Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [SOLVED] Routing (NAT) OpenVPN traffic to (multiple) IPSec

    Scheduled Pinned Locked Moved IPsec
    4 Posts 1 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • maxxerM
      maxxer
      last edited by

      Hi.

      At my office I have several IPSec VPNs running, and for some of them I'd like to be able to reach the remote endpoint also when connected via OpenVPN.

      I managed to setup such routing for an IPSec endpoint, but I'm unable to replicate the configuration for a second tunnel.

      On the first working tunnel I:

      • added a second Phase2 entry with the OpenVPN subnet, but at NAT/BINAT translation I chose Network and entered the LAN network (10.0.0.0/24)

      • added the route option to the OpenVPN additional config option

      So I did the same for the second tunnel but it won't work. If I traceroute from OpenVPN to the second tunnel's LAN I see packets going to pfSense and next hop is WAN gateway!

      What's wrong?
      Thanks

      screenshot--05.png
      screenshot--05.png_thumb

      1 Reply Last reply Reply Quote 0
      • maxxerM
        maxxer
        last edited by

        An update: I noticed the working tunnel is IKEv1, while the non working one is v2. In /var/etc/ipsec/ipsec.conf for the first tunnel there are two conn, while for the second only one.

        For the v1 I have the first conn withleftsubnet = 10.0.0.0/24and a second one with```
        leftsubnet = 10.0.0.0/24|10.17.17.0/24

        
        For the v2 I just have one _conn_ with```
        leftsubnet = 10.0.0.0/24,10.0.0.0/24|10.17.17.0/24
        

        (being 10.0.0.0 the LAN and 10.17.17.0 the OpenVPN).

        And with```
        ipsec statusall

        
        

        con8000:  79.1.2.3...31.1.1.1  IKEv1, dpddelay=10s
            con8000:  local:  [79.1.2.3] uses pre-shared key authentication
            con8000:  remote: [192.168.5.2] uses pre-shared key authentication
            con8000:  child:  10.0.0.0/24|/0 === 10.55.0.128/25|/0 TUNNEL, dpdaction=restart
            con8001:  child:  10.0.0.0/24|10.17.17.0/24 === 10.55.0.128/25|/0 TUNNEL, dpdaction=restart
                con7:  79.1.2.3...83.1.2.3  IKEv2, dpddelay=10s
                con7:  local:  [79.1.2.3] uses pre-shared key authentication
                con7:  remote: [83.1.2.3] uses pre-shared key authentication
                con7:  child:  10.0.0.0/24|/0 === 192.168.14.0/24|/0 TUNNEL, dpdaction=restart

        
        The second _child_ is missing.
        1 Reply Last reply Reply Quote 0
        • maxxerM
          maxxer
          last edited by

          Opened an issue: https://redmine.pfsense.org/issues/7187

          1 Reply Last reply Reply Quote 0
          • maxxerM
            maxxer
            last edited by

            Solved.

            After some more debugging and digging into pfSense sources I found out that for IKEv2 in some cases the Split connections option in P1 is required.

            After enabling this option I was able to access the tunnel from the OpenVPN subnet!

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.