Client Export to OpenVPN Site to IPSec

newcmelgar

Hi,
I am not sure what I am doing wrong. I have have 2 pfsense boxes connected site-to-site working well like so:

pfsense A 192.168.20.250 for SITES:
Server Mode: Peer to peer SSL/TLS
Protocol: UDP
Device mode: tun
Interface: WAN
Local Port: 1194
Tunnel: 10.0.8.0/24
Local Networks: 192.168.20.0/24
Custom Options: route 192.168.30.0 255.255.255.0; push "route 192.168.30.0 255.255.255.0";

pfsense A 192.168.20.250 for MOBILE CLIENTS:
Server Mode: Peer to peer SSL/TLS
Protocol: UDP
Device mode: tun
Interface: WAN
Local Port: 1190
Tunnel: 10.0.9.0/24
Local Networks: 192.168.20.0/24
Custom Options: route 192.168.30.0 255.255.255.0; push "route 192.168.30.0 255.255.255.0";

pfsense B 192.168.30.250 to connect to SITE:
Server Mode: Peer to peer SSL/TLS
Protocol: UDP
Device mode: tun
Interface: WAN
Server Host: pfsense A WAN IP
Server Port: 1194
Tunnel: 10.0.8.0/24
Remote Networks: 192.168.20.0/24
Custom Options: route 192.168.20.0 255.255.255.0; push "route 192.168.20.0 255.255.255.0";

pfsense B 192.168.30.250 for MOBILE CLIENTS:
Server Mode: Peer to peer SSL/TLS
Protocol: UDP
Device mode: tun
Interface: WAN
Local Port: 1190
Tunnel: 10.0.10.0/24
Local Networks: 192.168.20.0/24
Custom Options: route 192.168.20.0 255.255.255.0; push "route 192.168.20.0 255.255.255.0";

Additionally I have an IPSec tunnel like so:
Key Exchange: V1
Protocol: IPv4
Interface: WAN
Remote Gateway: Sonicwall X WAN IP
with 2 phases:

192.168.30.0/24 to 10.5.0.0/24
10.0.10.0/24 to 10.5.0.0/24

When I am on a PC on site A (192.168.20.0/24) I can go to Site B (192.168.30.0/24) and cannot go to the IPSec site (10.5.0.0/24). This works just as expected.

When I am on a mobile connection to site A (192.168.20.0/24) I can go to Site B (192.168.30.0/24) and cannot go to the IPSec site (10.5.0.0/24). This works just as expected.

When I am on a PC on site B (192.168.30.0/24) I can go to Site A (192.168.20.0/24) and can go to the IPSec site (10.5.0.0/24). This works just as expected.

When I am on a mobile connection to site B (192.168.30.0/24) I CANNOT go to Site A (192.168.20.0/24) and can go to the IPSec site (10.5.0.0/24). I am glad I can go to the IPSec site but I need to get to site A (192.168.20.0/24). THIS IS MY MAIN PROBLEM.

Any ideas will be greatly appreciated on how to fix this.

Thanks,

Carlos

newcmelgar

Hi,
Sorry. I am new to the forums and just realized I had posted with a lock. I have unlocked the post now.

Hope someone can help with this issue.

Thanks!

Carlos

viragomann

Edit the sites A site-to-site config and add 10.0.10.0/24 to the "Remote network/s".

newcmelgar

Thanks for the reply viragomann!

I added 10.0.10.0/24 to the Remote Networks box on Site A. Also tried adding under Site A custom options:

route 10.0.10.0 255.255.255.0; push "route 10.0.10.0 255.255.255.0";

I did combinations and reboot of the OpenVPN Service. But it didn't work. The mobile connection to Site B can go to IPSec but CANNOT go to Site A.

viragomann

So the routes should be set correctly now. But to ensure, check it at the mobile client and also at site A pfSense.

