Client Export to OpenVPN Site to IPSec



  • Hi,
    I am not sure what I am doing wrong. I have have 2 pfsense boxes connected site-to-site working well like so:


    pfsense A 192.168.20.250 for SITES:
    Server Mode: Peer to peer SSL/TLS
    Protocol: UDP
    Device mode: tun
    Interface: WAN
    Local Port: 1194
    Tunnel: 10.0.8.0/24
    Local Networks: 192.168.20.0/24
    Custom Options: route 192.168.30.0 255.255.255.0; push "route 192.168.30.0 255.255.255.0";

    pfsense A 192.168.20.250 for MOBILE CLIENTS:
    Server Mode: Peer to peer SSL/TLS
    Protocol: UDP
    Device mode: tun
    Interface: WAN
    Local Port: 1190
    Tunnel: 10.0.9.0/24
    Local Networks: 192.168.20.0/24
    Custom Options: route 192.168.30.0 255.255.255.0; push "route 192.168.30.0 255.255.255.0";


    pfsense B 192.168.30.250 to connect to SITE:
    Server Mode: Peer to peer SSL/TLS
    Protocol: UDP
    Device mode: tun
    Interface: WAN
    Server Host: pfsense A WAN IP
    Server Port: 1194
    Tunnel: 10.0.8.0/24
    Remote Networks: 192.168.20.0/24
    Custom Options: route 192.168.20.0 255.255.255.0; push "route 192.168.20.0 255.255.255.0";

    pfsense B 192.168.30.250 for MOBILE CLIENTS:
    Server Mode: Peer to peer SSL/TLS
    Protocol: UDP
    Device mode: tun
    Interface: WAN
    Local Port: 1190
    Tunnel: 10.0.10.0/24
    Local Networks: 192.168.20.0/24
    Custom Options: route 192.168.20.0 255.255.255.0; push "route 192.168.20.0 255.255.255.0";

    Additionally I have an IPSec tunnel like so:
    Key Exchange: V1
    Protocol: IPv4
    Interface: WAN
    Remote Gateway: Sonicwall X WAN IP
    with 2 phases:

    1. 192.168.30.0/24 to 10.5.0.0/24
    2. 10.0.10.0/24 to 10.5.0.0/24

    When I am on a PC on site A (192.168.20.0/24) I can go to Site B (192.168.30.0/24) and cannot go to the IPSec site (10.5.0.0/24). This works just as expected.

    When I am on a mobile connection to site A (192.168.20.0/24) I can go to Site B (192.168.30.0/24) and cannot go to the IPSec site (10.5.0.0/24). This works just as expected.

    When I am on a PC on site B (192.168.30.0/24) I can go to Site A (192.168.20.0/24) and can go to the IPSec site (10.5.0.0/24). This works just as expected.

    When I am on a mobile connection to site B (192.168.30.0/24) I CANNOT go to Site A (192.168.20.0/24) and can go to the IPSec site (10.5.0.0/24). I am glad I can go to the IPSec site but I need to get to site A (192.168.20.0/24). THIS IS MY MAIN PROBLEM.

    Any ideas will be greatly appreciated on how to fix this.

    Thanks,

    Carlos




  • Hi,
    Sorry. I am new to the forums and just realized I had posted with a lock. I have unlocked the post now.

    Hope someone can help with this issue.

    Thanks!

    Carlos



  • Edit the sites A site-to-site config and add 10.0.10.0/24 to the "Remote network/s".



  • Thanks for the reply viragomann!

    I added 10.0.10.0/24 to the Remote Networks box on Site A. Also tried adding under Site A custom options:

    route 10.0.10.0 255.255.255.0; push "route 10.0.10.0 255.255.255.0";

    I did combinations and reboot of the OpenVPN Service. But it didn't work. The mobile connection to Site B can go to IPSec but CANNOT go to Site A.



