OpenVPN client should use IPsec tunnel



  • pfSense 2.3.2p1, two IPsec site-to-site tunnels which allow the LAN subnet to access remote servers.

    Now I have added an OpenVPN server and a remote warrior, this one comes into the system within the OpenVPN subnet which is different from the LAN subnet.
    How can I enable the ovpn client to use the IPsec tunnels? I tried adding the remote subnet to the config of the ovpn-server and/or push routes, without success.

    Do I have to rewrite (NAT?) the client's IP to an IP within the LAN subnet?
    Thanks for any pointers!


  • Rebel Alliance Developer Netgate

    You have to push routes to the client and you also need a matching Phase 2 on the IPsec tunnel for traffic from the OpenVPN client side to the remote IPsec network.

    Trying to play tricks with NAT is more likely to bring pain than help, add a P2 and don't use NAT and you'll be much better off.
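The two parts of the reply above, pushed routes plus a second Phase 2, written out as an added example that is not from this thread or from pfSense itself: OpenVPN server directives followed by an equivalent hand-written strongSwan ipsec.conf (pfSense 2.3 generates the real files from the GUI). Every address is assumed: 192.168.1.0/24 LAN, 10.8.0.0/24 OpenVPN tunnel network, 172.16.10.0/24 remote network, 203.0.113.1 and 198.51.100.1 as the two gateways.

```ini
# --- OpenVPN server configuration (constructed example) ---
# Tunnel network handed to the road-warrior clients.
server 10.8.0.0 255.255.255.0
# Push both the local LAN and the network behind the IPsec tunnel, so the
# client sends 172.16.10.0/24 traffic into the VPN instead of its default route.
push "route 192.168.1.0 255.255.255.0"
push "route 172.16.10.0 255.255.255.0"

# --- strongSwan ipsec.conf (constructed example) ---
# Shared IKE (Phase 1) settings for the existing site-to-site tunnel.
conn site-ike
    keyexchange = ikev1
    left = 203.0.113.1          # assumed: this firewall's WAN address
    right = 198.51.100.1        # assumed: remote IPsec gateway
    authby = secret
    ike = aes256-sha256-modp2048!
    esp = aes256-sha256!
    auto = start

# Phase 2 #1: LAN <-> remote network (what already works).
conn site-p2-lan
    also = site-ike
    leftsubnet = 192.168.1.0/24
    rightsubnet = 172.16.10.0/24

# Phase 2 #2: the extra entry the reply asks for. The OpenVPN tunnel network
# becomes its own local selector. The remote gateway must define the mirror
# image (local 172.16.10.0/24, remote 10.8.0.0/24); without it this child SA
# never negotiates and client packets to 172.16.10.0/24 are silently dropped.
conn site-p2-openvpn
    also = site-ike
    leftsubnet = 10.8.0.0/24
    rightsubnet = 172.16.10.0/24
```

Firewall rules on the OpenVPN and IPsec interface tabs still have to permit the traffic in each direction; a missing pass rule there looks identical to a missing P2 from the client's point of view, so check the IPsec status page for an established child SA before chasing rules.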



  • Adding a P2 would mean that also the remote IPsec gateway would have to add that P2, correct?
    This isn't so easy as they aren't too cooperative and rather restrictive.


  • Rebel Alliance Developer Netgate

    Yes, a P2 would have to be added on both sides.



  • Thanks a lot.