Also ensure that firewall rules allow the access at both sites from 10.0.10.0/24 to 192.168.20.0/24.

newcmelgar

Nope. Can't get it working yet. Here are the Routing tables from pfsense B (192.168.30.250)

Destination Gateway Flags Use Mtu Netif Expire
default x.x.x.97 UGS 3139593 1500 em0
10.0.8.0 link#8 UHS 0 16384 lo0
10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
10.0.8.1 link#8 UH 0 1500 ovpnc1
10.0.9.0/24 10.0.8.1 UGS 1649 1500 ovpnc1
10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
10.0.10.1 link#7 UHS 0 16384 lo0
10.0.10.2 link#7 UH 6444 1500 ovpns2
x.x.x.96/27 link#1 U 1045333 1500 em0
x.x.x.116 link#1 UHS 0 16384 lo0
x.x.x.117 link#1 UHS 0 16384 lo0
127.0.0.1 link#6 UH 0 16384 lo0
192.168.4.0/24 10.0.8.1 UGS 0 1500 ovpnc1
192.168.5.0/24 10.0.8.1 UGS 115 1500 ovpnc1
192.168.6.0/24 10.0.8.1 UGS 76 1500 ovpnc1
192.168.7.0/24 10.0.8.1 UGS 0 1500 ovpnc1
192.168.20.0/24 10.0.8.1 UGS 456 1500 ovpnc1
192.168.30.0/24 link#2 U 1273500 1500 em1
192.168.30.250 link#2 UHS 0 16384 lo0
192.168.40.0/24 10.0.8.1 UGS 0 1500 ovpnc1

And here are for pfsense A (192.168.20.250)

Destination Gateway Flags Use Mtu Netif Expire
0.0.0.0/32 10.0.8.2 UGS 0 1500 ovpns1
default x.x.x.97 UGS 1762959 1500 em0
10.0.8.0/24 10.0.8.1 UGS 0 1500 ovpns1
10.0.8.1 link#7 UHS 0 16384 lo0
10.0.8.2 link#7 UH 0 1500 ovpns1
10.0.9.0/24 10.0.9.1 UGS 0 1500 ovpns2
10.0.9.1 link#8 UHS 0 16384 lo0
10.0.9.2 link#8 UH 267514 1500 ovpns2
10.0.10.0/24 10.0.9.2 UGS 2994 1500 ovpns2
x.x.x.x/27 link#1 U 937740 1500 em0
x.x.x.115 link#1 UHS 0 16384 lo0
127.0.0.1 link#6 UH 0 16384 lo0
192.168.4.0/24 10.0.8.2 UGS 41 1500 ovpns1
192.168.5.0/24 10.0.8.2 UGS 473 1500 ovpns1
192.168.6.0/24 10.0.8.2 UGS 479 1500 ovpns1
192.168.7.0/24 10.0.8.2 UGS 195 1500 ovpns1
192.168.20.0/24 link#2 U 1453072 1500 em1
192.168.20.250 link#2 UHS 0 16384 lo0
192.168.30.0/24 10.0.8.2 UGS 1905 1500 ovpns1
192.168.40.0/24 10.0.8.2 UGS 0 1500 ovpns1

I also checked the firewall in both firewalls. And I have an identical rules at both like so:

IPv4 * * * * * * none

Still no clue why it doesn't work. But hopefully the routing tables will provide you with a hint. I have hidden my Gateway and IP for obvious reasons with an x.x.x. Sorry.

Regards,

Carlos

newcmelgar

And here are my routing tables when I am connected to site B (192.168.30.250)

C:\WINDOWS\system32>route print

Interface List
20…84 7b eb 17 a8 06 ......Realtek PCIe FE Family Controller
6...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter
26...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter #2
22...2c 6e 85 66 1d 91 ......Microsoft Wi-Fi Direct Virtual Adapter
23...00 ff de 33 76 23 ......TAP-Windows Adapter V9
9...2c 6e 85 66 1d 90 ......Intel(R) Dual Band Wireless-AC 3160
5...2c 6e 85 66 1d 94 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
10...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6

