Problem with vpn on OpenVPN



  • Hello everyone, I have a problem in a VPN configured in open VPN, this VPN needs to access the hosts of a network that is connected in my pfsense via IPSec tunnel, I did some testing forcing the route adding the push command on the server of OpenVPN , but I did not succeed, I created a static route forcing the output by the gateway of the virtual network that is closing and I could not also.
    My only problem is to make the OpenVPN network see the network hosts that are in the IPSec tunnel, does anyone know how to do that?
    Thank you.



  • Why are you using both IPSec and OpenVPN? Pick one or the other.



  • Hi @JKnott. IPsec is to close the connection with our firewall, openvpn because the other side isn't managed by us. Can i make this kind of connection possible or only i can choose one of this kinds of VPN?



  • You should be able to do it, as a VPN is simply another IP path. We'll need a bit more info about your configuration though.



  • @garona Hey
    Do you have access to both routers with IPSEC tunnel ?
    If so, you can try to solve your problem
    What is the address of the network behind the OPENVPN tunnel ?
    what is the address of the network that is behind the IPSEC tunnel ?

    The solution is to create an additional phase 2 ipsec tunnel specifying the openvpn networks and the network behind the ipsec tunnel as the source and destination. And on the reverse side of the tunnel settings should be mirrored

    There are other solutions to this problem . But for this we need to see a diagram of your network and you have to understand that you can change in this scheme

    Can you show the IPSec tunnel phase 2 settings ?



  • Hi @Konstanti Yes, i have access to both routers.
    100.100.100.0/24 is the network behind openvpn tunnel.
    172.72.70.0/24 is the network behind ipsec.
    I will create the other phase 2, but i want to know what is the other possibilities to solve this problem.
    Actually we have the ipsec vpn between a pfsense and a cisco router, and this tunnel is acessible, i can ping ips of the network on pfsense, i can't only reach on openvpn tunnel, i tried use command push "route" on openvpn but i don't have success.
    Is a route problem, right?



  • @garona said in Problem with vpn on OpenVPN:
    Ipsec in its pure form does not know how to route traffic.
    Thus, it can only transfer traffic between networks from phase 2.
    Nothing else.
    the command "push route" here is absolutely useless



  • @konstanti ok, thanks for fast reply, the only solution is the phase 2 between the openvpn and remote network(172.72.70.x), right?



  • @garona Yes
    Need to test this theory
    As far as I understand , from cisco it is necessary to change acl



  • @garona
    and on the pfsense side, we need to add another phase 2



  • Ok, i'll test this and tell you what happened later.
    Thanks for the help.



  • @konstanti
    Ok
    For example
    cisco side
    access-list 100 permit ip 172.70.70.0 0.0.0.255 100.100.100.0 0.0.0.255
    pfsense side
    0_1546541458002_4e868b7e-4cfb-4231-8d39-2bc43d3da4b4-image.png

    Forgotten
    The network behind openvpn can be different if you use NAT .
    About this we must remember
    I gave an example , assuming that NAT is not being used