Netgate Discussion Forum

    Client Export to OpenVPN Site to IPSec

    20 Posts 3 Posters 7.4k Views
newcmelgar

      Hi,
I am not sure what I am doing wrong. I have 2 pfSense boxes connected site-to-site, working well like so:

      pfsense A 192.168.20.250 for SITES:
      Server Mode: Peer to peer SSL/TLS
      Protocol: UDP
      Device mode: tun
      Interface: WAN
      Local Port: 1194
      Tunnel: 10.0.8.0/24
      Local Networks: 192.168.20.0/24
      Custom Options: route 192.168.30.0 255.255.255.0; push "route 192.168.30.0 255.255.255.0";

      pfsense A 192.168.20.250 for MOBILE CLIENTS:
      Server Mode: Peer to peer SSL/TLS
      Protocol: UDP
      Device mode: tun
      Interface: WAN
      Local Port: 1190
      Tunnel: 10.0.9.0/24
      Local Networks: 192.168.20.0/24
      Custom Options: route 192.168.30.0 255.255.255.0; push "route 192.168.30.0 255.255.255.0";


      pfsense B 192.168.30.250 to connect to SITE:
      Server Mode: Peer to peer SSL/TLS
      Protocol: UDP
      Device mode: tun
      Interface: WAN
      Server Host: pfsense A WAN IP
      Server Port: 1194
      Tunnel: 10.0.8.0/24
      Remote Networks: 192.168.20.0/24
      Custom Options: route 192.168.20.0 255.255.255.0; push "route 192.168.20.0 255.255.255.0";

      pfsense B 192.168.30.250 for MOBILE CLIENTS:
      Server Mode: Peer to peer SSL/TLS
      Protocol: UDP
      Device mode: tun
      Interface: WAN
      Local Port: 1190
      Tunnel: 10.0.10.0/24
      Local Networks: 192.168.20.0/24
      Custom Options: route 192.168.20.0 255.255.255.0; push "route 192.168.20.0 255.255.255.0";

      Additionally I have an IPSec tunnel like so:
      Key Exchange: V1
      Protocol: IPv4
      Interface: WAN
      Remote Gateway: Sonicwall X WAN IP
      with 2 phases:

      1. 192.168.30.0/24 to 10.5.0.0/24
      2. 10.0.10.0/24 to 10.5.0.0/24

      When I am on a PC on site A (192.168.20.0/24) I can go to Site B (192.168.30.0/24) and cannot go to the IPSec site (10.5.0.0/24). This works just as expected.

      When I am on a mobile connection to site A (192.168.20.0/24) I can go to Site B (192.168.30.0/24) and cannot go to the IPSec site (10.5.0.0/24). This works just as expected.

      When I am on a PC on site B (192.168.30.0/24) I can go to Site A (192.168.20.0/24) and can go to the IPSec site (10.5.0.0/24). This works just as expected.

      When I am on a mobile connection to site B (192.168.30.0/24) I CANNOT go to Site A (192.168.20.0/24) and can go to the IPSec site (10.5.0.0/24). I am glad I can go to the IPSec site but I need to get to site A (192.168.20.0/24). THIS IS MY MAIN PROBLEM.

      Any ideas will be greatly appreciated on how to fix this.

      Thanks,

      Carlos

      Problem.png

newcmelgar

        Hi,
        Sorry. I am new to the forums and just realized I had posted with a lock. I have unlocked the post now.

        Hope someone can help with this issue.

        Thanks!

        Carlos

viragomann

Edit site A's site-to-site config and add 10.0.10.0/24 to the "Remote network/s".

newcmelgar

            Thanks for the reply viragomann!

            I added 10.0.10.0/24 to the Remote Networks box on Site A. Also tried adding under Site A custom options:

            route 10.0.10.0 255.255.255.0; push "route 10.0.10.0 255.255.255.0";

I tried combinations and a restart of the OpenVPN service. But it didn't work. The mobile connection to Site B can go to IPSec but CANNOT go to Site A.

viragomann

So the routes should be set correctly now. But to be sure, check it at the mobile client and also at the site A pfSense.

              Also ensure that firewall rules allow the access at both sites from 10.0.10.0/24 to 192.168.20.0/24.

newcmelgar

Nope. Can't get it working yet. Here are the routing tables from pfSense B (192.168.30.250):

                Destination Gateway Flags Use Mtu Netif Expire
                default x.x.x.97 UGS 3139593 1500 em0
                10.0.8.0 link#8 UHS 0 16384 lo0
                10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
                10.0.8.1 link#8 UH 0 1500 ovpnc1
                10.0.9.0/24 10.0.8.1 UGS 1649 1500 ovpnc1
                10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
                10.0.10.1 link#7 UHS 0 16384 lo0
                10.0.10.2 link#7 UH 6444 1500 ovpns2
                x.x.x.96/27 link#1 U 1045333 1500 em0
                x.x.x.116 link#1 UHS 0 16384 lo0
                x.x.x.117 link#1 UHS 0 16384 lo0
                127.0.0.1 link#6 UH 0 16384 lo0
                192.168.4.0/24 10.0.8.1 UGS 0 1500 ovpnc1
                192.168.5.0/24 10.0.8.1 UGS 115 1500 ovpnc1
                192.168.6.0/24 10.0.8.1 UGS 76 1500 ovpnc1
                192.168.7.0/24 10.0.8.1 UGS 0 1500 ovpnc1
                192.168.20.0/24 10.0.8.1 UGS 456 1500 ovpnc1
                192.168.30.0/24 link#2 U 1273500 1500 em1
                192.168.30.250 link#2 UHS 0 16384 lo0
                192.168.40.0/24 10.0.8.1 UGS 0 1500 ovpnc1

And here are the ones for pfSense A (192.168.20.250):

                Destination Gateway Flags Use Mtu Netif Expire
                0.0.0.0/32 10.0.8.2 UGS 0 1500 ovpns1
                default x.x.x.97 UGS 1762959 1500 em0
                10.0.8.0/24 10.0.8.1 UGS 0 1500 ovpns1
                10.0.8.1 link#7 UHS 0 16384 lo0
                10.0.8.2 link#7 UH 0 1500 ovpns1
                10.0.9.0/24 10.0.9.1 UGS 0 1500 ovpns2
                10.0.9.1 link#8 UHS 0 16384 lo0
                10.0.9.2 link#8 UH 267514 1500 ovpns2
                10.0.10.0/24 10.0.9.2 UGS 2994 1500 ovpns2
                x.x.x.x/27 link#1 U 937740 1500 em0
                x.x.x.115 link#1 UHS 0 16384 lo0
                127.0.0.1 link#6 UH 0 16384 lo0
                192.168.4.0/24 10.0.8.2 UGS 41 1500 ovpns1
                192.168.5.0/24 10.0.8.2 UGS 473 1500 ovpns1
                192.168.6.0/24 10.0.8.2 UGS 479 1500 ovpns1
                192.168.7.0/24 10.0.8.2 UGS 195 1500 ovpns1
                192.168.20.0/24 link#2 U 1453072 1500 em1
                192.168.20.250 link#2 UHS 0 16384 lo0
                192.168.30.0/24 10.0.8.2 UGS 1905 1500 ovpns1
                192.168.40.0/24 10.0.8.2 UGS 0 1500 ovpns1

I also checked the firewall rules on both firewalls. And I have identical rules at both, like so:

                IPv4 * * * * * * none

                Still no clue why it doesn't work. But hopefully the routing tables will provide you with a hint. I have hidden my Gateway and IP for obvious reasons with an x.x.x. Sorry.

                Regards,

                Carlos

newcmelgar

                  And here are my routing tables when I am connected to site B (192.168.30.250)

                  C:\WINDOWS\system32>route print

                  Interface List
20...84 7b eb 17 a8 06 ......Realtek PCIe FE Family Controller
                    6...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter
                  26...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter #2
                  22...2c 6e 85 66 1d 91 ......Microsoft Wi-Fi Direct Virtual Adapter
                  23...00 ff de 33 76 23 ......TAP-Windows Adapter V9
                    9...2c 6e 85 66 1d 90 ......Intel(R) Dual Band Wireless-AC 3160
                    5...2c 6e 85 66 1d 94 ......Bluetooth Device (Personal Area Network)
                    1...........................Software Loopback Interface 1
                  14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
                  10...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
                  12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
                  13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
                  21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6

                  IPv4 Route Table

                  Active Routes:
                  Network Destination        Netmask          Gateway      Interface  Metric
                            0.0.0.0          0.0.0.0      192.168.2.1      192.168.3.8    55
                            0.0.0.0        128.0.0.0        10.0.10.1        10.0.10.2    35
                          10.0.9.0    255.255.255.0        10.0.10.1        10.0.10.2    35
                          10.0.10.0    255.255.255.0        On-link        10.0.10.2    291
                          10.0.10.0    255.255.255.0        10.0.10.1        10.0.10.2    35
                          10.0.10.2  255.255.255.255        On-link        10.0.10.2    291
                        10.0.10.255  255.255.255.255        On-link        10.0.10.2    291
                      x.x.x.116  255.255.255.255      192.168.2.1      192.168.3.8    55
                          127.0.0.0        255.0.0.0        On-link        127.0.0.1    331
                          127.0.0.1  255.255.255.255        On-link        127.0.0.1    331
                    127.255.255.255  255.255.255.255        On-link        127.0.0.1    331
                          128.0.0.0        128.0.0.0        10.0.10.1        10.0.10.2    35
                        192.168.0.0    255.255.252.0        On-link      192.168.3.8    311
                        192.168.3.8  255.255.255.255        On-link      192.168.3.8    311
                      192.168.3.255  255.255.255.255        On-link      192.168.3.8    311
                        192.168.4.0    255.255.255.0        10.0.10.1        10.0.10.2    35
                        192.168.5.0    255.255.255.0        10.0.10.1        10.0.10.2    35
                        192.168.6.0    255.255.255.0        10.0.10.1        10.0.10.2    35
                        192.168.7.0    255.255.255.0        10.0.10.1        10.0.10.2    35
                      192.168.20.0    255.255.255.0        10.0.10.1        10.0.10.2    35
                      192.168.30.0    255.255.255.0        10.0.10.1        10.0.10.2    35
                      192.168.56.0    255.255.255.0        On-link      192.168.56.1    281
                      192.168.56.1  255.255.255.255        On-link      192.168.56.1    281
                    192.168.56.255  255.255.255.255        On-link      192.168.56.1    281
                      192.168.84.0    255.255.255.0        On-link      192.168.84.2    281
                      192.168.84.2  255.255.255.255        On-link      192.168.84.2    281
                    192.168.84.255  255.255.255.255        On-link      192.168.84.2    281
                          224.0.0.0        240.0.0.0        On-link        127.0.0.1    331
                          224.0.0.0        240.0.0.0        On-link      192.168.56.1    281
                          224.0.0.0        240.0.0.0        On-link      192.168.84.2    281
                          224.0.0.0        240.0.0.0        On-link      192.168.3.8    311
                          224.0.0.0        240.0.0.0        On-link        10.0.10.2    291
                    255.255.255.255  255.255.255.255        On-link        127.0.0.1    331
                    255.255.255.255  255.255.255.255        On-link      192.168.56.1    281
                    255.255.255.255  255.255.255.255        On-link      192.168.84.2    281
                    255.255.255.255  255.255.255.255        On-link      192.168.3.8    311
                    255.255.255.255  255.255.255.255        On-link        10.0.10.2    291

                  Persistent Routes:
                    None

                  IPv6 Route Table

                  Active Routes:
                  If Metric Network Destination      Gateway
                    1    331 ::1/128                  On-link
                    6    281 fe80::/64                On-link
                  26    281 fe80::/64                On-link
                    9    311 fe80::/64                On-link
                  23    291 fe80::/64                On-link
                    9    311 fe80::1e2:f48:2ace:c530/128
                                                      On-link
                    6    281 fe80::60db:46be:e86b:8581/128
                                                      On-link
                  26    281 fe80::7d7a:d293:1452:9ea4/128
                                                      On-link
                  23    291 fe80::cdbd:8d00:5069:500a/128
                                                      On-link
                    1    331 ff00::/8                On-link
                    6    281 ff00::/8                On-link
                  26    281 ff00::/8                On-link
                    9    311 ff00::/8                On-link
                  23    291 ff00::/8                On-link

                  Persistent Routes:
                    None

And here they are when I am connected to site A (192.168.20.250):

                  C:\WINDOWS\system32>route print

                  Interface List
                  20...84 7b eb 17 a8 06 ......Realtek PCIe FE Family Controller
                    6...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter
                  26...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter #2
                  22...2c 6e 85 66 1d 91 ......Microsoft Wi-Fi Direct Virtual Adapter
                  23...00 ff de 33 76 23 ......TAP-Windows Adapter V9
                    9...2c 6e 85 66 1d 90 ......Intel(R) Dual Band Wireless-AC 3160
                    5...2c 6e 85 66 1d 94 ......Bluetooth Device (Personal Area Network)
                    1...........................Software Loopback Interface 1
                  14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
                  10...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
                  12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
                  13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
                  21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6

                  IPv4 Route Table

                  Active Routes:
                  Network Destination        Netmask          Gateway      Interface  Metric
                            0.0.0.0          0.0.0.0      192.168.2.1      192.168.3.8    55
                            0.0.0.0        128.0.0.0        10.0.9.1        10.0.9.2    35
                          10.0.9.0    255.255.255.0        On-link          10.0.9.2    291
                          10.0.9.0    255.255.255.0        10.0.9.1        10.0.9.2    35
                          10.0.9.2  255.255.255.255        On-link          10.0.9.2    291
                        10.0.9.255  255.255.255.255        On-link          10.0.9.2    291
                          10.0.10.0    255.255.255.0        10.0.9.1        10.0.9.2    35
                      x.x.x.115  255.255.255.255      192.168.2.1      192.168.3.8    55
                          127.0.0.0        255.0.0.0        On-link        127.0.0.1    331
                          127.0.0.1  255.255.255.255        On-link        127.0.0.1    331
                    127.255.255.255  255.255.255.255        On-link        127.0.0.1    331
                          128.0.0.0        128.0.0.0        10.0.9.1        10.0.9.2    35
                        192.168.0.0    255.255.252.0        On-link      192.168.3.8    311
                        192.168.3.8  255.255.255.255        On-link      192.168.3.8    311
                      192.168.3.255  255.255.255.255        On-link      192.168.3.8    311
                        192.168.4.0    255.255.255.0        10.0.9.1        10.0.9.2    35
                        192.168.5.0    255.255.255.0        10.0.9.1        10.0.9.2    35
                        192.168.6.0    255.255.255.0        10.0.9.1        10.0.9.2    35
                        192.168.7.0    255.255.255.0        10.0.9.1        10.0.9.2    35
                      192.168.20.0    255.255.255.0        10.0.9.1        10.0.9.2    35
                      192.168.30.0    255.255.255.0        10.0.9.1        10.0.9.2    35
                      192.168.40.0    255.255.255.0        10.0.9.1        10.0.9.2    35
                      192.168.56.0    255.255.255.0        On-link      192.168.56.1    281
                      192.168.56.1  255.255.255.255        On-link      192.168.56.1    281
                    192.168.56.255  255.255.255.255        On-link      192.168.56.1    281
                      192.168.84.0    255.255.255.0        On-link      192.168.84.2    281
                      192.168.84.2  255.255.255.255        On-link      192.168.84.2    281
                    192.168.84.255  255.255.255.255        On-link      192.168.84.2    281
                          224.0.0.0        240.0.0.0        On-link        127.0.0.1    331
                          224.0.0.0        240.0.0.0        On-link      192.168.56.1    281
                          224.0.0.0        240.0.0.0        On-link      192.168.84.2    281
                          224.0.0.0        240.0.0.0        On-link      192.168.3.8    311
                          224.0.0.0        240.0.0.0        On-link          10.0.9.2    291
                    255.255.255.255  255.255.255.255        On-link        127.0.0.1    331
                    255.255.255.255  255.255.255.255        On-link      192.168.56.1    281
                    255.255.255.255  255.255.255.255        On-link      192.168.84.2    281
                    255.255.255.255  255.255.255.255        On-link      192.168.3.8    311
                    255.255.255.255  255.255.255.255        On-link          10.0.9.2    291

                  Persistent Routes:
                    None

                  IPv6 Route Table

                  Active Routes:
                  If Metric Network Destination      Gateway
                    1    331 ::1/128                  On-link
                    6    281 fe80::/64                On-link
                  26    281 fe80::/64                On-link
                    9    311 fe80::/64                On-link
                  23    291 fe80::/64                On-link
                    9    311 fe80::1e2:f48:2ace:c530/128
                                                      On-link
                    6    281 fe80::60db:46be:e86b:8581/128
                                                      On-link
                  26    281 fe80::7d7a:d293:1452:9ea4/128
                                                      On-link
                  23    291 fe80::cdbd:8d00:5069:500a/128
                                                      On-link
                    1    331 ff00::/8                On-link
                    6    281 ff00::/8                On-link
                  26    281 ff00::/8                On-link
                    9    311 ff00::/8                On-link
                  23    291 ff00::/8                On-link

                  Persistent Routes:
                    None

                  Hope that helps.

                  Carlos

viragomann

There is an incorrect route at the site A pfSense:

> And here are for pfsense A (192.168.20.250)
> Destination Gateway Flags Use Mtu Netif Expire
> 10.0.10.0/24 10.0.9.2 UGS 2994 1500 ovpns2

The tunnel subnet of site B's clients, 10.0.10.0/24, is routed to site A's mobile clients server. Check the config of this server. You should find an entry of 10.0.10.0/24 somewhere; maybe you have a client specific override for this server.

newcmelgar

                      Hi,
                      I still have the same results after cleaning up Site A (192.168.20.250). Now I have the following:

                      Destination Gateway Flags Use Mtu Netif Expire
                      10.0.8.0/24 10.0.8.1 UGS 0 1500 ovpns1
                      10.0.8.1 link#7 UHS 0 16384 lo0
                      10.0.8.2 link#7 UH 0 1500 ovpns1
                      10.0.9.0/24 10.0.9.1 UGS 0 1500 ovpns2
                      10.0.9.1 link#8 UHS 0 16384 lo0
                      10.0.9.2 link#8 UH 2241 1500 ovpns2
                      …
                      192.168.20.0/24 link#2 U 1501 1500 em1
                      192.168.20.250 link#2 UHS 0 16384 lo0
                      192.168.30.0/24 10.0.8.2 UGS 1054 1500 ovpns1

                      Now there is no routing for 10.0.10.0/24 on Site A.

                      On Site B (192.168.30.250), now I have this:

                      Destination Gateway Flags Use Mtu Netif Expire
                      10.0.8.0 link#8 UHS 0 16384 lo0
                      10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
                      10.0.8.1 link#8 UH 0 1500 ovpnc1
                      10.0.9.0/24 10.0.8.1 UGS 590 1500 ovpnc1
                      10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
                      10.0.10.1 link#7 UHS 0 16384 lo0
                      10.0.10.2 link#7 UH 909 1500 ovpns2
                      ...
                      192.168.20.0/24 10.0.8.1 UGS 476 1500 ovpnc1
                      192.168.30.0/24 link#2 U 2569 1500 em1
                      192.168.30.250 link#2 UHS 0 16384 lo0


                      On Site A (192.168.20.250) I do have a Client Specific Override. Basically the common name, a description, and:

                      Tunnel: 10.0.8.0/24
                      Advanced: iroute 192.168.30.0 255.255.255.0

                      Not sure what to do next?

                      Carlos

viragomann

                        Now you are missing the route to 10.0.10.0/24 at site A totally. Go to the site A site-to-site OpenVPN server settings and enter or add 10.0.10.0/24 in the "IPv4 Remote Networks" box.

newcmelgar

                          I just added the 10.0.10.0/24 at site A (192.168.20.250) in the IPv4 Remote Networks like you said. Site A changed to:

                          Destination Gateway Flags Use Mtu Netif Expire
                          10.0.8.0/24 10.0.8.1 UGS 0 1500 ovpns1
                          10.0.8.1 link#7 UHS 0 16384 lo0
                          10.0.8.2 link#7 UH 0 1500 ovpns1
                          10.0.9.0/24 10.0.9.1 UGS 0 1500 ovpns2
                          10.0.9.1 link#8 UHS 0 16384 lo0
                          10.0.9.2 link#8 UH 139201 1500 ovpns2
                          10.0.10.0/24 10.0.8.2 UGS 0 1500 ovpns1
                          …
                          192.168.20.0/24 link#2 U 276518 1500 em1
                          192.168.20.250 link#2 UHS 0 16384 lo0
                          192.168.30.0/24 10.0.8.2 UGS 706 1500 ovpns1

                          Site B seems to remain the same:

                          Destination Gateway Flags Use Mtu Netif Expire
                          10.0.8.0 link#8 UHS 0 16384 lo0
                          10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
                          10.0.8.1 link#8 UH 0 1500 ovpnc1
                          10.0.9.0/24 10.0.8.1 UGS 493 1500 ovpnc1
                          10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
                          10.0.10.1 link#7 UHS 0 16384 lo0
                          10.0.10.2 link#7 UH 7764 1500 ovpns2
                          ...
                          192.168.20.0/24 10.0.8.1 UGS 156 1500 ovpnc1
                          192.168.30.0/24 link#2 U 52051 1500 em1
                          192.168.30.250 link#2 UHS 0 16384 lo0

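As an added check that is not part of the thread: the script below runs the kernel's longest-prefix lookup over the site A and site B routing tables posted above (the site A table both before and after the 10.0.10.0/24 row was corrected) to trace both directions of the mobile-client-to-LAN-A path, and then goes one step beyond what the thread states by comparing the subnets routed into site A's multi-client site-to-site server against the iroute lines of its client-specific override, since OpenVPN in server mode only forwards a subnet to a connected client when an iroute claims it. The sample hosts 10.0.10.2 and 192.168.20.10 and the default interface names are assumptions for the sample run.

```python
import ipaddress

# Routing-table rows copied from the thread (pfSense "netstat -rn" style),
# trimmed to the prefixes involved in the mobile-client -> site A LAN path.
SITE_A_AFTER = """\
10.0.8.0/24 10.0.8.1 UGS 0 1500 ovpns1
10.0.8.2 link#7 UH 0 1500 ovpns1
10.0.9.0/24 10.0.9.1 UGS 0 1500 ovpns2
10.0.10.0/24 10.0.8.2 UGS 0 1500 ovpns1
192.168.20.0/24 link#2 U 276518 1500 em1
192.168.30.0/24 10.0.8.2 UGS 706 1500 ovpns1
"""
# The earlier site A table differed in one row: 10.0.10.0/24 pointed at the
# mobile-clients server (ovpns2) instead of the site-to-site server (ovpns1).
SITE_A_BEFORE = SITE_A_AFTER.replace(
    "10.0.10.0/24 10.0.8.2 UGS 0 1500 ovpns1",
    "10.0.10.0/24 10.0.9.2 UGS 2994 1500 ovpns2")
SITE_B = """\
10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
10.0.9.0/24 10.0.8.1 UGS 493 1500 ovpnc1
10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
192.168.20.0/24 10.0.8.1 UGS 156 1500 ovpnc1
192.168.30.0/24 link#2 U 52051 1500 em1
"""
# Client-specific override on site A's site-to-site server, as posted in the thread.
SITE_A_CSO_IROUTES = ["iroute 192.168.30.0 255.255.255.0"]


def parse_routes(text):
    """Turn netstat rows into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Destination":
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)  # host rows become /32
        except ValueError:
            continue  # the thread masks public addresses as x.x.x.x; skip those rows
        routes.append((net, parts[1], parts[2], parts[5]))
    return routes


def lookup(routes, host):
    """Longest-prefix match, the way the kernel picks a route. None if no route."""
    addr = ipaddress.ip_address(host)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def check_path(site_b, site_a, client, target,
               s2s_client_if="ovpnc1", s2s_server_if="ovpns1", mobile_if="ovpns2"):
    """Trace client (site B mobile) -> target (site A LAN) and the return hops.
    Returns a list of findings; an empty list means both directions line up."""
    findings = []
    hop = lookup(site_b, target)
    if hop is None or hop[3] != s2s_client_if:
        findings.append(f"site B sends {target} out {hop and hop[3]}, expected {s2s_client_if}")
    hop = lookup(site_a, target)
    if hop is None or "G" in hop[2]:
        findings.append(f"site A does not see {target} as directly connected")
    hop = lookup(site_a, client)
    if hop is None or hop[3] != s2s_server_if:
        findings.append(f"site A returns {client} out {hop and hop[3]}, expected {s2s_server_if}")
    hop = lookup(site_b, client)
    if hop is None or hop[3] != mobile_if:
        findings.append(f"site B returns {client} out {hop and hop[3]}, expected {mobile_if}")
    return findings


def parse_iroute(line):
    """'iroute NET MASK' -> ip_network."""
    _, net, mask = line.split()
    return ipaddress.ip_network(f"{net}/{mask}")


def missing_iroutes(site_a, s2s_server_if, cso_lines):
    """Subnets the kernel hands to the multi-client server that no iroute claims.
    The kernel route gets the packet to the tun device; OpenVPN still needs an
    iroute to know which connected client owns the subnet, otherwise it drops it."""
    claimed = [parse_iroute(line) for line in cso_lines]
    missing = []
    for net, gw, flags, netif in site_a:
        if netif != s2s_server_if or "G" not in flags or net.prefixlen == 32:
            continue
        if ipaddress.ip_address(gw) in net:
            continue  # the tunnel subnet itself, owned by the server, needs no iroute
        if not any(net.subnet_of(c) for c in claimed):
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    a_before, a_after, b = (parse_routes(t) for t in (SITE_A_BEFORE, SITE_A_AFTER, SITE_B))
    print("before fix:", check_path(b, a_before, "10.0.10.2", "192.168.20.10"))
    print("after fix: ", check_path(b, a_after, "10.0.10.2", "192.168.20.10"))
    print("routed into ovpns1 but claimed by no CSO iroute:",
          missing_iroutes(a_after, "ovpns1", SITE_A_CSO_IROUTES))
```

With the corrected tables the path check comes back clean, while the iroute check still reports 10.0.10.0/24, which is the one thing the posted override does not cover.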
viragomann

                            The routing tables seem to be well now. Any success?

newcmelgar

                              Unfortunately no success. I have the same result.

                              My mobile client at 10.0.10.0/24 will not be able to go to 192.168.20.0/24. Can only go to 192.168.30.0/24 (and IPSec tunnels).

I tried something out as well. I disabled the IPSec tunnels on Site B (192.168.30.250), but with the same result: I cannot go to 192.168.20.0/24.

                              What is funny is that if I RDP to a PC on 192.168.30.0/24, inside that PC, I can connect to all networks. Just the mobile client is the one with the problem.

                              No clue as to what to try next.

viragomann

Okay, since routes and firewall rules are fine, maybe you have misconfigured the VPN interfaces. Have you assigned a particular interface to each OpenVPN instance (each server and client instance)? This is crucial for routing between multiple VPN instances.

                                If you haven't already, on both sites go to interface > assign, select a VPN instance under "Network port", click Add, then open the new interface and activate it. You can give it a meaningful name. Do this for each OpenVPN instance on both nodes. Now in Firewall > rules the new interfaces are shown as particular tabs and you have to define the needed firewall rules there.

newcmelgar

I can only do this at Site B (192.168.30.250) for the time being, as my office is now working. Site A is the main VPN server that connects to all the other offices, so I can't be testing configurations there. I will try this out in about 14 hours. For the time being, I have a few questions on this.

                                  For Site B (192.168.30.250)

                                  • What should I configure on the OPT1 on IPv4 Configuration Type?

                                  • Should it be Static IPv4 with IP 10.0.10.250 / 24?? 250 to be consistent with the other Sites.

                                  • Should the Gateway be set to None?

                                  • What should I configure on the OPT2 on IPv4 Configuration Type?

                                  • Should it be Static IPv4 with IP 10.0.8.250 / 24?? 250 to be consistent with the other Sites.

                                  • Should the Gateway be set to None?

                                  • But if I set OPT2 to 10.0.8.250, what about the other sites? Will it matter to have the same IP at other sites?

Nonetheless, I have just set it up like this in Site B (192.168.30.250). But no success. Again the same result.  :(

                                  The routing table is now:

                                  Destination Gateway Flags Use Mtu Netif Expire
                                  10.0.8.0 link#8 UHS 0 16384 lo0
                                  10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
                                  10.0.8.1 link#8 UH 0 1500 ovpnc1
                                  10.0.9.0/24 10.0.8.1 UGS 0 1500 ovpnc1
                                  10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
                                  10.0.10.1 link#7 UHS 0 16384 lo0
                                  10.0.10.2 link#7 UH 1969 1500 ovpns2
                                  …
                                  192.168.20.0/24 10.0.8.1 UGS 231 1500 ovpnc1
                                  192.168.30.0/24 link#2 U 260449 1500 em1
                                  192.168.30.250 link#2 UHS 0 16384 lo0

                                  So it is back to being the same. I ensured that OPT1, OPT2 and OpenVPN firewall rules are all setup like this:

                                  Protocol Source Port Destination Port Gateway Queue Schedule
                                  IPv4 * * * * * * none

                                  So this is awkward.  :o

I am wondering if it will make a difference when I change Site A, as I have just made a bunch of changes in Site B achieving the same result. So I am wondering if I should play around with Firewall NAT Outbound Mappings?? Currently these are set to automatic and have two created:

                                  Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
                                  WAN 127.0.0.0/8 192.168.30.0/24 10.0.10.0/24 10.0.8.0/24 * * 500 WAN address * Auto created rule for ISAKMP
                                  WAN 127.0.0.0/8 192.168.30.0/24 10.0.10.0/24 10.0.8.0/24 * * * WAN address * Auto created rule

viragomann

There are no settings to be made in the interface config. Just activate and save it, no IP config. But it's recommended to give it a more meaningful name than "OPT1".

This gives pfSense the ability to handle the VPN interfaces separately instead of as an interface group. This doesn't cause any changes in the routing table.

It's also conceivable to do NAT on an OpenVPN interface at site B; maybe it's easier to solve this issue that way, but I would prefer the routing method because it's cleaner.

For troubleshooting you can use the packet capture tool of pfSense from the Diagnostics menu. Try to access a host in LAN A from a mobile VPN client connected to site B while you do a packet capture at site A's LAN interface. If you see nothing, try the site-to-site VPN interface. Since the routes are fine, the packets should arrive there.

newcmelgar

Ok. So I have applied the Interface and Firewall (allow all) settings for both sites A and B. See screenshots attached for the confirmation. Weird how the MAINVPN tunnel is offline at Site A. Not sure if that is normal? But all is working from Site A to its connections.

                                      On Site B (192.168.30.250), all seems to be ok in regards to all interfaces being online. Again, see screenshot. But now I have a new problem:

                                      • From the Mobile connection, I can't go to Site A (192.168.20.250). I can go to all Ipsec sites without an issue and also to 192.168.30.0/24 LAN.

• From within the LAN connection, I can go to Site A (192.168.20.250) without an issue and of course also to the LAN 192.168.30.0/24. But I can no longer go to any IPsec site even though the 20 tunnels are online. So we have got this as a new problem.

I have rebooted both sites' pfSense boxes to ensure there was nothing weird. I ensured that all routes worked from Site A to all other sites. So I expect no issues in my working offices. No problem should be reported on Site A. Nevertheless, all here is pfSense with OpenVPN connecting to other OpenVPNs, so no issues are happening.

                                      Seems that all the problem is at Site B.  :o

                                      I did try the packet capture. But not sure what you want me to report back.

(Attachments: 192.168.20.250 after.png, 192.168.30.250 after.png)

newcmelgar:

                                        Anyone has any clue on this?

iorx:

                                          Hi!

                                          I hope I got your problem (I'm in a bit of a hurry  ;) )
I've got a similar setup with OpenVPN-connected sites and users which needed to be routed into an IPsec subnet.
                                          This is how it was solved.

                                          • Setup a gateway on LAN interface which points to the LAN interface IP

• Create a route for the IPsec subnet which points to the LAN gateway

• Define all subnets as phase 2 entries on the IPsec connection

• Make sure the opposing side of the IPsec connection allows the incoming subnets you have.

This made it work for me. All OpenVPN road warriors and OpenVPN-connected site-to-site peers are able to get traffic routed through the IPsec tunnel.

Don't know if there is another way or whether it is solved differently on later versions. This config is on pfSense 2.2.4.

                                          Brgs,

newcmelgar:

                                            Hi iorx,
The OpenVPN road warrior can go to all the LAN where it is connected as well as all the IPsec tunnels. Where I have a problem is that the OpenVPN road warrior cannot go to other OpenVPN site-to-sites…

                                            Regards,

                                            Carlos

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.