IPv4 Route Table

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.3.8 55
0.0.0.0 128.0.0.0 10.0.10.1 10.0.10.2 35
10.0.9.0 255.255.255.0 10.0.10.1 10.0.10.2 35
10.0.10.0 255.255.255.0 On-link 10.0.10.2 291
10.0.10.0 255.255.255.0 10.0.10.1 10.0.10.2 35
10.0.10.2 255.255.255.255 On-link 10.0.10.2 291
10.0.10.255 255.255.255.255 On-link 10.0.10.2 291
x.x.x.116 255.255.255.255 192.168.2.1 192.168.3.8 55
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
128.0.0.0 128.0.0.0 10.0.10.1 10.0.10.2 35
192.168.0.0 255.255.252.0 On-link 192.168.3.8 311
192.168.3.8 255.255.255.255 On-link 192.168.3.8 311
192.168.3.255 255.255.255.255 On-link 192.168.3.8 311
192.168.4.0 255.255.255.0 10.0.10.1 10.0.10.2 35
192.168.5.0 255.255.255.0 10.0.10.1 10.0.10.2 35
192.168.6.0 255.255.255.0 10.0.10.1 10.0.10.2 35
192.168.7.0 255.255.255.0 10.0.10.1 10.0.10.2 35
192.168.20.0 255.255.255.0 10.0.10.1 10.0.10.2 35
192.168.30.0 255.255.255.0 10.0.10.1 10.0.10.2 35
192.168.56.0 255.255.255.0 On-link 192.168.56.1 281
192.168.56.1 255.255.255.255 On-link 192.168.56.1 281
192.168.56.255 255.255.255.255 On-link 192.168.56.1 281
192.168.84.0 255.255.255.0 On-link 192.168.84.2 281
192.168.84.2 255.255.255.255 On-link 192.168.84.2 281
192.168.84.255 255.255.255.255 On-link 192.168.84.2 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.56.1 281
224.0.0.0 240.0.0.0 On-link 192.168.84.2 281
224.0.0.0 240.0.0.0 On-link 192.168.3.8 311
224.0.0.0 240.0.0.0 On-link 10.0.10.2 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.56.1 281
255.255.255.255 255.255.255.255 On-link 192.168.84.2 281
255.255.255.255 255.255.255.255 On-link 192.168.3.8 311
255.255.255.255 255.255.255.255 On-link 10.0.10.2 291

Persistent Routes:
None

IPv6 Route Table

Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
6 281 fe80::/64 On-link
26 281 fe80::/64 On-link
9 311 fe80::/64 On-link
23 291 fe80::/64 On-link
9 311 fe80::1e2:f48:2ace:c530/128
On-link
6 281 fe80::60db:46be:e86b:8581/128
On-link
26 281 fe80::7d7a:d293:1452:9ea4/128
On-link
23 291 fe80::cdbd:8d00:5069:500a/128
On-link
1 331 ff00::/8 On-link
6 281 ff00::/8 On-link
26 281 ff00::/8 On-link
9 311 ff00::/8 On-link
23 291 ff00::/8 On-link

Persistent Routes:
None

And here are when I am connected to site A (192.168.20.250)

C:\WINDOWS\system32>route print

Interface List
20...84 7b eb 17 a8 06 ......Realtek PCIe FE Family Controller
6...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter
26...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter #2
22...2c 6e 85 66 1d 91 ......Microsoft Wi-Fi Direct Virtual Adapter
23...00 ff de 33 76 23 ......TAP-Windows Adapter V9
9...2c 6e 85 66 1d 90 ......Intel(R) Dual Band Wireless-AC 3160
5...2c 6e 85 66 1d 94 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
10...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6

IPv4 Route Table

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.3.8 55
0.0.0.0 128.0.0.0 10.0.9.1 10.0.9.2 35
10.0.9.0 255.255.255.0 On-link 10.0.9.2 291
10.0.9.0 255.255.255.0 10.0.9.1 10.0.9.2 35
10.0.9.2 255.255.255.255 On-link 10.0.9.2 291
10.0.9.255 255.255.255.255 On-link 10.0.9.2 291
10.0.10.0 255.255.255.0 10.0.9.1 10.0.9.2 35
x.x.x.115 255.255.255.255 192.168.2.1 192.168.3.8 55
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
128.0.0.0 128.0.0.0 10.0.9.1 10.0.9.2 35
192.168.0.0 255.255.252.0 On-link 192.168.3.8 311
192.168.3.8 255.255.255.255 On-link 192.168.3.8 311
192.168.3.255 255.255.255.255 On-link 192.168.3.8 311
192.168.4.0 255.255.255.0 10.0.9.1 10.0.9.2 35
192.168.5.0 255.255.255.0 10.0.9.1 10.0.9.2 35
192.168.6.0 255.255.255.0 10.0.9.1 10.0.9.2 35
192.168.7.0 255.255.255.0 10.0.9.1 10.0.9.2 35
192.168.20.0 255.255.255.0 10.0.9.1 10.0.9.2 35
192.168.30.0 255.255.255.0 10.0.9.1 10.0.9.2 35
192.168.40.0 255.255.255.0 10.0.9.1 10.0.9.2 35
192.168.56.0 255.255.255.0 On-link 192.168.56.1 281
192.168.56.1 255.255.255.255 On-link 192.168.56.1 281
192.168.56.255 255.255.255.255 On-link 192.168.56.1 281
192.168.84.0 255.255.255.0 On-link 192.168.84.2 281
192.168.84.2 255.255.255.255 On-link 192.168.84.2 281
192.168.84.255 255.255.255.255 On-link 192.168.84.2 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.56.1 281
224.0.0.0 240.0.0.0 On-link 192.168.84.2 281
224.0.0.0 240.0.0.0 On-link 192.168.3.8 311
224.0.0.0 240.0.0.0 On-link 10.0.9.2 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.56.1 281
255.255.255.255 255.255.255.255 On-link 192.168.84.2 281
255.255.255.255 255.255.255.255 On-link 192.168.3.8 311
255.255.255.255 255.255.255.255 On-link 10.0.9.2 291

