Client Export to OpenVPN Site to IPSec
-
Hi,
I am not sure what I am doing wrong. I have have 2 pfsense boxes connected site-to-site working well like so:
pfsense A 192.168.20.250 for SITES:
Server Mode: Peer to peer SSL/TLS
Protocol: UDP
Device mode: tun
Interface: WAN
Local Port: 1194
Tunnel: 10.0.8.0/24
Local Networks: 192.168.20.0/24
Custom Options: route 192.168.30.0 255.255.255.0; push "route 192.168.30.0 255.255.255.0";pfsense A 192.168.20.250 for MOBILE CLIENTS:
Server Mode: Peer to peer SSL/TLS
Protocol: UDP
Device mode: tun
Interface: WAN
Local Port: 1190
Tunnel: 10.0.9.0/24
Local Networks: 192.168.20.0/24
Custom Options: route 192.168.30.0 255.255.255.0; push "route 192.168.30.0 255.255.255.0";
pfsense B 192.168.30.250 to connect to SITE:
Server Mode: Peer to peer SSL/TLS
Protocol: UDP
Device mode: tun
Interface: WAN
Server Host: pfsense A WAN IP
Server Port: 1194
Tunnel: 10.0.8.0/24
Remote Networks: 192.168.20.0/24
Custom Options: route 192.168.20.0 255.255.255.0; push "route 192.168.20.0 255.255.255.0";pfsense B 192.168.30.250 for MOBILE CLIENTS:
Server Mode: Peer to peer SSL/TLS
Protocol: UDP
Device mode: tun
Interface: WAN
Local Port: 1190
Tunnel: 10.0.10.0/24
Local Networks: 192.168.20.0/24
Custom Options: route 192.168.20.0 255.255.255.0; push "route 192.168.20.0 255.255.255.0";Additionally I have an IPSec tunnel like so:
Key Exchange: V1
Protocol: IPv4
Interface: WAN
Remote Gateway: Sonicwall X WAN IP
with 2 phases:- 192.168.30.0/24 to 10.5.0.0/24
- 10.0.10.0/24 to 10.5.0.0/24
When I am on a PC on site A (192.168.20.0/24) I can go to Site B (192.168.30.0/24) and cannot go to the IPSec site (10.5.0.0/24). This works just as expected.
When I am on a mobile connection to site A (192.168.20.0/24) I can go to Site B (192.168.30.0/24) and cannot go to the IPSec site (10.5.0.0/24). This works just as expected.
When I am on a PC on site B (192.168.30.0/24) I can go to Site A (192.168.20.0/24) and can go to the IPSec site (10.5.0.0/24). This works just as expected.
When I am on a mobile connection to site B (192.168.30.0/24) I CANNOT go to Site A (192.168.20.0/24) and can go to the IPSec site (10.5.0.0/24). I am glad I can go to the IPSec site but I need to get to site A (192.168.20.0/24). THIS IS MY MAIN PROBLEM.
Any ideas will be greatly appreciated on how to fix this.
Thanks,
Carlos
-
Hi,
Sorry. I am new to the forums and just realized I had posted with a lock. I have unlocked the post now.Hope someone can help with this issue.
Thanks!
Carlos
-
Edit the sites A site-to-site config and add 10.0.10.0/24 to the "Remote network/s".
-
Thanks for the reply viragomann!
I added 10.0.10.0/24 to the Remote Networks box on Site A. Also tried adding under Site A custom options:
route 10.0.10.0 255.255.255.0; push "route 10.0.10.0 255.255.255.0";
I did combinations and reboot of the OpenVPN Service. But it didn't work. The mobile connection to Site B can go to IPSec but CANNOT go to Site A.
-
So the routes should be set correctly now. But to ensure, check it at the mobile client and also at site A pfSense.
Also ensure that firewall rules allow the access at both sites from 10.0.10.0/24 to 192.168.20.0/24.
