Site to site config help
-
I have looked over / read the following articles prior to setup.
http://blog.stefcho.eu/building-site-to-site-connection-with-openvpn-on-pfsense-2-0-rc1-with-shared-key/
https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site
https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1
Diagram of the network configuration I am trying to achieve:
https://drive.google.com/file/d/0B_2VsUu-M7LFYXFDN1dTNXpQdFE/view
pfSense 2.3.2 used throughout.
Mobile Office:
OpenVPN Client (Site to site, peer to peer shared key)
Lan: 192.168.1.0/24
Tunnel Network: 10.0.1.0/30
Remote Network: 10.0.0.0/24
Custom Options: redirect-gateway def1;
Regional Office:
OpenVPN Server - Static IPv4 WAN address
Lan: 10.0.0.0/24
Tunnel Network: 10.0.1.0/30
Remote Network: 192.168.1.0/24
Peer to Peer Shared Key
pfSense acts as the gateway for both LANs shown here.
Problem 1:
The Mobile Office box can successfully connect to the Regional Office over OpenVPN. Workstations behind the Mobile Office's pfSense box can ping the Regional Office's pfSense box at 10.0.0.1, but cannot ping the server (10.0.0.2) shown in the diagram. The Regional pfSense can ping the Mobile pfSense, but the Server (10.0.0.2) cannot ping anything in the Mobile Office. I need the workstations in the mobile office to communicate with the server in the main office. The internet traffic coming out of the mobile office needs to route out through the regional office's gateway, which is working with the redirect-gateway, as referenced above. I have noticed several references to push routes being added to the custom options field, but I wasn't entirely sure I understood them, and not sure they were necessary at this stage.
Problem 2:
A contractor's office also needs access to the server in the diagram. We have established the IPsec gateway referenced in the diagram (Regional as the client, contractor as the server). This successfully connects to the pfSense box in the Regional Office (currently disabled while testing OpenVPN). This page (https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site) specifies that IPsec and OpenVPN cannot both be enabled for the same subnet. I am looking for the most sane method to allow both VPNs to operate at the same time, while enabling server access to both remote locations.
Note:
The regional office can most definitely be reconfigured if there is a better method for IP addresses / subnets. Neither the Regional nor the Mobile office has many computers connected, and I would prefer both networks end up as /28 rather than /24, but /24 is fine for now for testing. I wasn't entirely sure here either, but it seemed like I might need 1:1 NAT rules in both the Regional and Mobile.
-
Problem 1:
"The Mobile Office box can successfully connect to the Regional Office over OpenVPN. Workstations behind the Mobile Office's pfSense box can ping the Regional Office's pfSense box at 10.0.0.1, but cannot ping the server (10.0.0.2) shown in the diagram. The Regional pfSense can ping the Mobile pfSense, but the Server (10.0.0.2) cannot ping anything in the Mobile Office."
Seems that the server isn't configured to use the pfSense box as default gateway.
Problem 2:
"This page (https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site) specifies that IPsec and OpenVPN cannot both be enabled for the same subnet. I am looking for the most sane method to allow both VPNs to operate at the same time, while enabling server access to both remote locations."
So use another subnet for the IPsec tunnel.
-
That document references that OpenVPN and IPsec cannot be in place for the same pair of subnets. You do not have that issue. The pair of subnets in question is apparently, from the perspective of the regional office, IPsec Local: 10.0.0.0/24 Remote 198.X.X.X/X. and for OpenVPN Local: 10.0.0.0/24 and Remote: 192.168.1.0/24.
Nothing you are trying to do is all that difficult. Since you're not trying to get the contractor to be able to access assets at mobile office and vice versa just work on one VPN at a time.
The Mobile Office box can successfully connect to the Regional Office over OpenVPN. Workstations behind the Mobile Office's pfSense box can ping the Regional Office's pfSense box at 10.0.0.1, but cannot ping the server (10.0.0.2) shown in the diagram.
That sounds like either the local firewall on host 10.0.0.2 is disallowing the traffic or, as was stated above, pfSense is not the default gateway for host 10.0.0.2.
You cannot push routes using OpenVPN PSK. Switch to certificate authentication if that is required. Shouldn't be for just one client.
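The "same pair of subnets" rule discussed in the question and in the two replies above can be checked mechanically before the second tunnel is enabled. The following is an added example, not code from the thread or from pfSense: it models each tunnel as a (local, remote, transit) triple as seen from the Regional Office pfSense and reports the conflicts that would break routing. The contractor subnet is not given in the thread (it appears as 198.X.X.X/X), so 198.51.100.0/24 is a constructed placeholder.

```python
import ipaddress
from itertools import combinations

# Tunnels as seen from the Regional Office pfSense (values taken from the thread).
# The contractor subnet is a constructed placeholder from the documentation range.
TUNNELS = {
    "openvpn-mobile": {"local": "10.0.0.0/24", "remote": "192.168.1.0/24",
                       "transit": "10.0.1.0/30"},
    "ipsec-contractor": {"local": "10.0.0.0/24", "remote": "198.51.100.0/24",
                         "transit": None},
}


def _net(text):
    # strict=True rejects host bits set in a prefix, e.g. "10.0.0.1/24"
    return ipaddress.ip_network(text, strict=True)


def find_conflicts(tunnels):
    """Return human-readable conflicts between tunnel definitions.

    Two tunnels conflict when they claim the same local/remote subnet pair
    (the rule from the pfSense OpenVPN_Site_To_Site page), when their remote
    subnets overlap (both tunnels would compete for the same destination
    route), or when a tunnel's transit network overlaps any LAN or remote
    subnet (the transit network must be unused on both sides).
    """
    problems = []
    pairs = {name: (_net(t["local"]), _net(t["remote"])) for name, t in tunnels.items()}
    for (a, (al, ar)), (b, (bl, br)) in combinations(pairs.items(), 2):
        if al == bl and ar == br:
            problems.append(f"{a} and {b} define the same local/remote pair {al} <-> {ar}")
        elif ar.overlaps(br):
            problems.append(f"{a} and {b} route to overlapping remote subnets {ar} / {br}")
    for name, t in tunnels.items():
        if not t.get("transit"):
            continue
        transit = _net(t["transit"])
        for other, (olocal, oremote) in pairs.items():
            for label, net in (("local", olocal), ("remote", oremote)):
                if transit.overlaps(net):
                    problems.append(f"{name} transit {transit} overlaps {other} {label} subnet {net}")
    return problems


if __name__ == "__main__":
    for line in find_conflicts(TUNNELS) or ["no conflicts"]:
        print(line)
```

With the thread's addressing the check reports no conflicts; it only fires if the contractor tunnel were pointed at 192.168.1.0/24 as well, or if a tunnel network were carved out of one of the LANs.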
-
Thanks guys, it was 100% the firewall on the Windows Server. I adjusted the Echo Request settings on the Windows box, and we are in business (Problem 1 Solved).
Since this post also included questions / concerns about operating two VPN's at the same time (though the question was mostly answered) I might be asking follow up questions in the next day or two, as we will be testing then.
-
Specifically, I had to change Local Subnet to Any in this case.