Persistent Routes:
None

IPv6 Route Table

Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
6 281 fe80::/64 On-link
26 281 fe80::/64 On-link
9 311 fe80::/64 On-link
23 291 fe80::/64 On-link
9 311 fe80::1e2:f48:2ace:c530/128
On-link
6 281 fe80::60db:46be:e86b:8581/128
On-link
26 281 fe80::7d7a:d293:1452:9ea4/128
On-link
23 291 fe80::cdbd:8d00:5069:500a/128
On-link
1 331 ff00::/8 On-link
6 281 ff00::/8 On-link
26 281 ff00::/8 On-link
9 311 ff00::/8 On-link
23 291 ff00::/8 On-link

Persistent Routes:
None

Hope that helps.

Carlos

viragomann

There is an incorrect route at site A pfSense:


And here are for pfsense A (192.168.20.250)

Destination   Gateway   Flags   Use   Mtu   Netif   Expire
10.0.10.0/24   10.0.9.2   UGS   2994   1500   ovpns2

The tunnel subnet of site Bs clients 10.0.10.0/24 is routed to the site As mobile clients server. Check the config of this server. You should find an entry of 10.0.10.0/24 somewhere, maybe you have a client specific override for this server.

newcmelgar

Hi,
I still have the same results after cleaning up Site A (192.168.20.250). Now I have the following:

Destination Gateway Flags Use Mtu Netif Expire
10.0.8.0/24 10.0.8.1 UGS 0 1500 ovpns1
10.0.8.1 link#7 UHS 0 16384 lo0
10.0.8.2 link#7 UH 0 1500 ovpns1
10.0.9.0/24 10.0.9.1 UGS 0 1500 ovpns2
10.0.9.1 link#8 UHS 0 16384 lo0
10.0.9.2 link#8 UH 2241 1500 ovpns2
…
192.168.20.0/24 link#2 U 1501 1500 em1
192.168.20.250 link#2 UHS 0 16384 lo0
192.168.30.0/24 10.0.8.2 UGS 1054 1500 ovpns1

Now there is no routing for 10.0.10.0/24 on Site A.

On Site B (192.168.30.250), now I have this:

Destination Gateway Flags Use Mtu Netif Expire
10.0.8.0 link#8 UHS 0 16384 lo0
10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
10.0.8.1 link#8 UH 0 1500 ovpnc1
10.0.9.0/24 10.0.8.1 UGS 590 1500 ovpnc1
10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
10.0.10.1 link#7 UHS 0 16384 lo0
10.0.10.2 link#7 UH 909 1500 ovpns2
...
192.168.20.0/24 10.0.8.1 UGS 476 1500 ovpnc1
192.168.30.0/24 link#2 U 2569 1500 em1
192.168.30.250 link#2 UHS 0 16384 lo0

On Site A (192.168.20.250) I do have a Client Specific Override. Basically the common name, a description, and:

Tunnel: 10.0.8.0/24
Advanced: iroute 192.168.30.0 255.255.255.0

Not sure what to do next?