-
Nope. Can't get it working yet. Here are the Routing tables from pfsense B (192.168.30.250)
Destination Gateway Flags Use Mtu Netif Expire
default x.x.x.97 UGS 3139593 1500 em0
10.0.8.0 link#8 UHS 0 16384 lo0
10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
10.0.8.1 link#8 UH 0 1500 ovpnc1
10.0.9.0/24 10.0.8.1 UGS 1649 1500 ovpnc1
10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
10.0.10.1 link#7 UHS 0 16384 lo0
10.0.10.2 link#7 UH 6444 1500 ovpns2
x.x.x.96/27 link#1 U 1045333 1500 em0
x.x.x.116 link#1 UHS 0 16384 lo0
x.x.x.117 link#1 UHS 0 16384 lo0
127.0.0.1 link#6 UH 0 16384 lo0
192.168.4.0/24 10.0.8.1 UGS 0 1500 ovpnc1
192.168.5.0/24 10.0.8.1 UGS 115 1500 ovpnc1
192.168.6.0/24 10.0.8.1 UGS 76 1500 ovpnc1
192.168.7.0/24 10.0.8.1 UGS 0 1500 ovpnc1
192.168.20.0/24 10.0.8.1 UGS 456 1500 ovpnc1
192.168.30.0/24 link#2 U 1273500 1500 em1
192.168.30.250 link#2 UHS 0 16384 lo0
192.168.40.0/24 10.0.8.1 UGS 0 1500 ovpnc1And here are for pfsense A (192.168.20.250)
Destination Gateway Flags Use Mtu Netif Expire
0.0.0.0/32 10.0.8.2 UGS 0 1500 ovpns1
default x.x.x.97 UGS 1762959 1500 em0
10.0.8.0/24 10.0.8.1 UGS 0 1500 ovpns1
10.0.8.1 link#7 UHS 0 16384 lo0
10.0.8.2 link#7 UH 0 1500 ovpns1
10.0.9.0/24 10.0.9.1 UGS 0 1500 ovpns2
10.0.9.1 link#8 UHS 0 16384 lo0
10.0.9.2 link#8 UH 267514 1500 ovpns2
10.0.10.0/24 10.0.9.2 UGS 2994 1500 ovpns2
x.x.x.x/27 link#1 U 937740 1500 em0
x.x.x.115 link#1 UHS 0 16384 lo0
127.0.0.1 link#6 UH 0 16384 lo0
192.168.4.0/24 10.0.8.2 UGS 41 1500 ovpns1
192.168.5.0/24 10.0.8.2 UGS 473 1500 ovpns1
192.168.6.0/24 10.0.8.2 UGS 479 1500 ovpns1
192.168.7.0/24 10.0.8.2 UGS 195 1500 ovpns1
192.168.20.0/24 link#2 U 1453072 1500 em1
192.168.20.250 link#2 UHS 0 16384 lo0
192.168.30.0/24 10.0.8.2 UGS 1905 1500 ovpns1
192.168.40.0/24 10.0.8.2 UGS 0 1500 ovpns1I also checked the firewall in both firewalls. And I have an identical rules at both like so:
IPv4 * * * * * * none
Still no clue why it doesn't work. But hopefully the routing tables will provide you with a hint. I have hidden my Gateway and IP for obvious reasons with an x.x.x. Sorry.
