Allow OpenVPN clients to access remote site connected via IPSec



  • I have the following setup

    Site A: 10.0.1.0/24
    Site B: 10.4.1.0/24
    OpenVPN Clients: 172.16.0.0/24

    Site A <-- IPSEC --> Site B <-- OpenVPN Clients

    Site A and Site B are connected and traffic works both directions without issues
    OpenVPN Clients can access Site B without any issues at all

    The problem is -- OpenVPN Clients can NOT access Site A at all.

    From a rules perspective, right now I have things wide open

    • OpenVPN - allow all (standard wizard rule)
    • IPSec - allow all (standard wizard rule)

    Some notes

    • I have checked the LAN rules and I do not see anything preventing the traffic
    • I currently allow OpenVPN clients to see each other

    My thought is -- first get OpenVPN working the way I want and then I'll start locking down. So the question is, why can't the OpenVPN clients see Site A?

    Anyone have any suggestions for me to dig into?



  • You have to configure the vpn routing. That's not done by itself.

    Add a second phase 2 for the OpenVPN tunnel network to the IPSec configuration: on site B, enter site A's LAN into the remote network box and the OpenVPN tunnel network into the local network box. On site A, set the networks the other way round.

    In the OpenVPN server settings, if you haven't activated "Redirect gateway", add site A's LAN network to the local networks.

    Now the routes should work.
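    The reason the phase 2 has to be added on both sites, as an added illustration that is not part of the thread: a policy-based IPsec tunnel only carries packets that fit a (local, remote) selector on the sending side, and the reply has to fit the mirrored selector on the other side. The addresses below are constructed from the topology in the question, and the push directives assume the OpenVPN "Local networks" field is what hands those routes to the clients.

    ```python
    import ipaddress

    # Constructed from the thread's topology; not taken from any real firewall export.
    SITE_A_LAN = ipaddress.ip_network("10.0.1.0/24")
    SITE_B_LAN = ipaddress.ip_network("10.4.1.0/24")
    OVPN_TUNNEL = ipaddress.ip_network("172.16.0.0/24")


    def phase2_entries(site_b_has_ovpn_p2, site_a_has_ovpn_p2):
        """Phase 2 selectors as (local, remote) pairs for each side of the tunnel.

        The wizard creates only the LAN-to-LAN pair; the flags add the second
        phase 2 for the OpenVPN tunnel network on one or both sides."""
        site_b = {(SITE_B_LAN, SITE_A_LAN)}
        site_a = {(SITE_A_LAN, SITE_B_LAN)}
        if site_b_has_ovpn_p2:
            site_b.add((OVPN_TUNNEL, SITE_A_LAN))  # local = OpenVPN net, remote = A LAN
        if site_a_has_ovpn_p2:
            site_a.add((SITE_A_LAN, OVPN_TUNNEL))  # the same pair, mirrored, on A
        return site_a, site_b


    def selector_matches(selectors, src, dst):
        """True if a packet src->dst fits some (local, remote) selector."""
        return any(src in local and dst in remote for local, remote in selectors)


    def unreachable_flows(site_a, site_b, flows):
        """Flows (src on the OpenVPN side, dst on the A side) the tunnel drops.

        A flow works only if B selects it outbound AND A selects the reply."""
        return [(src, dst) for src, dst in flows
                if not (selector_matches(site_b, src, dst)
                        and selector_matches(site_a, dst, src))]


    def push_routes(local_networks):
        """Directives the OpenVPN 'Local networks' box becomes for the clients."""
        return ['push "route %s %s"' % (n.network_address, n.netmask)
                for n in local_networks]


    # One constructed client-to-site-A flow from the question.
    CLIENT_TO_A = [(ipaddress.ip_address("172.16.0.5"), ipaddress.ip_address("10.0.1.10"))]

    if __name__ == "__main__":
        # wizard only / P2 added on B only / P2 added on both sites
        for flags in [(False, False), (True, False), (True, True)]:
            site_a, site_b = phase2_entries(*flags)
            print(flags, "dropped:", unreachable_flows(site_a, site_b, CLIENT_TO_A))
        print(push_routes([SITE_B_LAN, SITE_A_LAN]))
    ```

    The middle case is the situation in the follow-up post: a phase 2 on site B alone still leaves the flow dropped, because site A has no selector for the reply.
    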



  • I just tried that and it doesn't seem to help – that said, I might be missing a step.

    Here is my phase 2 config for the IPSec - is this what you were suggesting?



  • Yes, that's the phase 2 on B site.
    You also have to add a second P2 for the OpenVPN tunnel network on the A site and add site A's LAN network to the local networks in the OpenVPN server's settings.



  • Found it!  I have a Zyxel Zywall 110 and I forgot that I needed to add a dedicated routing setup after setting up the new IPSec connection.

    Thanks!