Carlos

viragomann

Now you are missing the route to 10.0.10.0/24 at site A totally. Go to the site A site-to-site OpenVPN server settings and enter or add 10.0.10.0/24 in the "IPv4 Remote Networks" box.

newcmelgar

I just added the 10.0.10.0/24 at site A (192.168.20.250) in the IPv4 Remote Networks like you said. Site A changed to:

Destination Gateway Flags Use Mtu Netif Expire
10.0.8.0/24 10.0.8.1 UGS 0 1500 ovpns1
10.0.8.1 link#7 UHS 0 16384 lo0
10.0.8.2 link#7 UH 0 1500 ovpns1
10.0.9.0/24 10.0.9.1 UGS 0 1500 ovpns2
10.0.9.1 link#8 UHS 0 16384 lo0
10.0.9.2 link#8 UH 139201 1500 ovpns2
10.0.10.0/24 10.0.8.2 UGS 0 1500 ovpns1
…
192.168.20.0/24 link#2 U 276518 1500 em1
192.168.20.250 link#2 UHS 0 16384 lo0
192.168.30.0/24 10.0.8.2 UGS 706 1500 ovpns1

Site B seems to remain the same:

Destination Gateway Flags Use Mtu Netif Expire
10.0.8.0 link#8 UHS 0 16384 lo0
10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
10.0.8.1 link#8 UH 0 1500 ovpnc1
10.0.9.0/24 10.0.8.1 UGS 493 1500 ovpnc1
10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
10.0.10.1 link#7 UHS 0 16384 lo0
10.0.10.2 link#7 UH 7764 1500 ovpns2
...
192.168.20.0/24 10.0.8.1 UGS 156 1500 ovpnc1
192.168.30.0/24 link#2 U 52051 1500 em1
192.168.30.250 link#2 UHS 0 16384 lo0

viragomann

The routing tables seem to be well now. Any success?

newcmelgar

Unfortunately no success. I have the same result.

My mobile client at 10.0.10.0/24 will not be able to go to 192.168.20.0/24. Can only go to 192.168.30.0/24 (and IPSec tunnels).

I tried something out as well. I disabled the Ipsec tunnels on Site B (192.168.30.250) but the same result that I cannot go to 192.168.20.0/24

What is funny is that if I RDP to a PC on 192.168.30.0/24, inside that PC, I can connect to all networks. Just the mobile client is the one with the problem.

No clue as to what to try next.

viragomann

Okay, since routes and firewall rules are well, maybe you have miss-configured the VPN interfaces. Have you assigned a particular interface to each OpenVPN instance (each server and client instance)? This is crucial for routing between multiple VPN instances.

If you haven't already, on both sites go to interface > assign, select a VPN instance under "Network port", click Add, then open the new interface and activate it. You can give it a meaningful name. Do this for each OpenVPN instance on both nodes. Now in Firewall > rules the new interfaces are shown as particular tabs and you have to define the needed firewall rules there.

newcmelgar

I can only do this at Site B (192.168.30.250) for the time being as my office is now working. Site A is the main VPN Server that connects to all the other offices so can't be testing configurations. I will try this out in about 14 hours. For the time being, I have a a few question on this.

For Site B (192.168.30.250)

What should I configure on the OPT1 on IPv4 Configuration Type?
Should it be Static IPv4 with IP 10.0.10.250 / 24?? 250 to be consistent with the other Sites.
Should the Gateway be set to None?
What should I configure on the OPT2 on IPv4 Configuration Type?
Should it be Static IPv4 with IP 10.0.8.250 / 24?? 250 to be consistent with the other Sites.
Should the Gateway be set to None?
But if I set OPT2 to 10.0.8.250, what about the other sites? Will it matter to have the same IP at other sites?

None the less, I have just set it up like this in Site B (192.168.30.250). But no success. Again the same result. :(

The routing table is now:

Destination Gateway Flags Use Mtu Netif Expire
10.0.8.0 link#8 UHS 0 16384 lo0
10.0.8.0/24 10.0.8.0 UGS 0 1500 ovpnc1
10.0.8.1 link#8 UH 0 1500 ovpnc1
10.0.9.0/24 10.0.8.1 UGS 0 1500 ovpnc1
10.0.10.0/24 10.0.10.1 UGS 0 1500 ovpns2
10.0.10.1 link#7 UHS 0 16384 lo0
10.0.10.2 link#7 UH 1969 1500 ovpns2
…
192.168.20.0/24 10.0.8.1 UGS 231 1500 ovpnc1
192.168.30.0/24 link#2 U 260449 1500 em1
192.168.30.250 link#2 UHS 0 16384 lo0