Regards,
Carlos
-
And here are my routing tables when I am connected to site B (192.168.30.250)
C:\WINDOWS\system32>route print
Interface List
20…84 7b eb 17 a8 06 ......Realtek PCIe FE Family Controller
6...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter
26...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter #2
22...2c 6e 85 66 1d 91 ......Microsoft Wi-Fi Direct Virtual Adapter
23...00 ff de 33 76 23 ......TAP-Windows Adapter V9
9...2c 6e 85 66 1d 90 ......Intel(R) Dual Band Wireless-AC 3160
5...2c 6e 85 66 1d 94 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
10...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6IPv4 Route Table
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.3.8 55
0.0.0.0 128.0.0.0 10.0.10.1 10.0.10.2 35
10.0.9.0 255.255.255.0 10.0.10.1 10.0.10.2 35
10.0.10.0 255.255.255.0 On-link 10.0.10.2 291
10.0.10.0 255.255.255.0 10.0.10.1 10.0.10.2 35
10.0.10.2 255.255.255.255 On-link 10.0.10.2 291
10.0.10.255 255.255.255.255 On-link 10.0.10.2 291
x.x.x.116 255.255.255.255 192.168.2.1 192.168.3.8 55
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
128.0.0.0 128.0.0.0 10.0.10.1 10.0.10.2 35
192.168.0.0 255.255.252.0 On-link 192.168.3.8 311
192.168.3.8 255.255.255.255 On-link 192.168.3.8 311
192.168.3.255 255.255.255.255 On-link 192.168.3.8 311
192.168.4.0 255.255.255.0 10.0.10.1 10.0.10.2 35
192.168.5.0 255.255.255.0 10.0.10.1 10.0.10.2 35
192.168.6.0 255.255.255.0 10.0.10.1 10.0.10.2 35
192.168.7.0 255.255.255.0 10.0.10.1 10.0.10.2 35
192.168.20.0 255.255.255.0 10.0.10.1 10.0.10.2 35
192.168.30.0 255.255.255.0 10.0.10.1 10.0.10.2 35
192.168.56.0 255.255.255.0 On-link 192.168.56.1 281
192.168.56.1 255.255.255.255 On-link 192.168.56.1 281
192.168.56.255 255.255.255.255 On-link 192.168.56.1 281
192.168.84.0 255.255.255.0 On-link 192.168.84.2 281
192.168.84.2 255.255.255.255 On-link 192.168.84.2 281
192.168.84.255 255.255.255.255 On-link 192.168.84.2 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.56.1 281
224.0.0.0 240.0.0.0 On-link 192.168.84.2 281
224.0.0.0 240.0.0.0 On-link 192.168.3.8 311
224.0.0.0 240.0.0.0 On-link 10.0.10.2 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.56.1 281
255.255.255.255 255.255.255.255 On-link 192.168.84.2 281
255.255.255.255 255.255.255.255 On-link 192.168.3.8 311
255.255.255.255 255.255.255.255 On-link 10.0.10.2 291Persistent Routes:
NoneIPv6 Route Table
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
6 281 fe80::/64 On-link
26 281 fe80::/64 On-link
9 311 fe80::/64 On-link
23 291 fe80::/64 On-link
9 311 fe80::1e2:f48:2ace:c530/128
On-link
6 281 fe80::60db:46be:e86b:8581/128
On-link
26 281 fe80::7d7a:d293:1452:9ea4/128
On-link
23 291 fe80::cdbd:8d00:5069:500a/128
On-link
1 331 ff00::/8 On-link
6 281 ff00::/8 On-link
26 281 ff00::/8 On-link
9 311 ff00::/8 On-link
23 291 ff00::/8 On-linkPersistent Routes:
NoneAnd here are when I am connected to site A (192.168.20.250)
C:\WINDOWS\system32>route print
Interface List
20...84 7b eb 17 a8 06 ......Realtek PCIe FE Family Controller
6...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter
26...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter #2
22...2c 6e 85 66 1d 91 ......Microsoft Wi-Fi Direct Virtual Adapter
23...00 ff de 33 76 23 ......TAP-Windows Adapter V9
9...2c 6e 85 66 1d 90 ......Intel(R) Dual Band Wireless-AC 3160
5...2c 6e 85 66 1d 94 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
10...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6IPv4 Route Table
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.3.8 55
