Netgate Discussion Forum

    Route traffic from Client VPN Network to Network on other side of Site-to-Site IPSec VPN?

    Routing and Multi WAN
      JimPhreak

      I have a site-to-site IPSec VPN connection between my home network and my parents. I also have a client OpenVPN network that I use for my personal devices (laptop, phone, etc.) to connect into my home network. Since I can't create a gateway for my IPSec VPN Network like I can with OpenVPN, how can I route traffic from my client VPN connection to the other side of the Site to Site connection?

      Home Network (VPN Server): 10.0.10.0
      Parents Network (via IPSec): 192.168.2.0
      OpenVPN Client VPN: 172.16.42.0

      So I'm looking to get from 172.16.42.0 to 192.168.2.0.

        viragomann

        Add a 2nd phase 2 for the Parents Network and the OpenVPN tunnel network to your IPSec config on both sites.

        In the OpenVPN server config add the Parents Network to the "Local Networks" to push the route to the clients.

          JimPhreak @viragomann

          @viragomann said in Route traffic from Client VPN Network to Network on other side of Site-to-Site IPSec VPN?:

          Add a 2nd phase 2 for the Parents Network and the OpenVPN tunnel network to your IPSec config on both sites.

          In the OpenVPN server config add the Parents Network to the "Local Networks" to push the route to the clients.

          Yea I already have that in the OpenVPN config.

          As for the 2nd phase 2, I'm a little confused as to how that needs to be set. I added a second phase 2 to both ends as follows but that didn't do the trick. No blocks in the firewall showing up as IPSec is wide open ATM.

          Home Router

          SPE_LAN_NET = 10.0.10.0

          Parents Router

          LAN = 192.168.2.0

            viragomann

            On the home router the local subnet has to be the OpenVPN tunnel network in the second phase 2!

              JimPhreak @viragomann

              @viragomann said in Route traffic from Client VPN Network to Network on other side of Site-to-Site IPSec VPN?:

              On the home router the local subnet has to be the OpenVPN tunnel network in the second phase 2!

              It is. SPE_VPN_NET is the OpenVPN tunnel network.

                viragomann

                Yeah. I meant I'd read SPE_LAN_NET in both lines.

                @jimphreak said in Route traffic from Client VPN Network to Network on other side of Site-to-Site IPSec VPN?:

                SPE_VPN_NET is the OpenVPN tunnel network.

                And the tunnel is 172.16.42.0/29?

                If so it should work though. Firewall rules permit the access at both sites?

                For troubleshooting you can use packet capture to investigate if the packets are routed into the IPSec tunnel and arrive at the remote site and if responses are routed back correctly.

                  JimPhreak @viragomann

                  @viragomann Yes, 172.16.42.0/29 is the OpenVPN tunnel network. Firewall interfaces are all set to wide open ATM for testing. I'll do some packet capturing to see what's going on.

                    JimPhreak

                    I'm thinking that I need a static route but since I can't set the IPSec tunnel as an interface and thus gain a gateway I can't do that yet. It looks like that feature is coming in 2.4.4.

                      viragomann

                      That shouldn't be necessary since you have only one IPSec connection.
                      Other guys have already accomplished what you're trying to achieve here. So it should also be possible in your setup.

                        JimPhreak @viragomann

                        @viragomann Ok, then that is frustrating. Hmmmmm.

                          viragomann

                          So try some troubleshooting.

                          A traceroute from a vpn client.
                          Packet capture.

                          That should be an easy challenge.

                            JimPhreak @viragomann

                            @viragomann said in Route traffic from Client VPN Network to Network on other side of Site-to-Site IPSec VPN?:

                            So try some troubleshooting.

                            A traceroute from a vpn client.
                            Packet capture.

                            That should be an easy challenge.

                            Traceroute is not helpful, everything times out beyond the local router (192.168.1.1) my VPN client is connected to.

                            As for packet capture, I see nothing at all related to the 192.168.2.x network that I'm trying to access. I have a constant ping going and have tried a packet capture on every interface.

                              viragomann

                              If you ping an IP out of 192.168.2.0/24 from a VPN client you should at least see the ping on the OpenVPN interface on your home router, shouldn't you?

                                JimPhreak @viragomann

                                @viragomann said in Route traffic from Client VPN Network to Network on other side of Site-to-Site IPSec VPN?:

                                If you ping an IP out of 192.168.2.0/24 from a vpn client you should at least see the ping on the OpenVPN interface on your home router, don't you?

                                Nope, not seeing it. I'm pinging 192.168.2.55 from 172.16.42.5 and it's not showing up in the packet capture on my home pfSense box. Not making sense.

                                  viragomann

                                  Probably the client is missing the route to 192.168.2.55?

                                  What does the client routing table show?

                                    JimPhreak @viragomann

                                    @viragomann said in Route traffic from Client VPN Network to Network on other side of Site-to-Site IPSec VPN?:

                                    Probably the client is missing the route to 192.168.2.55?

                                    What does the client routing table show?

                                    It seems there is no route to 192.168.2.0 in my pfsense routing table but that doesn't make sense because I can clearly get there from 10.0.10.0.


                                      viragomann

                                      I was talking about the OpenVPN Client.

                                        JimPhreak @viragomann

                                        @viragomann Yea I know. Don't have my laptop ATM to check. Not sure how to view routing tables on Android.

                                          JimPhreak

                                          Ok, confirmed my Windows client connected to the VPN has no defined route to 192.168.2.0. However, even when I'm connected to my home LAN (10.0.10.0) with the same Windows client, it doesn't have a route to 192.168.2.0 either. Yet it can still get there.

                                          So it almost seems like the second Phase 2 entry isn't active or working. Is there an easy way to confirm the status of the P2 entries?

                                            JimPhreak

                                            Grrrrrrrrrrrrr.

                                            Found the problem and it was of course my fault. I had a client specific override for my user account (which I knew about but never checked). In there, the 192.168.2.0/24 network was set as a "Remote Network" instead of a "Local Network." Deleted it from remote networks, added it to local networks and now all is working. I didn't realize there was an option for "Remote Networks" as that's not an option for the actual OpenVPN server itself.

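As an added example (not from the thread and not pfSense code), a small Python model of the pieces this thread walks through: the paired Phase 2 entries on both sites, the OpenVPN server's "Local Networks", and the client-specific override's "Local Network/s" (pushed route) versus "Remote Network/s" (iroute). The `Site` class and `diagnose` function are my own names; the addresses are the thread's.

```python
import ipaddress
from dataclasses import dataclass, field


def net(cidr):
    """Parse a CIDR string such as "172.16.42.0/29" into an IPv4Network."""
    return ipaddress.IPv4Network(cidr, strict=False)


@dataclass
class Site:
    name: str
    phase2: list                                         # (local, remote) pairs, VPN > IPsec > Phase 2
    ovpn_local_nets: list = field(default_factory=list)  # OpenVPN server "Local Networks" (pushed routes)
    cso_local: list = field(default_factory=list)        # CSO "Local Network/s": pushes a route to the client
    cso_remote: list = field(default_factory=list)       # CSO "Remote Network/s": iroute, net is behind the client


def phase2_selects(site, src, dst):
    """True if one of this site's Phase 2 entries covers traffic src -> dst."""
    return any(src.subnet_of(loc) and dst.subnet_of(rem) for loc, rem in site.phase2)


def diagnose(home, parents, client_net, target):
    """Return the misconfigurations that would stop client_net from reaching target."""
    findings = []
    # A CSO "Remote Network" is an iroute: the server then believes target sits behind
    # the OpenVPN client and sends packets for it back down the tunnel, not into IPsec.
    if any(target.subnet_of(n) for n in home.cso_remote):
        findings.append("CSO lists %s as Remote Network (iroute)" % target)
    # The client only learns the route if it is pushed: server Local Networks or CSO Local Networks.
    if not any(target.subnet_of(n) for n in home.ovpn_local_nets + home.cso_local):
        findings.append("no route to %s pushed to OpenVPN clients" % target)
    # Home side: a Phase 2 whose local side is the OpenVPN tunnel net, not the LAN.
    if not phase2_selects(home, client_net, target):
        findings.append("%s: no Phase 2 local=%s remote=%s" % (home.name, client_net, target))
    # Remote side: the mirror image of that Phase 2.
    if not phase2_selects(parents, target, client_net):
        findings.append("%s: no Phase 2 local=%s remote=%s" % (parents.name, target, client_net))
    return findings


if __name__ == "__main__":
    lan, par, tun = net("10.0.10.0/24"), net("192.168.2.0/24"), net("172.16.42.0/29")
    parents = Site("parents", [(par, lan), (par, tun)])
    # The thread's state just before the fix: both Phase 2s correct, but the CSO
    # carries the parents' network as a Remote Network.
    home = Site("home", [(lan, par), (tun, par)], ovpn_local_nets=[lan, par], cso_remote=[par])
    for finding in diagnose(home, parents, tun, par):
        print(finding)
```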
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.