  • So the routes should be set correctly now. But to ensure, check it at the mobile client and also at site A pfSense.

    Also ensure that firewall rules allow the access at both sites from 10.0.10.0/24 to 192.168.20.0/24.



  • Nope. Can't get it working yet. Here are the Routing tables from pfsense B (192.168.30.250)

    Destination Gateway Flags Use Mtu Netif Expire
    default x.x.x.97 UGS 3139593 1500 em0
    10.0.8.0 link#8 UHS 0 16384 lo0
    10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
    10.0.8.1 link#8 UH 0 1500 ovpnc1
    10.0.9.0/24 10.0.8.1 UGS 1649 1500 ovpnc1
    10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
    10.0.10.1 link#7 UHS 0 16384 lo0
    10.0.10.2 link#7 UH 6444 1500 ovpns2
    x.x.x.96/27 link#1 U 1045333 1500 em0
    x.x.x.116 link#1 UHS 0 16384 lo0
    x.x.x.117 link#1 UHS 0 16384 lo0
    127.0.0.1 link#6 UH 0 16384 lo0
    192.168.4.0/24 10.0.8.1 UGS 0 1500 ovpnc1
    192.168.5.0/24 10.0.8.1 UGS 115 1500 ovpnc1
    192.168.6.0/24 10.0.8.1 UGS 76 1500 ovpnc1
    192.168.7.0/24 10.0.8.1 UGS 0 1500 ovpnc1
    192.168.20.0/24 10.0.8.1 UGS 456 1500 ovpnc1
    192.168.30.0/24 link#2 U 1273500 1500 em1
    192.168.30.250 link#2 UHS 0 16384 lo0
    192.168.40.0/24 10.0.8.1 UGS 0 1500 ovpnc1

    And here are for pfsense A (192.168.20.250)

    Destination Gateway Flags Use Mtu Netif Expire
    0.0.0.0/32 10.0.8.2 UGS 0 1500 ovpns1
    default x.x.x.97 UGS 1762959 1500 em0
    10.0.8.0/24 10.0.8.1 UGS 0 1500 ovpns1
    10.0.8.1 link#7 UHS 0 16384 lo0
    10.0.8.2 link#7 UH 0 1500 ovpns1
    10.0.9.0/24 10.0.9.1 UGS 0 1500 ovpns2
    10.0.9.1 link#8 UHS 0 16384 lo0
    10.0.9.2 link#8 UH 267514 1500 ovpns2
    10.0.10.0/24 10.0.9.2 UGS 2994 1500 ovpns2
    x.x.x.x/27 link#1 U 937740 1500 em0
    x.x.x.115 link#1 UHS 0 16384 lo0
    127.0.0.1 link#6 UH 0 16384 lo0
    192.168.4.0/24 10.0.8.2 UGS 41 1500 ovpns1
    192.168.5.0/24 10.0.8.2 UGS 473 1500 ovpns1
    192.168.6.0/24 10.0.8.2 UGS 479 1500 ovpns1
    192.168.7.0/24 10.0.8.2 UGS 195 1500 ovpns1
    192.168.20.0/24 link#2 U 1453072 1500 em1
    192.168.20.250 link#2 UHS 0 16384 lo0
    192.168.30.0/24 10.0.8.2 UGS 1905 1500 ovpns1
    192.168.40.0/24 10.0.8.2 UGS 0 1500 ovpns1

    I also checked the firewall in both firewalls. And I have an identical rules at both like so:

    IPv4 * * * * * * none

    Still no clue why it doesn't work. But hopefully the routing tables will provide you with a hint. I have hidden my Gateway and IP for obvious reasons with an x.x.x. Sorry.

