN connection.

      What's the trick to making that work?

      • Derelict (LAYER 8, Netgate)

        Add the remote IPsec networks to Local networks in the OpenVPN server so the client knows to route them over OpenVPN. This is unnecessary if you are pushing a default gateway (Redirect gateway checked).

        Create IPsec Phase 2 entries between the IPsec networks and the OpenVPN tunnel network.

        As always, make sure firewall rules pass the traffic.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • peffyes

          I was scratching my head a little over adding the remote IPsec networks to local networks in OpenVPN. Apparently when you try to edit an existing OpenVPN network through the UI, the Local Network fields are not presented…

          ???

          I'll just build a new one for testing...

          • peffyes

            I decided not to worry about the OpenVPN config for now, since I push a default gateway. Connected OpenVPN clients happily try to connect to IP addresses on the remotely connected IPsec network. According to the firewall logs, the traffic is being passed out to the IPsec net.

            Strictly for testing purposes, I added a rule to the firewall on the IPsec tab that allows any to any.

            I'm unable to get anything back; not even an indication that the firewall is denying the traffic. I messed about with adding a P2 entry for the /24 used by the OpenVPN network, but no joy. Since I have no idea what to use for the Phase 2 key exchange, I duplicated one of the existing P2 entries and modified the local network to point to the /24 used by OpenVPN.

            I talked to our Cisco guy; he doubted it would work. Some kind of trickery required or some such.

            Currently I don't have access to any device on the remote network that I can use to do any testing from that side. Oh well… Will have to pick this up later I guess.

            • mesro09

              Hi everybody,
              is there anyone who could send config screen photos, please?
              I am trying to do the same as that.
              I have an IPsec tunnel from 192.168.30.0/24 (pfSense) to 192.168.10.0/24 (TP-Link).
              I have an OpenVPN tunnel 192.168.14.0/28 on the side of 192.168.30.0/24 (here I have pfSense).
              So when I connect with OpenVPN I can communicate with all of the network 192.168.30.0/24, but I want to communicate also with the remote network of the IPsec. Is it possible?
              Many thanks to everybody for helping me to solve this.

              • Derelict (LAYER 8, Netgate)

                You need to add a Phase 2 on your IPsec that passes traffic between 192.168.14.0/24 on the pfSense side and 192.168.10.0/24 on the TP-Link side. This will need to be done on both sides, just like between 192.168.30.0/24 and 192.168.10.0/24.

                You need to add 192.168.10.0/24 as a local network on the OpenVPN server so it is pushed to the clients and they know to send traffic for that network over OpenVPN.

                Then make sure all the firewall rules pass the necessary traffic.


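Both of Derelict's replies (the general one above and this concrete one) describe the same three settings. As an added example, not code from this thread or from pfSense, the following Python models the Phase 2 selector check behind the second step, using the networks mesro09 posted (192.168.30.0/24 LAN, 192.168.14.0/28 OpenVPN tunnel, 192.168.10.0/24 behind the TP-Link) and invented function names. It shows why a packet from an OpenVPN client misses the tunnel when only the LAN has a Phase 2 entry, lists the entries each end needs once the tunnel network is added as a second local selector, and prints the push directives that the Local network(s) and Redirect gateway settings turn into for the client.

```python
# Added example (not from the thread or from pfSense): models the Phase 2
# selector matching that decides whether a packet from an OpenVPN client is
# carried by the IPsec tunnel, and derives the settings Derelict lists.
# Network numbers are the ones mesro09 posted; function names are invented.
from ipaddress import ip_address, ip_network
from itertools import product

LAN = ip_network("192.168.30.0/24")             # pfSense LAN
OVPN_TUNNEL = ip_network("192.168.14.0/28")     # OpenVPN tunnel network
IPSEC_REMOTE = [ip_network("192.168.10.0/24")]  # networks behind the IPsec peer(s)


def phase2_entries(local_nets, remote_nets):
    """Phase 2 entries pfSense needs: one (local, remote) selector pair for every
    combination of a local network and a remote network."""
    return list(product(local_nets, remote_nets))


def peer_entries(entries):
    """The mirror image the far end (the TP-Link here) must carry."""
    return [(remote, local) for local, remote in entries]


def selector_match(entries, src, dst):
    """Kernel-style policy lookup: a packet goes into the tunnel only if some
    entry's local selector contains src AND its remote selector contains dst.
    Without such an entry the firewall may pass the packet, but it never
    enters the tunnel and nothing comes back."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in local and dst in remote for local, remote in entries)


def uncovered_remotes(entries, tunnel_net, remote_nets):
    """Remote networks that no Phase 2 entry connects to the OpenVPN tunnel net."""
    return [r for r in remote_nets
            if not any(tunnel_net.subnet_of(local) and r.subnet_of(remote)
                       for local, remote in entries)]


def openvpn_push_routes(local_networks, redirect_gateway=False):
    """OpenVPN 'push' directives produced by the server's Local network(s)
    field, or by Redirect gateway (which makes the per-network routes moot)."""
    if redirect_gateway:
        return ['push "redirect-gateway def1"']
    return [f'push "route {n.network_address} {n.netmask}"' for n in local_networks]


if __name__ == "__main__":
    client, remote_host = "192.168.14.2", "192.168.10.5"   # constructed addresses
    # Before: only LAN <-> remote is defined, the state peffyes describes.
    before = phase2_entries([LAN], IPSEC_REMOTE)
    print("client -> remote with LAN-only P2:", selector_match(before, client, remote_host))
    print("remotes with no P2 for the tunnel net:",
          [str(n) for n in uncovered_remotes(before, OVPN_TUNNEL, IPSEC_REMOTE)])
    # After: the tunnel network becomes a second local selector, on both ends.
    after = phase2_entries([LAN, OVPN_TUNNEL], IPSEC_REMOTE)
    for local, remote in after:
        print(f"pfSense P2  local={local} remote={remote}")
    for local, remote in peer_entries(after):
        print(f"TP-Link P2  local={local} remote={remote}")
    print("client -> remote:", selector_match(after, client, remote_host))
    print("reply matches on peer:", selector_match(peer_entries(after), remote_host, client))
    for line in openvpn_push_routes([LAN] + IPSEC_REMOTE):
        print(line)
```

Run it directly to see the before/after comparison. For the third step (firewall rules), keep in mind that pfSense evaluates rules on the interface where traffic enters: a connection started by an OpenVPN client hits the OpenVPN tab, while the IPsec tab governs connections started from the far side, so a permissive rule on only one of those tabs does not cover both directions of initiation.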
                • mesro09

                  Thanks for the reply, and sorry for my poor English.
                  Can you see my attached photos?
                  Like this:

                  Attachments: second phase ipsec.jpg, remote side networkopen vpn.jpg, tplink second phase for openvpn comunication.jpg, IPSEC AND OPENVPN DEFAULT PASSRULES.jpg

                  • mesro09

                    After applying everything in the screen captures,
                    I restarted both sides and it is working.
                    Please, I would like the administrator of this forum to lock this topic, for whoever needs help with the same subject in the future.
                    Thanks, Derelict.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.