    Problem with vpn on OpenVPN

    garona

      Hello everyone, I have a problem with a VPN configured in OpenVPN. This VPN needs to access the hosts of a network that is connected to my pfSense via an IPsec tunnel. I did some testing forcing the route by adding the push command on the OpenVPN server, but I did not succeed. I also created a static route forcing the output via the gateway of the virtual network that is closing, and that did not work either.
      My only problem is to make the OpenVPN network see the network hosts that are in the IPsec tunnel. Does anyone know how to do that?
      Thank you.

      JKnott

        Why are you using both IPSec and OpenVPN? Pick one or the other.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        garona

          Hi @JKnott. IPsec is to close the connection with our firewall, OpenVPN because the other side isn't managed by us. Can I make this kind of connection possible, or can I only choose one of these kinds of VPN?

          JKnott

            You should be able to do it, as a VPN is simply another IP path. We'll need a bit more info about your configuration though.


            Konstanti @garona

              @garona Hey
              Do you have access to both routers with the IPsec tunnel?
              If so, you can try to solve your problem.
              What is the address of the network behind the OpenVPN tunnel?
              What is the address of the network that is behind the IPsec tunnel?

              The solution is to create an additional phase 2 IPsec tunnel, specifying the OpenVPN network and the network behind the IPsec tunnel as the source and destination. On the reverse side, the tunnel settings should be mirrored.

              There are other solutions to this problem, but for that we need to see a diagram of your network, and you have to understand what you can change in this scheme.

              Can you show the IPsec tunnel phase 2 settings?

              garona

                Hi @Konstanti. Yes, I have access to both routers.
                100.100.100.0/24 is the network behind the OpenVPN tunnel.
                172.72.70.0/24 is the network behind IPsec.
                I will create the other phase 2, but I want to know what the other possibilities are to solve this problem.
                Actually we have the IPsec VPN between a pfSense and a Cisco router, and this tunnel is accessible: I can ping IPs of the network from pfSense, I just can't reach them over the OpenVPN tunnel. I tried using the push "route" command on OpenVPN, but without success.
                It's a routing problem, right?

                Konstanti @garona

                  @garona said in Problem with vpn on OpenVPN:
                  IPsec in its pure form does not know how to route traffic.
                  Thus, it can only transfer traffic between the networks defined in phase 2.
                  Nothing else.
                  The "push route" command is absolutely useless here.

                  garona @Konstanti

                    @konstanti OK, thanks for the fast reply. The only solution is the phase 2 between the OpenVPN and the remote network (172.72.70.x), right?

                    Konstanti @garona

                      @garona Yes.
                      We need to test this theory.
                      As far as I understand, on the Cisco side it is necessary to change the ACL.

                      Konstanti @garona

                        @garona
                        And on the pfSense side, we need to add another phase 2.

                        garona @Konstanti

                          OK, I'll test this and tell you what happened later.
                          Thanks for the help.

                          Konstanti @Konstanti

                            @konstanti
                            OK.
                            For example:
                            Cisco side:
                            access-list 100 permit ip 172.70.70.0 0.0.0.255 100.100.100.0 0.0.0.255
                            pfSense side:
                            [image: screenshot of the pfSense phase 2 settings]

                            Forgotten:
                            The network behind OpenVPN can be different if you use NAT.
                            We must remember this.
                            I gave an example assuming that NAT is not being used.

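The point Konstanti makes in the thread (policy-based IPsec only carries traffic whose source and destination match a phase 2 selector pair, so a pushed route changes nothing, and the Cisco ACL must mirror the pfSense phase 2) can be checked with the following script, which is an added example and not code from the thread or from pfSense. It uses the tunnel networks given in the thread (100.100.100.0/24 behind OpenVPN, 172.72.70.0/24 behind IPsec); the pfSense LAN subnet 192.168.1.0/24 and the ACL line are constructed placeholders.

```python
import ipaddress

# Phase 2 selectors on the pfSense side as (local, remote) subnet pairs.
# 192.168.1.0/24 is a constructed placeholder for the pfSense LAN.
PHASE2_BEFORE = [("192.168.1.0/24", "172.72.70.0/24")]
# Added phase 2: OpenVPN tunnel network <-> network behind IPsec (no NAT assumed).
PHASE2_AFTER = PHASE2_BEFORE + [("100.100.100.0/24", "172.72.70.0/24")]


def ipsec_carries(phase2, src, dst):
    """Policy-based IPsec encrypts a packet only if its src/dst fall inside some
    phase 2 pair; with no match the packet never enters the tunnel, regardless of
    what the routing table (or an OpenVPN 'push route') says."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(loc) and d in ipaddress.ip_network(rem)
               for loc, rem in phase2)


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco 'address wildcard' pair (e.g. 0.0.0.255) into a CIDR network.
    Rejects non-contiguous wildcard masks, which cannot map to a single prefix."""
    w = int(ipaddress.ip_address(wildcard))
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard mask: %s" % wildcard)
    prefix = 32 - w.bit_length()
    return ipaddress.ip_network("%s/%d" % (addr, prefix), strict=True)


def parse_cisco_acl(line):
    """Parse 'access-list N permit ip SRC WILD DST WILD' into (src_net, dst_net)."""
    t = line.split()
    if len(t) != 8 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
        raise ValueError("unsupported ACL form: %s" % line)
    return wildcard_to_network(t[4], t[5]), wildcard_to_network(t[6], t[7])


def acl_mirrors_phase2(acl_line, local, remote):
    """The Cisco crypto ACL must be the mirror image of the pfSense phase 2:
    Cisco source == pfSense remote and Cisco destination == pfSense local."""
    cisco_src, cisco_dst = parse_cisco_acl(acl_line)
    return (cisco_src == ipaddress.ip_network(remote)
            and cisco_dst == ipaddress.ip_network(local))


if __name__ == "__main__":
    pkt = ("100.100.100.5", "172.72.70.10")  # OpenVPN client -> host behind IPsec
    print("before extra phase 2:", ipsec_carries(PHASE2_BEFORE, *pkt))  # False
    print("after extra phase 2: ", ipsec_carries(PHASE2_AFTER, *pkt))   # True
    acl = "access-list 100 permit ip 172.72.70.0 0.0.0.255 100.100.100.0 0.0.0.255"
    print("Cisco ACL mirrors pfSense phase 2:",
          acl_mirrors_phase2(acl, "100.100.100.0/24", "172.72.70.0/24"))  # True
```

If OpenVPN clients are NATed before entering IPsec, the selector and the ACL must name the post-NAT source network instead of 100.100.100.0/24, as the last post notes.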