OpenVPN roaming users can't access devices over IPSec Site to Site
-
Hello,
I have an issue with one of my sites. Users connected to a roaming OpenVPN cannot access resources over a site to site connection. I'll do my best to explain:
Above is a basic layout of my network.
On router A I have added Router B's network to the list of IPv4 Local Networks in the OpenVPN settings.
On router B I have added the OpenVPN tunnel network to the phase 2 entries in IPSec.
Both of my rules for the OpenVPN and IPSec interfaces allow all traffic to pass.
With that configured I can ping Server B from Server A and vice versa.
I can ping Server A from Client A but cannot ping Client A's address from Server A.
I cannot ping Server B from Client A. When trying to ping Server B from Client A I can see in the states table (on Router A) that there are packets being sent but none received. There's nothing in the firewall log indicating that the packets have been blocked.
On Router B I cannot see anything in the states tables or the firewall log coming from either the Public IP of Router A or the OpenVPN tunnel.
Any help with this would be greatly appreciated!
-
What do your IPsec P2 entries look like? And the routes you push to the OpenVPN clients?
In the OpenVPN server you should have `10.10.16.0/24` listed in the Local IPv4 Networks box, in addition to `10.10.8.0/21`, so the entry would look like: `10.10.8.0/21,10.10.16.0/24`.
Your IPsec P2 entries would need to account for the pairing of `10.10.255.0/24` <-> `10.10.16.0/24` on both sides (e.g. at A, a P2 for `10.10.255.0/24` -> `10.10.16.0/24`, at B a P2 for `10.10.16.0/24` -> `10.10.255.0/24`), plus firewall rules on IPsec to allow to/from the OpenVPN subnet as needed.
-
@jimp It was my phase 2 entries that were messed up! Thanks for the help, all is working now.