So it is back to being the same. I ensured that OPT1, OPT2 and OpenVPN firewall rules are all setup like this:

Protocol Source Port Destination Port Gateway Queue Schedule
IPv4 * * * * * * none

So this is awkward. :o

I am wondering if it will make a difference wen I change Site A as I have just made a bunch of changes in Site B achieving the same result. So I am wondering if I should play around with Firewall Nat Outbound Mappings?? Currently these are set to automatic and have two created:

Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
WAN 127.0.0.0/8 192.168.30.0/24 10.0.10.0/24 10.0.8.0/24 * * 500 WAN address * Auto created rule for ISAKMP
WAN 127.0.0.0/8 192.168.30.0/24 10.0.10.0/24 10.0.8.0/24 * * * WAN address * Auto created rule

viragomann

There are no settings to be made in the interface config. Just activate and save it, no IP config. But it's recommended to give it a more meaningful name as "OPT1".

This gives pfSense the availability to handle the VPN interfaces separately instead as an interface group. This doesn't effect any changes in the routing table.

It's also conceivable to do NAT on an OpenVPN interface at site B, maybe it's easier to solve this issue, but a would prefer the routing method cause its more clean.

For troubleshooting you can use the packet capture tool of pfSense from the Diagnostic menu. Try to access a host in LAN A from a mobile vpn client connected to site B while you do a packet capture at site As LAN interface. If you can see nothing, try the site-to-site VPN interface. Since the routes are well, the packets should arrive there.

newcmelgar

Ok. So I have applied the Interface and Firewall (allow all) settings for both sites A and B. See screenshots attached for the confirmation. Weird how the MAINVPN tunnel is offline at Site A. Not sure if that is normal? But all is working from Site A to it's connections.

On Site B (192.168.30.250), all seems to be ok in regards to all interfaces being online. Again, see screenshot. But now I have a new problem:

From the Mobile connection, I can't go to Site A (192.168.20.250). I can go to all Ipsec sites without an issue and also to 192.168.30.0/24 LAN.
From within the LAN connection, I can go to Site A (192.168.20.250) without an issue and of course also to the LAN 192.168.30.0/24. But I can no longer go to any IPSec Site even though the 20 tunnels are online. So we have gotten this as a new problem

I have rebooted both sites pfsenses to ensure there was nothing weird. I ensured that all routes worked from Site A to all other Sites. So I expect no issues in my working offices. No problem should be reported on Site A. Nevertheless, all here is pfsense with OpenVPN connecting to other OpenVPNs so no issues are happening.

Seems that all the problem is at Site B. :o

I did try the packet capture. But not sure what you want me to report back.

![192.168.20.250 after.png](/public/imported_attachments/1/192.168.20.250 after.png)
![192.168.20.250 after.png_thumb](/public/imported_attachments/1/192.168.20.250 after.png_thumb)
![192.168.30.250 after.png](/public/imported_attachments/1/192.168.30.250 after.png)
![192.168.30.250 after.png_thumb](/public/imported_attachments/1/192.168.30.250 after.png_thumb)

newcmelgar

Anyone has any clue on this?

iorx

Hi!

I hope I got your problem (I'm in a bit of a hurry ;) )
I've got similar setup up with OpenVPN connected sites and users which needed to be routed into a IPSEC subnet.
This is how it was solved.

Setup a gateway on LAN interface which points to the LAN interface IP
Create a route for the IPSEC subnet which point to the LAN gateway
Define all subnets as 2nd phases on the IPSEC connection
Make sure the opposing side of the IPSEC connection allow the incoming subnet you have.

This made it work for me. All OpenVPN road warriors and OpenVPN connected site-to-site are able to get traffic routed through the IPSEC tunnel.

Don't know if there is another way or solved differently on later versions. This config is on pfSense 2.2.4

Brgs,

newcmelgar

Hi iorx,
The OpenVPN road warrior can go to all the LAN where it is connected to as well as all the Ipsec tunnels. Where I have a problem is that the OpenVPN road warrior cannot go to other OpenVPN site-to-sites…

Regards,

Carlos

Client Export to OpenVPN Site to IPSec

C:\WINDOWS\system32>route print

IPv4 Route Table

IPv6 Route Table

C:\WINDOWS\system32>route print

IPv4 Route Table

IPv6 Route Table

Products

Services

Support

News

Resources

Company

Our Mission

Subscribe to our Newsletter