OpenVPN clients accessing IPSEC tunnel to Amazon VPC
I've read all the threads about OpenVPN clients accessing networks on IPSEC tunnels and the consensus seems to be you have to add additional phase 2 entries at each end of IPSEC for the OpenVPN network addresses. Is that the only way to do it? I need mobile users on OpenVPN to be able to access our VPC over the IPSEC tunnel but Amazon abstracts the phase 1 and phase 2 setups so much I'm not sure how to set up a second phase 2 over the existing phase 1. To complicate matters, we have a server admin in charge of our Amazon side who thinks having to make a second phase 2 is ridiculous so I have to amass a pile of evidence to prove that's the only way to do it.
This might all be more a question for AWS support, but since I can't get past our company gatekeeper to deal with Amazon I thought you all here might be able to help arm me with info.
Has anyone been successful going OpenVPN -> pfSense -> IPSEC -> AWS?
Thanks for taking the time to read this!
I would try pushing the route to the IPSec endpoint or network to the OpenVPN clients. In custom options for the OpenVPN server add a statement like:
push "route 192.168.x.y 255.255.255.0";
I have used this to gain access to secondary subnets from an OpenVPN server. I use TAP mode for my road warrior setups in OpenVPN.
I just tested this, and was able to hop OpenVPN > pfSense1 > IPSec > pfSense2, but I do use TAP mode which makes the firewall rules on the end points a bit simpler.
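The two halves of the thread (push the remote network's route to the OpenVPN clients, and make sure a phase 2 entry at each end actually covers the client addresses) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from pfSense: it builds the `push "route ..."` directive for a given CIDR, and then walks a list of policy-based phase 2 selector pairs to see whether a packet from the OpenVPN tunnel network to the remote network would be matched on each side. All subnets in it (192.168.1.0/24 as the LAN, 10.8.0.0/24 as the OpenVPN tunnel, 10.0.0.0/16 as the VPC) are constructed assumptions, and the `(local, remote)` tuple layout simply mirrors how pfSense displays a phase 2 entry.

```python
"""Check whether IPsec phase 2 selectors cover OpenVPN clients reaching a remote network.

Added example; every subnet here is an assumption, not an address from the thread.
"""
import ipaddress
from typing import List, Optional, Sequence, Tuple

# One phase 2 entry as pfSense lists it: (local network, remote network), both CIDR.
Phase2 = Tuple[str, str]


def push_route(cidr: str) -> str:
    """Build the OpenVPN server directive that sends `cidr` into the client tunnel.

    OpenVPN wants a dotted netmask rather than a prefix length, so convert it.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return f'push "route {net.network_address} {net.netmask}"'


def selector_for(src_net: str, dst_net: str, phase2: Sequence[Phase2]) -> Optional[Phase2]:
    """Return the first phase 2 pair whose local side contains all of src_net and whose
    remote side contains all of dst_net; that is the SA this traffic would be matched to.

    A 0.0.0.0/0 <-> 0.0.0.0/0 pair (a route-based style tunnel) matches everything.
    """
    src = ipaddress.ip_network(src_net, strict=False)
    dst = ipaddress.ip_network(dst_net, strict=False)
    for local, remote in phase2:
        if src.subnet_of(ipaddress.ip_network(local, strict=False)) and dst.subnet_of(
            ipaddress.ip_network(remote, strict=False)
        ):
            return (local, remote)
    return None


def missing_phase2(
    client_net: str,
    vpc_net: str,
    near_phase2: Sequence[Phase2],
    far_phase2: Sequence[Phase2],
) -> List[Tuple[str, Phase2]]:
    """List the phase 2 entries still needed for client_net <-> vpc_net traffic.

    The near end (the pfSense that terminates OpenVPN) needs local=client_net,
    remote=vpc_net. The far end sees the same flow mirrored, so it needs
    local=vpc_net, remote=client_net. An empty list means both sides already
    cover the clients, e.g. when the clients sit inside a subnet that is already
    named in an existing entry.
    """
    needed: List[Tuple[str, Phase2]] = []
    if selector_for(client_net, vpc_net, near_phase2) is None:
        needed.append(("near", (client_net, vpc_net)))
    if selector_for(vpc_net, client_net, far_phase2) is None:
        needed.append(("far", (vpc_net, client_net)))
    return needed


if __name__ == "__main__":
    # Constructed scenario: only the LAN is in the existing phase 2 on both ends.
    LAN, OVPN, VPC = "192.168.1.0/24", "10.8.0.0/24", "10.0.0.0/16"
    near = [(LAN, VPC)]
    far = [(VPC, LAN)]
    print("OpenVPN server custom option:", push_route(VPC))
    print("LAN -> VPC matches:", selector_for(LAN, VPC, near))
    print("OpenVPN -> VPC matches:", selector_for(OVPN, VPC, near))
    for side, entry in missing_phase2(OVPN, VPC, near, far):
        print(f"add phase 2 on {side} end: local={entry[0]} remote={entry[1]}")
```

Run it as-is and the last two lines show the point the thread argues over: the push route gets the packet as far as pfSense, but with only a LAN-to-VPC selector the 10.8.0.0/24 source never enters the tunnel, and the mirrored entry is required at the far end as well. Feed the same function selectors of `0.0.0.0/0` on both sides and it reports nothing missing, which is the case where the question of "a second phase 2" does not arise.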