0.0.0.0 128.0.0.0 10.0.9.1 10.0.9.2 35
10.0.9.0 255.255.255.0 On-link 10.0.9.2 291
10.0.9.0 255.255.255.0 10.0.9.1 10.0.9.2 35
10.0.9.2 255.255.255.255 On-link 10.0.9.2 291
10.0.9.255 255.255.255.255 On-link 10.0.9.2 291
10.0.10.0 255.255.255.0 10.0.9.1 10.0.9.2 35
x.x.x.115 255.255.255.255 192.168.2.1 192.168.3.8 55
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
128.0.0.0 128.0.0.0 10.0.9.1 10.0.9.2 35
192.168.0.0 255.255.252.0 On-link 192.168.3.8 311
192.168.3.8 255.255.255.255 On-link 192.168.3.8 311
192.168.3.255 255.255.255.255 On-link 192.168.3.8 311
192.168.4.0 255.255.255.0 10.0.9.1 10.0.9.2 35
192.168.5.0 255.255.255.0 10.0.9.1 10.0.9.2 35
192.168.6.0 255.255.255.0 10.0.9.1 10.0.9.2 35
192.168.7.0 255.255.255.0 10.0.9.1 10.0.9.2 35
192.168.20.0 255.255.255.0 10.0.9.1 10.0.9.2 35
192.168.30.0 255.255.255.0 10.0.9.1 10.0.9.2 35
192.168.40.0 255.255.255.0 10.0.9.1 10.0.9.2 35
192.168.56.0 255.255.255.0 On-link 192.168.56.1 281
192.168.56.1 255.255.255.255 On-link 192.168.56.1 281
192.168.56.255 255.255.255.255 On-link 192.168.56.1 281
192.168.84.0 255.255.255.0 On-link 192.168.84.2 281
192.168.84.2 255.255.255.255 On-link 192.168.84.2 281
192.168.84.255 255.255.255.255 On-link 192.168.84.2 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.56.1 281
224.0.0.0 240.0.0.0 On-link 192.168.84.2 281
224.0.0.0 240.0.0.0 On-link 192.168.3.8 311
224.0.0.0 240.0.0.0 On-link 10.0.9.2 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.56.1 281
255.255.255.255 255.255.255.255 On-link 192.168.84.2 281
255.255.255.255 255.255.255.255 On-link 192.168.3.8 311
255.255.255.255 255.255.255.255 On-link 10.0.9.2 291Persistent Routes:
NoneIPv6 Route Table
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
6 281 fe80::/64 On-link
26 281 fe80::/64 On-link
9 311 fe80::/64 On-link
23 291 fe80::/64 On-link
9 311 fe80::1e2:f48:2ace:c530/128
On-link
6 281 fe80::60db:46be:e86b:8581/128
On-link
26 281 fe80::7d7a:d293:1452:9ea4/128
On-link
23 291 fe80::cdbd:8d00:5069:500a/128
On-link
1 331 ff00::/8 On-link
6 281 ff00::/8 On-link
26 281 ff00::/8 On-link
9 311 ff00::/8 On-link
23 291 ff00::/8 On-linkPersistent Routes:
NoneHope that helps.
Carlos
-
There is an incorrect route at site A pfSense:
And here are for pfsense A (192.168.20.250) Destination Gateway Flags Use Mtu Netif Expire 10.0.10.0/24 10.0.9.2 UGS 2994 1500 ovpns2The tunnel subnet of site Bs clients 10.0.10.0/24 is routed to the site As mobile clients server. Check the config of this server. You should find an entry of 10.0.10.0/24 somewhere, maybe you have a client specific override for this server.
-
Hi,
I still have the same results after cleaning up Site A (192.168.20.250). Now I have the following:Destination Gateway Flags Use Mtu Netif Expire
10.0.8.0/24 10.0.8.1 UGS 0 1500 ovpns1
10.0.8.1 link#7 UHS 0 16384 lo0
10.0.8.2 link#7 UH 0 1500 ovpns1
10.0.9.0/24 10.0.9.1 UGS 0 1500 ovpns2
10.0.9.1 link#8 UHS 0 16384 lo0
10.0.9.2 link#8 UH 2241 1500 ovpns2
…
192.168.20.0/24 link#2 U 1501 1500 em1
192.168.20.250 link#2 UHS 0 16384 lo0
192.168.30.0/24 10.0.8.2 UGS 1054 1500 ovpns1Now there is no routing for 10.0.10.0/24 on Site A.
On Site B (192.168.30.250), now I have this:
Destination Gateway Flags Use Mtu Netif Expire
10.0.8.0 link#8 UHS 0 16384 lo0
10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
10.0.8.1 link#8 UH 0 1500 ovpnc1
10.0.9.0/24 10.0.8.1 UGS 590 1500 ovpnc1
10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
10.0.10.1 link#7 UHS 0 16384 lo0
10.0.10.2 link#7 UH 909 1500 ovpns2
...