    Regards,

    Carlos



  • And here are my routing tables when I am connected to site B (192.168.30.250)

    C:\WINDOWS\system32>route print

    Interface List
    20…84 7b eb 17 a8 06 ......Realtek PCIe FE Family Controller
      6...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter
    26...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter #2
    22...2c 6e 85 66 1d 91 ......Microsoft Wi-Fi Direct Virtual Adapter
    23...00 ff de 33 76 23 ......TAP-Windows Adapter V9
      9...2c 6e 85 66 1d 90 ......Intel(R) Dual Band Wireless-AC 3160
      5...2c 6e 85 66 1d 94 ......Bluetooth Device (Personal Area Network)
      1...........................Software Loopback Interface 1
    14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    10...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
    12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
    21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0      192.168.2.1      192.168.3.8    55
              0.0.0.0        128.0.0.0        10.0.10.1        10.0.10.2    35
            10.0.9.0    255.255.255.0        10.0.10.1        10.0.10.2    35
            10.0.10.0    255.255.255.0        On-link        10.0.10.2    291
            10.0.10.0    255.255.255.0        10.0.10.1        10.0.10.2    35
            10.0.10.2  255.255.255.255        On-link        10.0.10.2    291
          10.0.10.255  255.255.255.255        On-link        10.0.10.2    291
        x.x.x.116  255.255.255.255      192.168.2.1      192.168.3.8    55
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    331
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    331
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    331
            128.0.0.0        128.0.0.0        10.0.10.1        10.0.10.2    35
          192.168.0.0    255.255.252.0        On-link      192.168.3.8    311
          192.168.3.8  255.255.255.255        On-link      192.168.3.8    311
        192.168.3.255  255.255.255.255        On-link      192.168.3.8    311
          192.168.4.0    255.255.255.0        10.0.10.1        10.0.10.2    35
          192.168.5.0    255.255.255.0        10.0.10.1        10.0.10.2    35
          192.168.6.0    255.255.255.0        10.0.10.1        10.0.10.2    35
          192.168.7.0    255.255.255.0        10.0.10.1        10.0.10.2    35
        192.168.20.0    255.255.255.0        10.0.10.1        10.0.10.2    35
        192.168.30.0    255.255.255.0        10.0.10.1        10.0.10.2    35
        192.168.56.0    255.255.255.0        On-link      192.168.56.1    281
        192.168.56.1  255.255.255.255        On-link      192.168.56.1    281
      192.168.56.255  255.255.255.255        On-link      192.168.56.1    281
        192.168.84.0    255.255.255.0        On-link      192.168.84.2    281
        192.168.84.2  255.255.255.255        On-link      192.168.84.2    281
      192.168.84.255  255.255.255.255        On-link      192.168.84.2    281
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    331
            224.0.0.0        240.0.0.0        On-link      192.168.56.1    281
            224.0.0.0        240.0.0.0        On-link      192.168.84.2    281
            224.0.0.0        240.0.0.0        On-link      192.168.3.8    311
            224.0.0.0        240.0.0.0        On-link        10.0.10.2    291
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    331
      255.255.255.255  255.255.255.255        On-link      192.168.56.1    281
      255.255.255.255  255.255.255.255        On-link      192.168.84.2    281
      255.255.255.255  255.255.255.255        On-link      192.168.3.8    311
      255.255.255.255  255.255.255.255        On-link        10.0.10.2    291

    Persistent Routes:
      None

    IPv6 Route Table

    Active Routes:
    If Metric Network Destination      Gateway
      1    331 ::1/128                  On-link
      6    281 fe80::/64                On-link
    26    281 fe80::/64                On-link
      9    311 fe80::/64                On-link
    23    291 fe80::/64                On-link
      9    311 fe80::1e2:f48:2ace:c530/128
                                        On-link
      6    281 fe80::60db:46be:e86b:8581/128
                                        On-link
    26    281 fe80::7d7a:d293:1452:9ea4/128
                                        On-link
    23    291 fe80::cdbd:8d00:5069:500a/128
                                        On-link
      1    331 ff00::/8                On-link
      6    281 ff00::/8                On-link
    26    281 ff00::/8                On-link
      9    311 ff00::/8                On-link
    23    291 ff00::/8                On-link

    Persistent Routes:
      None

    And here are when I am connected to site A (192.168.20.250)

    C:\WINDOWS\system32>route print

    Interface List
    20...84 7b eb 17 a8 06 ......Realtek PCIe FE Family Controller
      6...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter
    26...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter #2
    22...2c 6e 85 66 1d 91 ......Microsoft Wi-Fi Direct Virtual Adapter
    23...00 ff de 33 76 23 ......TAP-Windows Adapter V9
      9...2c 6e 85 66 1d 90 ......Intel(R) Dual Band Wireless-AC 3160
      5...2c 6e 85 66 1d 94 ......Bluetooth Device (Personal Area Network)
      1...........................Software Loopback Interface 1
    14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    10...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
    12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
    21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0      192.168.2.1      192.168.3.8    55
              0.0.0.0        128.0.0.0        10.0.9.1        10.0.9.2    35
            10.0.9.0    255.255.255.0        On-link          10.0.9.2    291
            10.0.9.0    255.255.255.0        10.0.9.1        10.0.9.2    35
            10.0.9.2  255.255.255.255        On-link          10.0.9.2    291
          10.0.9.255  255.255.255.255        On-link          10.0.9.2    291
            10.0.10.0    255.255.255.0        10.0.9.1        10.0.9.2    35
        x.x.x.115  255.255.255.255      192.168.2.1      192.168.3.8    55
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    331
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    331
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    331
            128.0.0.0        128.0.0.0        10.0.9.1        10.0.9.2    35
          192.168.0.0    255.255.252.0        On-link      192.168.3.8    311
          192.168.3.8  255.255.255.255        On-link      192.168.3.8    311
        192.168.3.255  255.255.255.255        On-link      192.168.3.8    311
          192.168.4.0    255.255.255.0        10.0.9.1        10.0.9.2    35
          192.168.5.0    255.255.255.0        10.0.9.1        10.0.9.2    35
          192.168.6.0    255.255.255.0        10.0.9.1        10.0.9.2    35
          192.168.7.0    255.255.255.0        10.0.9.1        10.0.9.2    35
        192.168.20.0    255.255.255.0        10.0.9.1        10.0.9.2    35
        192.168.30.0    255.255.255.0        10.0.9.1        10.0.9.2    35
        192.168.40.0    255.255.255.0        10.0.9.1        10.0.9.2    35
        192.168.56.0    255.255.255.0        On-link      192.168.56.1    281
        192.168.56.1  255.255.255.255        On-link      192.168.56.1    281
      192.168.56.255  255.255.255.255        On-link      192.168.56.1    281
        192.168.84.0    255.255.255.0        On-link      192.168.84.2    281
        192.168.84.2  255.255.255.255        On-link      192.168.84.2    281
      192.168.84.255  255.255.255.255        On-link      192.168.84.2    281
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    331
            224.0.0.0        240.0.0.0        On-link      192.168.56.1    281
            224.0.0.0        240.0.0.0        On-link      192.168.84.2    281
            224.0.0.0        240.0.0.0        On-link      192.168.3.8    311
            224.0.0.0        240.0.0.0        On-link          10.0.9.2    291
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    331
      255.255.255.255  255.255.255.255        On-link      192.168.56.1    281
      255.255.255.255  255.255.255.255        On-link      192.168.84.2    281
      255.255.255.255  255.255.255.255        On-link      192.168.3.8    311
      255.255.255.255  255.255.255.255        On-link          10.0.9.2    291

    Persistent Routes:
      None

    IPv6 Route Table

    Active Routes:
    If Metric Network Destination      Gateway
      1    331 ::1/128                  On-link
      6    281 fe80::/64                On-link
    26    281 fe80::/64                On-link
      9    311 fe80::/64                On-link
    23    291 fe80::/64                On-link
      9    311 fe80::1e2:f48:2ace:c530/128
                                        On-link
      6    281 fe80::60db:46be:e86b:8581/128
                                        On-link
    26    281 fe80::7d7a:d293:1452:9ea4/128
                                        On-link
    23    291 fe80::cdbd:8d00:5069:500a/128
                                        On-link
      1    331 ff00::/8                On-link
      6    281 ff00::/8                On-link
    26    281 ff00::/8                On-link
      9    311 ff00::/8                On-link
    23    291 ff00::/8                On-link

    Persistent Routes:
      None

    Hope that helps.

