Netgate Discussion Forum

    Allow OpenVPN clients to access remote site connected via IPSec

      ravensorb

      I have the following setup

      Site A: 10.0.1.0/24
      Site B: 10.4.1.0/24
      OpenVPN Clients: 172.16.0.0/24

      Site A <-- IPSEC --> Site B <-- OpenVPN Clients

      Site A and Site B are connected and traffic works both directions without issues
      OpenVPN Clients can access Site B without any issues at all

      The problem is -- OpenVPN Clients can NOT access Site A at all.

      From a rules perspective, right now I have things wide open

      • OpenVPN - allow all (standard wizard rule)
      • IPSec - allow all (standard wizard rule)

      Some notes

      • I have checked the LAN rules and I do not see anything preventing the traffic
      • I currently allow OpenVPN clients to see each other

      My thought is -- first get OpenVPN working the way I want and then I'll start locking down.  So the question is, why can't the OpenVPN clients see Site A.

      Anyone have any suggestions for me to dig into?

        viragomann

        You have to configure the VPN routing. That's not done by itself.

        Add a second phase 2 for the OpenVPN tunnel network to the IPSec configuration. On site B, enter site A's LAN into the remote network box and the OpenVPN tunnel network into the local network box. On site A, set the networks in reverse.

        In the OpenVPN access server settings, if you haven't activated "Redirect gateway", add site A's LAN network to the local networks.

        Now the routes should work.

          ravensorb

          I just tried that and it doesn't seem to help – that said, I might be missing a step.

          Here is my phase 2 config for the IPSec - is this what you were suggesting?

            viragomann

            Yes, that's the phase 2 on B site.
            You also have to add a second P2 for the OpenVPN tunnel network to the A site and add site A's LAN network to the local networks in the OpenVPN server's settings.

              ravensorb

              Found it!  I have a Zyxel ZyWALL 110 and I forgot that I needed to add a dedicated routing setup after setting up the new IPSec connection.

              Thanks!
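
The selector logic discussed in this thread, as an added example that is not part of any post above: a small Python model of the path from an OpenVPN client to site A that names the first hop where the traffic has no matching route or phase 2 entry. The networks come from the thread; the sample host addresses, the assumed starting configuration and all function names are constructed for illustration, and the model does not cover device-specific routing such as the ZyWALL step mentioned in the last post.

```python
"""Added illustration: which hop drops OpenVPN-client -> site A traffic."""
from ipaddress import ip_address, ip_network

SITE_A_LAN = ip_network("10.0.1.0/24")      # from the thread
SITE_B_LAN = ip_network("10.4.1.0/24")      # from the thread
OVPN_TUNNEL = ip_network("172.16.0.0/24")   # from the thread
CLIENT, HOST_A = "172.16.0.6", "10.0.1.20"  # constructed sample addresses

# Assumed starting state: one phase 2 per side, clients pushed only site B's LAN.
ORIG_PUSHED = [SITE_B_LAN]
ORIG_P2_B = [(SITE_B_LAN, SITE_A_LAN)]      # (local, remote) as seen on site B
ORIG_P2_A = [(SITE_A_LAN, SITE_B_LAN)]      # (local, remote) as seen on site A

# State after the changes described in the replies.
FIXED_PUSHED = ORIG_PUSHED + [SITE_A_LAN]
FIXED_P2_B = ORIG_P2_B + [(OVPN_TUNNEL, SITE_A_LAN)]
FIXED_P2_A = ORIG_P2_A + [(SITE_A_LAN, OVPN_TUNNEL)]

def p2_matches(p2_list, local_ip, remote_ip):
    """True if a phase 2 entry covers this local/remote address pair."""
    loc, rem = ip_address(local_ip), ip_address(remote_ip)
    return any(loc in local and rem in remote for local, remote in p2_list)

def diagnose(src, dst, pushed, p2_site_b, p2_site_a):
    """Walk client -> site B -> IPsec -> site A and name the first gap."""
    if not any(ip_address(dst) in net for net in pushed):
        return "client: no route to destination"
    if not p2_matches(p2_site_b, src, dst):
        return "site B: no phase 2 for tunnel network"
    # On site A the selectors are mirrored: dst is local, src is remote.
    if not p2_matches(p2_site_a, dst, src):
        return "site A: no mirrored phase 2"
    return "ok"

if __name__ == "__main__":
    steps = [
        ("original", ORIG_PUSHED, ORIG_P2_B, ORIG_P2_A),
        ("route pushed", FIXED_PUSHED, ORIG_P2_B, ORIG_P2_A),
        ("P2 on B only", FIXED_PUSHED, FIXED_P2_B, ORIG_P2_A),
        ("P2 on both", FIXED_PUSHED, FIXED_P2_B, FIXED_P2_A),
    ]
    for name, pushed, p2b, p2a in steps:
        print(f"{name:13} -> {diagnose(CLIENT, HOST_A, pushed, p2b, p2a)}")
```

Passing `[ip_network("0.0.0.0/0")]` as `pushed` models a server with "Redirect gateway" enabled, where the client already routes everything into the tunnel.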

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.