Problem with vpn on OpenVPN

garona

Hello everyone, I have a problem in a VPN configured in open VPN, this VPN needs to access the hosts of a network that is connected in my pfsense via IPSec tunnel, I did some testing forcing the route adding the push command on the server of OpenVPN , but I did not succeed, I created a static route forcing the output by the gateway of the virtual network that is closing and I could not also.
My only problem is to make the OpenVPN network see the network hosts that are in the IPSec tunnel, does anyone know how to do that?
Thank you.

JKnott

Why are you using both IPSec and OpenVPN? Pick one or the other.

garona

Hi @JKnott. IPsec is to close the connection with our firewall, openvpn because the other side isn't managed by us. Can i make this kind of connection possible or only i can choose one of this kinds of VPN?

JKnott

You should be able to do it, as a VPN is simply another IP path. We'll need a bit more info about your configuration though.

Konstanti

@garona Hey
Do you have access to both routers with IPSEC tunnel ?
If so, you can try to solve your problem
What is the address of the network behind the OPENVPN tunnel ?
what is the address of the network that is behind the IPSEC tunnel ?

The solution is to create an additional phase 2 ipsec tunnel specifying the openvpn networks and the network behind the ipsec tunnel as the source and destination. And on the reverse side of the tunnel settings should be mirrored

There are other solutions to this problem . But for this we need to see a diagram of your network and you have to understand that you can change in this scheme

Can you show the IPSec tunnel phase 2 settings ?

garona

Hi @Konstanti Yes, i have access to both routers.
100.100.100.0/24 is the network behind openvpn tunnel.
172.72.70.0/24 is the network behind ipsec.
I will create the other phase 2, but i want to know what is the other possibilities to solve this problem.
Actually we have the ipsec vpn between a pfsense and a cisco router, and this tunnel is acessible, i can ping ips of the network on pfsense, i can't only reach on openvpn tunnel, i tried use command push "route" on openvpn but i don't have success.
Is a route problem, right?

Konstanti

@garona said in Problem with vpn on OpenVPN:
Ipsec in its pure form does not know how to route traffic.
Thus, it can only transfer traffic between networks from phase 2.
Nothing else.
the command "push route" here is absolutely useless

garona

@konstanti ok, thanks for fast reply, the only solution is the phase 2 between the openvpn and remote network(172.72.70.x), right?

Konstanti

@garona Yes
Need to test this theory
As far as I understand , from cisco it is necessary to change acl

Konstanti

@garona
and on the pfsense side, we need to add another phase 2

garona

Ok, i'll test this and tell you what happened later.
Thanks for the help.

Konstanti

@konstanti
Ok
For example
cisco side
access-list 100 permit ip 172.70.70.0 0.0.0.255 100.100.100.0 0.0.0.255
pfsense side

Forgotten
The network behind openvpn can be different if you use NAT .
About this we must remember
I gave an example , assuming that NAT is not being used