    Carlos



  • There is an incorrect route at site A pfSense:

    
    And here are for pfsense A (192.168.20.250)
    
    Destination   Gateway   Flags   Use   Mtu   Netif   Expire
    10.0.10.0/24   10.0.9.2   UGS   2994   1500   ovpns2   
    
    

    The tunnel subnet of site Bs clients 10.0.10.0/24 is routed to the site As mobile clients server. Check the config of this server. You should find an entry of 10.0.10.0/24 somewhere, maybe you have a client specific override for this server.



  • Hi,
    I still have the same results after cleaning up Site A (192.168.20.250). Now I have the following:

    Destination Gateway Flags Use Mtu Netif Expire
    10.0.8.0/24 10.0.8.1 UGS 0 1500 ovpns1
    10.0.8.1 link#7 UHS 0 16384 lo0
    10.0.8.2 link#7 UH 0 1500 ovpns1
    10.0.9.0/24 10.0.9.1 UGS 0 1500 ovpns2
    10.0.9.1 link#8 UHS 0 16384 lo0
    10.0.9.2 link#8 UH 2241 1500 ovpns2

    192.168.20.0/24 link#2 U 1501 1500 em1
    192.168.20.250 link#2 UHS 0 16384 lo0
    192.168.30.0/24 10.0.8.2 UGS 1054 1500 ovpns1

    Now there is no routing for 10.0.10.0/24 on Site A.

    On Site B (192.168.30.250), now I have this:

    Destination Gateway Flags Use Mtu Netif Expire
    10.0.8.0 link#8 UHS 0 16384 lo0
    10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
    10.0.8.1 link#8 UH 0 1500 ovpnc1
    10.0.9.0/24 10.0.8.1 UGS 590 1500 ovpnc1
    10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
    10.0.10.1 link#7 UHS 0 16384 lo0
    10.0.10.2 link#7 UH 909 1500 ovpns2
    ...
    192.168.20.0/24 10.0.8.1 UGS 476 1500 ovpnc1
    192.168.30.0/24 link#2 U 2569 1500 em1
    192.168.30.250 link#2 UHS 0 16384 lo0


    On Site A (192.168.20.250) I do have a Client Specific Override. Basically the common name, a description, and:

    Tunnel: 10.0.8.0/24
    Advanced: iroute 192.168.30.0 255.255.255.0

    Not sure what to do next?

    Carlos



  • Now you are missing the route to 10.0.10.0/24 at site A totally. Go to the site A site-to-site OpenVPN server settings and enter or add 10.0.10.0/24 in the "IPv4 Remote Networks" box.



  • I just added the 10.0.10.0/24 at site A (192.168.20.250) in the IPv4 Remote Networks like you said. Site A changed to:

    Destination Gateway Flags Use Mtu Netif Expire
    10.0.8.0/24 10.0.8.1 UGS 0 1500 ovpns1
    10.0.8.1 link#7 UHS 0 16384 lo0
    10.0.8.2 link#7 UH 0 1500 ovpns1
    10.0.9.0/24 10.0.9.1 UGS 0 1500 ovpns2
    10.0.9.1 link#8 UHS 0 16384 lo0
    10.0.9.2 link#8 UH 139201 1500 ovpns2
    10.0.10.0/24 10.0.8.2 UGS 0 1500 ovpns1

    192.168.20.0/24 link#2 U 276518 1500 em1
    192.168.20.250 link#2 UHS 0 16384 lo0
    192.168.30.0/24 10.0.8.2 UGS 706 1500 ovpns1

    Site B seems to remain the same:

    Destination Gateway Flags Use Mtu Netif Expire
    10.0.8.0 link#8 UHS 0 16384 lo0
    10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
    10.0.8.1 link#8 UH 0 1500 ovpnc1
    10.0.9.0/24 10.0.8.1 UGS 493 1500 ovpnc1
    10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
    10.0.10.1 link#7 UHS 0 16384 lo0
    10.0.10.2 link#7 UH 7764 1500 ovpns2
    ...
    192.168.20.0/24 10.0.8.1 UGS 156 1500 ovpnc1
    192.168.30.0/24 link#2 U 52051 1500 em1
    192.168.30.250 link#2 UHS 0 16384 lo0



  • The routing tables seem to be well now. Any success?



  • Unfortunately no success. I have the same result.

    My mobile client at 10.0.10.0/24 will not be able to go to 192.168.20.0/24. Can only go to 192.168.30.0/24 (and IPSec tunnels).

    I tried something out as well. I disabled the Ipsec tunnels on Site B (192.168.30.250) but the same result that I cannot go to 192.168.20.0/24

    What is funny is that if I RDP to a PC on 192.168.30.0/24, inside that PC, I can connect to all networks. Just the mobile client is the one with the problem.

    No clue as to what to try next.



  • Okay, since routes and firewall rules are well, maybe you have miss-configured the VPN interfaces. Have you assigned a particular interface to each OpenVPN instance (each server and client instance)? This is crucial for routing between multiple VPN instances.

    If you haven't already, on both sites go to interface > assign, select a VPN instance under "Network port", click Add, then open the new interface and activate it. You can give it a meaningful name. Do this for each OpenVPN instance on both nodes. Now in Firewall > rules the new interfaces are shown as particular tabs and you have to define the needed firewall rules there.



  • I can only do this at Site B (192.168.30.250) for the time being as my office is now working. Site A is the main VPN Server that connects to all the other offices so can't be testing configurations. I will try this out in about 14 hours. For the time being, I have a a few question on this.

    For Site B (192.168.30.250)

    • What should I configure on the OPT1 on IPv4 Configuration Type?

    • Should it be Static IPv4 with IP 10.0.10.250 / 24?? 250 to be consistent with the other Sites.

    • Should the Gateway be set to None?

    • What should I configure on the OPT2 on IPv4 Configuration Type?

    • Should it be Static IPv4 with IP 10.0.8.250 / 24?? 250 to be consistent with the other Sites.

    • Should the Gateway be set to None?

    • But if I set OPT2 to 10.0.8.250, what about the other sites? Will it matter to have the same IP at other sites?

    None the less, I have just set it up like this in Site B (192.168.30.250). But no success. Again the same result.  :(

    The routing table is now:

    Destination Gateway Flags Use Mtu Netif Expire
    10.0.8.0 link#8 UHS 0 16384 lo0
    10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
    10.0.8.1 link#8 UH 0 1500 ovpnc1
    10.0.9.0/24 10.0.8.1 UGS 0 1500 ovpnc1
    10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
    10.0.10.1 link#7 UHS 0 16384 lo0
    10.0.10.2 link#7 UH 1969 1500 ovpns2

    192.168.20.0/24 10.0.8.1 UGS 231 1500 ovpnc1
    192.168.30.0/24 link#2 U 260449 1500 em1
    192.168.30.250 link#2 UHS 0 16384 lo0

    So it is back to being the same. I ensured that OPT1, OPT2 and OpenVPN firewall rules are all setup like this:

    Protocol Source Port Destination Port Gateway Queue Schedule
    IPv4 * * * * * * none