192.168.20.0/24 10.0.8.1 UGS 476 1500 ovpnc1
192.168.30.0/24 link#2 U 2569 1500 em1
192.168.30.250 link#2 UHS 0 16384 lo0
On Site A (192.168.20.250) I do have a Client Specific Override. Basically the common name, a description, and:
Tunnel: 10.0.8.0/24
Advanced: iroute 192.168.30.0 255.255.255.0Not sure what to do next?
Carlos
-
Now you are missing the route to 10.0.10.0/24 at site A totally. Go to the site A site-to-site OpenVPN server settings and enter or add 10.0.10.0/24 in the "IPv4 Remote Networks" box.
-
I just added the 10.0.10.0/24 at site A (192.168.20.250) in the IPv4 Remote Networks like you said. Site A changed to:
Destination Gateway Flags Use Mtu Netif Expire
10.0.8.0/24 10.0.8.1 UGS 0 1500 ovpns1
10.0.8.1 link#7 UHS 0 16384 lo0
10.0.8.2 link#7 UH 0 1500 ovpns1
10.0.9.0/24 10.0.9.1 UGS 0 1500 ovpns2
10.0.9.1 link#8 UHS 0 16384 lo0
10.0.9.2 link#8 UH 139201 1500 ovpns2
10.0.10.0/24 10.0.8.2 UGS 0 1500 ovpns1
…
192.168.20.0/24 link#2 U 276518 1500 em1
192.168.20.250 link#2 UHS 0 16384 lo0
192.168.30.0/24 10.0.8.2 UGS 706 1500 ovpns1Site B seems to remain the same:
Destination Gateway Flags Use Mtu Netif Expire
10.0.8.0 link#8 UHS 0 16384 lo0
10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
10.0.8.1 link#8 UH 0 1500 ovpnc1
10.0.9.0/24 10.0.8.1 UGS 493 1500 ovpnc1
10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
10.0.10.1 link#7 UHS 0 16384 lo0
10.0.10.2 link#7 UH 7764 1500 ovpns2
...
192.168.20.0/24 10.0.8.1 UGS 156 1500 ovpnc1
192.168.30.0/24 link#2 U 52051 1500 em1
192.168.30.250 link#2 UHS 0 16384 lo0
-
The routing tables seem to be well now. Any success?
-
Unfortunately no success. I have the same result.
My mobile client at 10.0.10.0/24 will not be able to go to 192.168.20.0/24. Can only go to 192.168.30.0/24 (and IPSec tunnels).
I tried something out as well. I disabled the Ipsec tunnels on Site B (192.168.30.250) but the same result that I cannot go to 192.168.20.0/24
What is funny is that if I RDP to a PC on 192.168.30.0/24, inside that PC, I can connect to all networks. Just the mobile client is the one with the problem.
No clue as to what to try next.
-
Okay, since routes and firewall rules are well, maybe you have miss-configured the VPN interfaces. Have you assigned a particular interface to each OpenVPN instance (each server and client instance)? This is crucial for routing between multiple VPN instances.
If you haven't already, on both sites go to interface > assign, select a VPN instance under "Network port", click Add, then open the new interface and activate it. You can give it a meaningful name. Do this for each OpenVPN instance on both nodes. Now in Firewall > rules the new interfaces are shown as particular tabs and you have to define the needed firewall rules there.
-
I can only do this at Site B (192.168.30.250) for the time being as my office is now working. Site A is the main VPN Server that connects to all the other offices so can't be testing configurations. I will try this out in about 14 hours. For the time being, I have a a few question on this.
For Site B (192.168.30.250)
-
What should I configure on the OPT1 on IPv4 Configuration Type?
-
Should it be Static IPv4 with IP 10.0.10.250 / 24?? 250 to be consistent with the other Sites.
-
Should the Gateway be set to None?
-
What should I configure on the OPT2 on IPv4 Configuration Type?
-
Should it be Static IPv4 with IP 10.0.8.250 / 24?? 250 to be consistent with the other Sites.
-
Should the Gateway be set to None?
-
But if I set OPT2 to 10.0.8.250, what about the other sites? Will it matter to have the same IP at other sites?
