IPSEC tunnel over OpenVPN

  • Seems like this should be possible, but I can't get it to work. Hoping that someone here might know what I'm missing.

    We have a pfSense box (2.3.2-RELEASE) inside of our network acting as an OpenVPN endpoint for remote users to tunnel into our network. It's configured to use UDP and a TUN device type. The users have split-tunneling enabled so that the only traffic passing over the tunnel is traffic destined for our network. Everything else goes out their Internet connection. I think most of the rest of the setup is fairly standard, and it has worked very well for many years.

    Recently, we partnered with a company that requires a client-server IPSEC tunnel to access their network. The IPSEC server/endpoint on their end requires the traffic to originate from our public IP address in order to bring up the tunnel. I have remote users that need to be able to access their network over that tunnel.

    From the office, we can use various IPSEC clients with success. I currently have a known good configuration using the ShrewSoft VPN client. However, when remote users try to connect using the same config, they get an error message that the "network is unavailable." I've tried several things, including:

    • Adding a static route on the remote machine to route the IPSEC destination endpoint address through the OpenVPN tunnel.

      • When I trace to the public IP address of the remote IPSEC device, I can see the ICMP traffic in a tcpdump listening on the openvpn interface (ovpns1) on the pfSense box.

      • When I try to connect the IPSEC client, I see absolutely no traffic in the trace.

    • Force all network traffic on the client to go over the VPN tunnel.

      • Again, ICMP seems to behave exactly as expected, but when I try to initiate the IPSEC tunnel, I see nothing resembling IPSEC traffic on ovpns1.

    • Add the public IP address of the IPSEC destination endpoint to the OpenVPN config, thus pushing out a route when the client connects.

    No matter what I've tried, it seems that the OpenVPN client on the remote user's machine is not passing IPSEC traffic over the OpenVPN tunnel. Again, I've set up a tcpdump listening for all ports and all protocols on ovpns1 of the pfSense box, but I've never seen anything that makes me think the IPSEC traffic is being routed over the OpenVPN tunnel in any fashion.

    Has anyone made this type of setup work? Is there something obvious I'm missing? I could probably mess around and create a new OpenVPN instance with different settings, for example, setting up a TAP connection, or using TCP instead of UDP. However, there are a lot of configurations, and if someone here knows what I'm missing, you could save me a ton of headache.

    Any input is much appreciated.
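The post relies on watching ovpns1 with tcpdump for "anything resembling IPSEC traffic". The script below is an added example, not the poster's code or anything from pfSense, OpenVPN or ShrewSoft: it takes the text lines that `tcpdump -n` prints and classifies each one as IKE (UDP/500), NAT-T IKE or UDP-encapsulated ESP (UDP/4500), plain ESP (IP protocol 50) or AH (IP protocol 51), and counts how many of those are addressed to the IPsec peer. The interface name ovpns1 is taken from the post; the capture lines, the tunnel addresses (10.8.0.0/24) and the peer address 203.0.113.10 are constructed sample data.

```python
"""Classify tcpdump output lines as IPsec (IKE / NAT-T / ESP / AH) or not.

Added example, not code from the original post. It parses the text format
produced by `tcpdump -n -i ovpns1` so a capture can be checked for IPsec
packets without reading it by eye. Sample lines below are constructed.
"""
import re
import sys
from collections import Counter

# BPF capture filter that keeps only what IPsec puts on the wire, usable as:
#   tcpdump -n -i ovpns1 'udp port 500 or udp port 4500 or esp or ah'
IPSEC_CAPTURE_FILTER = "udp port 500 or udp port 4500 or esp or ah"

# Constructed sample of `tcpdump -n` output (documentation addresses).
# 10.8.0.6 stands for an OpenVPN client, 203.0.113.10 for the IPsec peer.
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 10.8.0.6 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64",
    "12:00:01.100000 IP 10.8.0.6.500 > 203.0.113.10.500: isakmp: phase 1 I ident",
    "12:00:01.200000 IP 203.0.113.10.500 > 10.8.0.6.500: isakmp: phase 1 R ident",
    "12:00:01.300000 IP 10.8.0.6.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick",
    "12:00:01.400000 IP 10.8.0.6.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x0000abcd,seq=0x1), length 132",
    "12:00:01.500000 IP 10.8.0.6 > 203.0.113.10: ESP(spi=0x0000abce,seq=0x2), length 132",
    "12:00:02.000000 IP 10.8.0.6.49152 > 10.8.0.1.443: Flags [S], seq 1, win 64240, length 0",
]

# Traffic classes in the order they are tested; the NAT-T forms are matched
# first because their lines also contain the plain "isakmp"/"ESP(" markers.
_PATTERNS = [
    ("nat-t-esp", re.compile(r"\.4500 > \S+\.4500: UDP-encap: ESP\(")),
    ("nat-t-ike", re.compile(r"\.4500 > \S+\.4500: NONESP-encap: isakmp")),
    ("ike", re.compile(r"\.500 > \S+\.500: isakmp")),
    ("esp", re.compile(r" > \S+: ESP\(spi=")),
    ("ah", re.compile(r" > \S+: AH\(spi=")),
]

# Destination IPv4 address of a line, with any trailing ".port" stripped.
_DST_RE = re.compile(r" > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")


def classify(line):
    """Return the IPsec class of one tcpdump line, or None if it is not IPsec."""
    for name, pattern in _PATTERNS:
        if pattern.search(line):
            return name
    return None


def summarize(lines):
    """Count IPsec packets per class; non-IPsec lines are ignored."""
    counts = Counter()
    for line in lines:
        cls = classify(line)
        if cls:
            counts[cls] += 1
    return dict(counts)


def ipsec_seen(lines):
    """True if the capture contains at least one IPsec packet of any class."""
    return bool(summarize(lines))


def ipsec_to_peer(lines, peer):
    """Number of IPsec packets whose destination address is the given peer."""
    total = 0
    for line in lines:
        if classify(line) is None:
            continue
        match = _DST_RE.search(line)
        if match and match.group(1) == peer:
            total += 1
    return total


if __name__ == "__main__":
    # Read a capture from stdin (e.g. piped from tcpdump -n -l), else use the sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    print("IPsec packets by class:", summarize(lines))
    print("to peer 203.0.113.10:", ipsec_to_peer(lines, "203.0.113.10"))
```

Run on the server side as `tcpdump -n -l -i ovpns1 | python3 ipsec_seen.py`; an empty summary while the client is attempting to connect confirms that the IKE exchange never reaches the tunnel interface, whereas a summary with `ike` entries but nothing from the peer points at the far side instead.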