    So this is awkward.  :o

    I am wondering if it will make a difference wen I change Site A as I have just made a bunch of changes in Site B achieving the same result. So I am wondering if I should play around with Firewall Nat Outbound Mappings?? Currently these are set to automatic and have two created:

    Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
    WAN 127.0.0.0/8 192.168.30.0/24 10.0.10.0/24 10.0.8.0/24 * * 500 WAN address * Auto created rule for ISAKMP
    WAN 127.0.0.0/8 192.168.30.0/24 10.0.10.0/24 10.0.8.0/24 * * * WAN address * Auto created rule



  • There are no settings to be made in the interface config. Just activate and save it, no IP config. But it's recommended to give it a more meaningful name as "OPT1".

    This gives pfSense the availability to handle the VPN interfaces separately instead as an interface group. This doesn't effect any changes in the routing table.

    It's also conceivable to do NAT on an OpenVPN interface at site B, maybe it's easier to solve this issue, but a would prefer the routing method cause its more clean.

    For troubleshooting you can use the packet capture tool of pfSense from the Diagnostic menu. Try to access a host in LAN A from a mobile vpn client connected to site B while you do a packet capture at site As LAN interface. If you can see nothing, try the site-to-site VPN interface. Since the routes are well, the packets should arrive there.



  • Ok. So I have applied the Interface and Firewall (allow all) settings for both sites A and B. See screenshots attached for the confirmation. Weird how the MAINVPN tunnel is offline at Site A. Not sure if that is normal? But all is working from Site A to it's connections.

    On Site B (192.168.30.250), all seems to be ok in regards to all interfaces being online. Again, see screenshot. But now I have a new problem:

    • From the Mobile connection, I can't go to Site A (192.168.20.250). I can go to all Ipsec sites without an issue and also to 192.168.30.0/24 LAN.

    • From within the LAN connection, I can go to Site A (192.168.20.250) without an issue and of course also to the LAN 192.168.30.0/24. But I can no longer go to any IPSec Site even though the 20 tunnels are online. So we have gotten this as a new problem

    I have rebooted both sites pfsenses to ensure there was nothing weird. I ensured that all routes worked from Site A to all other Sites. So I expect no issues in my working offices. No problem should be reported on Site A. Nevertheless, all here is pfsense with OpenVPN connecting to other OpenVPNs so no issues are happening.

    Seems that all the problem is at Site B.  :o

    I did try the packet capture. But not sure what you want me to report back.

    ![192.168.20.250 after.png](/public/imported_attachments/1/192.168.20.250 after.png)
    ![192.168.20.250 after.png_thumb](/public/imported_attachments/1/192.168.20.250 after.png_thumb)
    ![192.168.30.250 after.png](/public/imported_attachments/1/192.168.30.250 after.png)
    ![192.168.30.250 after.png_thumb](/public/imported_attachments/1/192.168.30.250 after.png_thumb)



  • Anyone has any clue on this?



  • Hi!

    I hope I got your problem (I'm in a bit of a hurry  ;) )
    I've got similar setup up with OpenVPN connected sites and users which needed to be routed into a IPSEC subnet.
    This is how it was solved.

    • Setup a gateway on LAN interface which points to the LAN interface IP

    • Create a route for the IPSEC subnet which point to the LAN gateway

    • Define all subnets as 2nd phases on the IPSEC connection

    • Make sure the opposing side of the IPSEC connection allow the incoming subnet you have.

    This made it work for me. All OpenVPN road warriors and OpenVPN connected site-to-site are able to get traffic routed through the IPSEC tunnel.

    Don't know if there is another way or solved differently on later versions. This config is on pfSense 2.2.4

    Brgs,



  • Hi iorx,
    The OpenVPN road warrior can go to all the LAN where it is connected to as well as all the Ipsec tunnels. Where I have a problem is that the OpenVPN road warrior cannot go to other OpenVPN site-to-sites…

    Regards,

    Carlos