None the less, I have just set it up like this in Site B (192.168.30.250). But no success. Again the same result. :(
The routing table is now:
Destination Gateway Flags Use Mtu Netif Expire
10.0.8.0 link#8 UHS 0 16384 lo0
10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
10.0.8.1 link#8 UH 0 1500 ovpnc1
10.0.9.0/24 10.0.8.1 UGS 0 1500 ovpnc1
10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
10.0.10.1 link#7 UHS 0 16384 lo0
10.0.10.2 link#7 UH 1969 1500 ovpns2
…
192.168.20.0/24 10.0.8.1 UGS 231 1500 ovpnc1
192.168.30.0/24 link#2 U 260449 1500 em1
192.168.30.250 link#2 UHS 0 16384 lo0So it is back to being the same. I ensured that OPT1, OPT2 and OpenVPN firewall rules are all setup like this:
Protocol Source Port Destination Port Gateway Queue Schedule
IPv4 * * * * * * noneSo this is awkward. :o
I am wondering if it will make a difference wen I change Site A as I have just made a bunch of changes in Site B achieving the same result. So I am wondering if I should play around with Firewall Nat Outbound Mappings?? Currently these are set to automatic and have two created:
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
WAN 127.0.0.0/8 192.168.30.0/24 10.0.10.0/24 10.0.8.0/24 * * 500 WAN address * Auto created rule for ISAKMP
WAN 127.0.0.0/8 192.168.30.0/24 10.0.10.0/24 10.0.8.0/24 * * * WAN address * Auto created rule
-
-
There are no settings to be made in the interface config. Just activate and save it, no IP config. But it's recommended to give it a more meaningful name as "OPT1".
This gives pfSense the availability to handle the VPN interfaces separately instead as an interface group. This doesn't effect any changes in the routing table.
It's also conceivable to do NAT on an OpenVPN interface at site B, maybe it's easier to solve this issue, but a would prefer the routing method cause its more clean.
For troubleshooting you can use the packet capture tool of pfSense from the Diagnostic menu. Try to access a host in LAN A from a mobile vpn client connected to site B while you do a packet capture at site As LAN interface. If you can see nothing, try the site-to-site VPN interface. Since the routes are well, the packets should arrive there.
-
Ok. So I have applied the Interface and Firewall (allow all) settings for both sites A and B. See screenshots attached for the confirmation. Weird how the MAINVPN tunnel is offline at Site A. Not sure if that is normal? But all is working from Site A to it's connections.
On Site B (192.168.30.250), all seems to be ok in regards to all interfaces being online. Again, see screenshot. But now I have a new problem:
-
From the Mobile connection, I can't go to Site A (192.168.20.250). I can go to all Ipsec sites without an issue and also to 192.168.30.0/24 LAN.
-
From within the LAN connection, I can go to Site A (192.168.20.250) without an issue and of course also to the LAN 192.168.30.0/24. But I can no longer go to any IPSec Site even though the 20 tunnels are online. So we have gotten this as a new problem
I have rebooted both sites pfsenses to ensure there was nothing weird. I ensured that all routes worked from Site A to all other Sites. So I expect no issues in my working offices. No problem should be reported on Site A. Nevertheless, all here is pfsense with OpenVPN connecting to other OpenVPNs so no issues are happening.
Seems that all the problem is at Site B. :o
I did try the packet capture. But not sure what you want me to report back.
-
-
Anyone has any clue on this?
-
Hi!
I hope I got your problem (I'm in a bit of a hurry ;) )
I've got similar setup up with OpenVPN connected sites and users which needed to be routed into a IPSEC subnet.
This is how it was solved.-
Setup a gateway on LAN interface which points to the LAN interface IP
-
Create a route for the IPSEC subnet which point to the LAN gateway
-
Define all subnets as 2nd phases on the IPSEC connection
-
Make sure the opposing side of the IPSEC connection allow the incoming subnet you have.
This made it work for me. All OpenVPN road warriors and OpenVPN connected site-to-site are able to get traffic routed through the IPSEC tunnel.
Don't know if there is another way or solved differently on later versions. This config is on pfSense 2.2.4
Brgs,
-
-
Hi iorx,
The OpenVPN road warrior can go to all the LAN where it is connected to as well as all the Ipsec tunnels. Where I have a problem is that the OpenVPN road warrior cannot go to other OpenVPN site-to-sites…Regards,
Carlos
