[SOLVED] Routing (NAT) OpenVPN traffic to (multiple) IPSec

  • Hi.

    At my office I have several IPSec VPNs running, and for some of them I'd like to be able to reach the remote endpoint also when connected via OpenVPN.

    I managed to set up such routing for an IPSec endpoint, but I'm unable to replicate the configuration for a second tunnel.

    On the first working tunnel I:

    • added a second Phase2 entry with the OpenVPN subnet, but at NAT/BINAT translation I chose Network and entered the LAN network (

    • added the route option to the OpenVPN additional config option

    So I did the same for the second tunnel but it won't work. If I traceroute from OpenVPN to the second tunnel's LAN I see packets going to pfSense and next hop is WAN gateway!

    What's wrong?

  • An update: I noticed the working tunnel is IKEv1, while the non-working one is IKEv2. In /var/etc/ipsec/ipsec.conf there are two _conn_ entries for the first tunnel, while for the second there is only one.

    For the v1 I have the first _conn_ with
    ```
    leftsubnet =
    ```
    and a second one with
    ```
    leftsubnet =
    ```

    For the v2 I just have one _conn_ with
    ```
    leftsubnet = ,
    ```

    (being the LAN and the OpenVPN).

    And with `ipsec statusall`:
    ```
    con8000:  IKEv1, dpddelay=10s
    con8000:  local:  [] uses pre-shared key authentication
    con8000:  remote: [] uses pre-shared key authentication
    con8000:  child:|/0 ===|/0 TUNNEL, dpdaction=restart
    con8001:  child:| ===|/0 TUNNEL, dpdaction=restart
    con7:  IKEv2, dpddelay=10s
    con7:  local:  [] uses pre-shared key authentication
    con7:  remote: [] uses pre-shared key authentication
    con7:  child:|/0 ===|/0 TUNNEL, dpdaction=restart
    ```

    The second _child_ is missing.

  • Solved.

    After some more debugging and digging into pfSense sources I found out that for IKEv2 in some cases the Split connections option in P1 is required.

    After enabling this option I was able to access the tunnel from the OpenVPN subnet!
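    An added check, not part of the thread and not pfSense or strongSwan code, for verifying the outcome described above: it parses the child SA selector lines of the "Security Associations" section of `ipsec statusall` and reports which installed child SA (if any) would carry traffic from a given OpenVPN client address to a host on the remote LAN. When pfSense folds several Phase 2 entries into one IKEv2 _conn_, a peer that narrows the proposal to a single traffic selector leaves only the first subnet in the installed SA; with "Split connections" each Phase 2 gets its own _conn_ and child SA. The status output below is constructed, and every address and connection name (the `con7000`/`con7001` naming included) is a placeholder rather than a value from the thread.

    ```python
    import ipaddress
    import re

    # Constructed sample of the "Security Associations" section of `ipsec statusall`
    # for the situation described in the thread: the IKEv1 tunnel (con8000/con8001)
    # has one child SA per local subnet, while the IKEv2 tunnel (con7) ended up with
    # a single child SA carrying only the LAN subnet. All addresses and connection
    # names are placeholders, not the poster's values.
    BEFORE_SPLIT = """\
    Security Associations (2 up, 0 connecting):
         con8000[1]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
         con8000{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f6a7b8_o
         con8000{1}:   192.168.1.0/24 === 10.10.0.0/24
         con8001{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: 11223344_i 55667788_o
         con8001{2}:   10.8.0.0/24 === 10.10.0.0/24
            con7[2]: ESTABLISHED 1 hour ago, 203.0.113.10[203.0.113.10]...198.51.100.30[198.51.100.30]
            con7{3}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: 99aabbcc_i ddeeff00_o
            con7{3}:   192.168.1.0/24 === 10.20.0.0/24
    """

    # Same tunnel after enabling "Split connections" on the IKEv2 Phase 1: each
    # Phase 2 becomes its own connection and child SA (names again constructed).
    AFTER_SPLIT = """\
    Security Associations (2 up, 0 connecting):
         con8000[1]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
         con8000{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f6a7b8_o
         con8000{1}:   192.168.1.0/24 === 10.10.0.0/24
         con8001{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: 11223344_i 55667788_o
         con8001{2}:   10.8.0.0/24 === 10.10.0.0/24
         con7000[2]: ESTABLISHED 1 hour ago, 203.0.113.10[203.0.113.10]...198.51.100.30[198.51.100.30]
         con7000{3}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: 99aabbcc_i ddeeff00_o
         con7000{3}:   192.168.1.0/24 === 10.20.0.0/24
         con7001{4}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: 0a0b0c0d_i 0e0f1011_o
         con7001{4}:   10.8.0.0/24 === 10.20.0.0/24
    """

    # A child SA selector line: "<conn>{<id>}:   <local selectors> === <remote selectors>".
    # Several selectors on one side are space separated.
    SELECTOR_RE = re.compile(
        r"^\s*(?P<conn>\S+?)\{\d+\}:\s+(?P<local>[\d./ ]+?)\s+===\s+(?P<remote>[\d./ ]+?)\s*$"
    )


    def installed_selectors(status_text):
        """Return [(conn, [local nets], [remote nets])] for every installed child SA."""
        result = []
        for line in status_text.splitlines():
            m = SELECTOR_RE.match(line)
            if not m:
                continue
            local = [ipaddress.ip_network(s) for s in m["local"].split()]
            remote = [ipaddress.ip_network(s) for s in m["remote"].split()]
            result.append((m["conn"], local, remote))
        return result


    def sas_covering(status_text, src_ip, dst_ip):
        """Names of child SAs whose selectors would carry traffic from src_ip to dst_ip."""
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        names = []
        for conn, local, remote in installed_selectors(status_text):
            if any(src in n for n in local) and any(dst in n for n in remote):
                if conn not in names:
                    names.append(conn)
        return names


    if __name__ == "__main__":
        # OpenVPN client 10.8.0.5 reaching a host on the second tunnel's LAN:
        # no SA matches before the split, so the packet falls through to the
        # default route (the WAN gateway seen in the traceroute); after the
        # split the dedicated child SA picks it up.
        print("before split:", sas_covering(BEFORE_SPLIT, "10.8.0.5", "10.20.0.7"))  # []
        print("after split: ", sas_covering(AFTER_SPLIT, "10.8.0.5", "10.20.0.7"))   # ['con7001']
    ```

    On a real system the text can be fed from `ipsec statusall` (for example via `subprocess.run(["ipsec", "statusall"], capture_output=True, text=True).stdout`); an empty result for the OpenVPN subnet is the symptom the thread describes, regardless of what the _conn_ definitions in ipsec.conf promise.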
