Can't access IPsec Site-to-Site Subnet from OpenVPN Subnet



  • Hello everyone,

    I have an issue with accessing my IPsec Site-to-Site Subnet from the OpenVPN Subnet.

    I have a regular Subnet 192.168.2.0 which I use in my LAN. I am also using an IPsec Site-to-Site Connection to another, remote Subnet 192.168.20.0.
    Those two can communicate without any issue.

    However, I also have an OpenVPN Server running which has the Subnet 10.0.8.0 and is only able to access the subnet 192.168.2.0 but not the IPsec Site-to-Site Subnet 192.168.20.0.

    The OpenVPN Server is set to push Routes to both Subnets, but as I said only one is accessible from the OpenVPN Subnet.

    Any ideas on where to look to resolve this issue?
    Thank you in advance for your input.



  • Check your routing on each box. Diagnostics/Routes

    If OpenVPN has pushed all the correct routes (because you specified them correctly in the openvpn server/client), they will be in routing table.

    Check firewall rules on OpenVPN interface, to check you're allowing traffic.

    If your IPsec and OpenVPN endpoints are on separate boxes (you don't say in your question) on the common network, you'll need static routes on each box: System / Routing / Static Routes

    Use mtr on a workstation to traceroute between network points, to see how far your packets get.



  • The IPsec and the OpenVPN endpoint are on the same pfSense Router. That pfSense Router in turn is connected via OpenVPN to another VPN Server.

    I have checked the Routing table but it strangely does not mention the 192.168.20.0/24 subnet anywhere.

    A traceroute from 192.168.2.0 to 192.168.20.0 goes all the way through, also vice versa.

    A traceroute from clients in the 10.0.8.0 subnet however only reaches 10.0.8.1 and after that hits the gateway of the OpenVPN Server the pfSense Box is connected to. After that, obviously, no responses anymore.

    I have tinkered with NAT a bit yesterday and got it to work very briefly. When I woke up this morning it had stopped working.
    I am really at a loss here.



  • So if your routing table doesn't mention 20.0, then it really truly doesn't know how to get to it, and will send that traffic to the default gateway.

    The OpenVPN server may very well push the route to 20.0 to the remote clients. The clients will contact the specified gateway.

    However, that doesn't mean the gateway (i.e. probably your pf box with the missing route) knows how to get to 20.0.

    Add a System / routing / static route if needed.
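The point made in the last reply, that a pushed route only tells the client where to send packets and the gateway itself still needs an entry for 192.168.20.0/24, can be checked with a longest-prefix-match lookup over the server's own routing table. The following is an added example, not code from the thread or from pfSense; the routing table rows are constructed to mirror the subnets in the thread, and the default gateway address, the interface names and the next hop of the added static route are placeholders, not values taken from the poster's setup.

```python
import ipaddress

# Constructed routing table in the shape of a pfSense Diagnostics / Routes listing:
# (destination, gateway, interface). Subnets follow the thread; gateway addresses
# and interface names are assumptions for this example.
ROUTES_BEFORE = [
    ("0.0.0.0/0",      "203.0.113.1", "wan"),     # default route (placeholder gateway)
    ("192.168.2.0/24", "link#1",      "lan"),     # directly connected LAN
    ("10.0.8.0/24",    "10.0.8.2",    "ovpns1"),  # OpenVPN server tunnel network
]

# Same table after adding the static route the reply suggests
# (System / Routing / Static Routes). The next hop is a placeholder.
ROUTES_AFTER = ROUTES_BEFORE + [
    ("192.168.20.0/24", "192.0.2.1", "lan"),
]

# Routes the OpenVPN server pushes to its clients, as described in the first post.
PUSHED_ROUTES = ["192.168.2.0/24", "192.168.20.0/24"]


def lookup(routes, dst):
    """Longest-prefix match: the most specific destination prefix containing dst wins.

    Returns the matching (destination, gateway, interface) tuple, or None if nothing
    matches (a table with a default route always matches).
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    best_len = -1
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and net.prefixlen > best_len:
            best = (prefix, gw, iface)
            best_len = net.prefixlen
    return best


def unreachable_pushed(routes, pushed):
    """Pushed prefixes that the server's own table can only hand to the default route.

    A client honouring the pushed route will send traffic to the OpenVPN server;
    if the server then matches only 0.0.0.0/0, the packets leave via the default
    gateway instead of the site-to-site link, which is the symptom in the thread.
    """
    bad = []
    for prefix in pushed:
        probe = ipaddress.ip_network(prefix)[1]  # first host address in the subnet
        matched = lookup(routes, str(probe))
        if matched is None or matched[0] == "0.0.0.0/0":
            bad.append(prefix)
    return bad


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(f"{label}: 192.168.20.10 -> {lookup(table, '192.168.20.10')}")
        print(f"{label}: pushed but unroutable on the server: "
              f"{unreachable_pushed(table, PUSHED_ROUTES)}")
```

Running it shows 192.168.20.10 matching only the default route in the first table and the /24 in the second, so a quick way to triage the thread's problem is to compare the list of pushed routes against the server's own table and look for any prefix that falls through to 0.0.0.0/0.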