4. SNAT From OpenVPN user to a IPSec tunnel possible?

SNAT From OpenVPN user to a IPSec tunnel possible?

  • J

    Hello,
    First topic here, hope I am following the rules.

    I have a 2.4.4-p2 PFSense Box with a OpenVPN server and some IPSec tunnels configured.
    My LAN subnet is 10.25.16.0/21 and my OpenVPN client subnet is 10.25.26.0/23 (large subnets, I know :S )

    I have an IPSec tunnel that has my LAN subnet (10.25.16.0/21) on a single Phase2 and now I need that my OpenVPN clients (10.25.26.0/23) access the remote subnet of this tunnel (10.80.242.0/24)
    I have to access the remote subnet but the remote subnet doesn't need to access my sides. So the VPN tunnel just need to be one way.

    The question is, can I do this without adding a new Phase 2 to the VPN?
    I would think that a SNAT from my OpenVPN LAN to route that subnet trough the tunnel would be somewhat possible. Am I thinking this wrong?

    Thank you for your time!

    Best regards,
    John

    0
    K
     1 Reply
  • K

    @johnpulse

    Try so
    https://forum.netgate.com/topic/140435/can-a-remote-vpn-user-client-access-other-vpn-ipsec-site-to-site/3

    0_1550232192417_10e60e6e-fbc1-4311-acae-57ba43fe6adc-image.png

    0
  • J

    Thank you so much for your quick answer.

    However on your example config I'm able to reach the remote subnet but only if I am on the OpenVPN subnet. LAN clients can't reach it.
    I tried swapping the subnets between "Local Network" and "NAT/BINAT translation" and it seems that the clients connected under the "NAT/BINAT translation" can't reach the other end.

    For confirmation, the Firewall Rules created to allow this traffic are accusing hits, so I guess it's a routing issue.

    0
    K
     2 Replies
  • K

    @johnpulse
    Try adding this as a second phase 2 on the pfsense side.
    See link ( post 3)

    0
  • K

    @johnpulse
    Here are my test settings
    Lan 10.10.25.0 - lan with binat
    binat on enc0 from 10.10.25.0/24 to 192.168.15.0/24 -> 10.0.3.0/24
    0_1550254865066_c6a69803-beb5-4b9c-afa9-2120f400a4b2-image.png

    Second side

    0_1550254915420_8ab4cce7-d6fa-4c91-9ae1-3f55052f7a70-image.png

    Connection status

    0_1550255028954_ac858d92-5d02-47a9-80ad-eaa5b7c39bd8-image.png

    1
  • J

    I have to admit, when I saw your post I thought that having a different number of Phase 2's on both sides would never work!

    However, it worked perfectly! I can now reach the other side from both my LAN subnet and my OpenVPN subnet.
    I cannot thank you enough, it was stupid of me trying to crack this one up for so long (weeks literally) when it was so fast to get awesome help here.

    Hope you have a perfect weekend. Thank you so much for giving me your time and even by trying the setup on your LAB.

    Regards,
    John

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy