Netgate Discussion Forum

OpenVPN clients accessing IPSEC tunnel to Amazon VPC

  • J
    jimt97038
    last edited by May 10, 2018, 5:19 PM

    I've read all the threads about OpenVPN clients accessing networks on IPSEC tunnels and the consensus seems to be you have to add additional phase 2 entries at each end of IPSEC for the OpenVPN network addresses. Is that the only way to do it? I need mobile users on OpenVPN to be able to access our VPC over the IPSEC tunnel but Amazon abstracts the phase 1 and phase 2 setups so much I'm not sure how to set up a second phase 2 over the existing phase 1. To complicate matters, we have a server admin in charge of our Amazon side who thinks having to make a second phase 2 is ridiculous so I have to amass a pile of evidence to prove that's the only way to do it.

    This might all be more a question for AWS support, but since I can't get past our company gatekeeper to deal with Amazon I thought you all here might be able to help arm me with info.

    Has anyone been successful going OpenVPN-->pfSense-->IPSEC-->AWS??

    Thanks for taking the time to read this!

    • B
      bfeitell
      last edited by May 10, 2018, 11:26 PM

      I would try pushing the route to the IPSec endpoint or network to the OpenVPN clients. In custom options for the OpenVPN server add a statement like:

      push "route 192.168.x.y 255.255.255.0";

      I have used this to gain access to secondary subnets from an OpenVPN server. I use TAP mode for my road warrior setups in OpenVPN.

      • B
        bfeitell
        last edited by May 10, 2018, 11:33 PM

        I just tested this, and was able to hop OpenVPN > PFSense1 > IPSec > PFSense2, but I do use TAP mode which makes the firewall rules on the end points a bit simpler.

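The phase 2 question raised in this thread, as an added example that is not part of any post here: a check of which client source networks a set of phase 2 entries will carry toward the remote network. It assumes policy-based IPsec, where each phase 2 entry is a local/remote network pair and only matching traffic enters the tunnel. All addresses and the function names `matches_phase2` and `uncovered_sources` are constructed for illustration.

```python
"""Added example: which source networks a set of IPsec phase 2 entries covers."""
from ipaddress import ip_address, ip_network

# Constructed sample values (assumptions, not taken from the thread).
LAN_NET = ip_network("192.168.1.0/24")     # LAN behind pfSense
OVPN_TUN_NET = ip_network("10.8.0.0/24")   # OpenVPN tunnel network (routed clients)
VPC_NET = ip_network("172.31.0.0/16")      # remote network behind the IPsec tunnel


def matches_phase2(src, dst, phase2_entries):
    """Return the first (local, remote) pair covering src -> dst, or None."""
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in phase2_entries:
        if src in local and dst in remote:
            return (local, remote)
    return None  # no selector matches: the packet is not sent into the tunnel


def uncovered_sources(client_nets, remote_net, phase2_entries):
    """List client networks that no phase 2 entry covers toward remote_net."""
    missing = []
    for net in client_nets:
        covered = any(
            net.subnet_of(local) and remote_net.subnet_of(remote)
            for local, remote in phase2_entries
        )
        if not covered:
            missing.append(net)
    return missing


if __name__ == "__main__":
    single = [(LAN_NET, VPC_NET)]
    both = single + [(OVPN_TUN_NET, VPC_NET)]
    clients = [LAN_NET, OVPN_TUN_NET]
    for label, entries in (("LAN phase 2 only", single), ("LAN + OpenVPN phase 2", both)):
        print(label)
        print("  uncovered:", uncovered_sources(clients, VPC_NET, entries))
        # Routed client holding a tunnel-network address.
        print("  10.8.0.6     ->", matches_phase2("10.8.0.6", "172.31.5.10", entries))
        # Client holding a LAN address, as with a TAP setup bridged to the LAN (assumed).
        print("  192.168.1.50 ->", matches_phase2("192.168.1.50", "172.31.5.10", entries))
```

A pushed route only makes the client send the traffic to the firewall; whether the firewall then places it in the tunnel depends on the selector match shown here, and the far end needs the mirrored entry for return traffic.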
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.