Netgate Discussion Forum

    IPSec mobile clients connecting to OpenVPN site-to-site VPN

    19 Posts 2 Posters 1.6k Views
    morgejgmail

      All,

      I set up my HQ pfSense box to allow mobile clients to connect via IPSec using the instructions at https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html

      I then set up an OpenVPN site-to-site connection from the HQ location to my secondary location (also running pfSense) using the instructions at https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-shared-key.html along with a little bit of additional configuration I found on YouTube.

      The OpenVPN site-to-site works perfectly for anyone from the HQ or secondary location to be able to connect to network resources on either end.

      FWIW, I have the following configuration:

      • HQ network: 192.168.1.0/24
      • HQ IPSec network: 192.168.32.0/24
      • Secondary location network: 192.168.20.0/24
      • IPv4 Tunnel network: 10.3.100.0/30

      My issue is that when I am connected from a mobile client via IPSec to HQ, I cannot access the network resources in the secondary location (across the OpenVPN from the HQ location). I.e., when connected on the IPSec network with a 192.168.32.0/24 address, I can access anything on the 192.168.1.0/24 network but cannot access anything on the 192.168.20.0/24 network.

      I believe that this is a routing problem, but I am unsure what and where to apply a fix to the routing.

      Any help would be greatly appreciated.

      Thanks.

      James

      kiokoman LAYER 8

        Mmh, make sure that you have added the proper static routes.
        Did you try any tracer / traceroute?

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        morgejgmail @kiokoman

          @kiokoman What static routes do you suggest that I add? Thanks!

          kiokoman LAYER 8

            ip route {destination network address} {mask} {next hop address or exit interface}
            So it should be:
            ip route 192.168.20.0 255.255.255.0 10.3.100.1

            morgejgmail @kiokoman

              @kiokoman Apologies for being a bit of a noob -- where does this route get applied? HQ or secondary site pfSense? Where in pfSense?

              Thanks so much for the help.

              kiokoman LAYER 8

                Let me summarize because English is not my first language:
                HQ to 192.168.20.0/24 works
                IPsec to 192.168.20.0/24 does not work
                HQ to 192.168.20.0/24 when IPsec is connected does not work
                Correct?
                Can you post a screenshot of phase 2?
                Did you try to add a second phase 2 with the 192.168.20.0/24?

                  morgejgmail @kiokoman

                  @kiokoman said in IPSec mobile clients connecting to OpenVPN site-to-site VPN:

                  Let me summarize because English is not my first language:
                  HQ to 192.168.20.0/24 works
                  IPsec to 192.168.20.0/24 does not work
                  HQ to 192.168.20.0/24 when IPsec is connected does not work
                  Correct?

                  HQ (192.168.1.0) to Second Site (192.168.20.0/24): works
                  Second Site (192.168.20.0/24) to HQ (192.168.1.0/24): works
                  Mobile (192.168.32.0/24) to HQ (192.168.1.0/24): works
                  Mobile (192.168.32.0/24) to Secondary (192.168.32.0/24): does not work

                  HQ and Secondary are connected via an OpenVPN site-to-site.
                  Mobile is connected via IPSec, and Mobile only connects to HQ.

                  My IPSec P2 for the mobile connections:
                  f15cdde9-4cc3-4e7f-b40f-b790c011cbde-image.png

                    kiokoman LAYER 8

                    I think that you need to add a second phase 2 with the network you want to reach.

                      morgejgmail @kiokoman

                      @kiokoman said in IPSec mobile clients connecting to OpenVPN site-to-site VPN:

                      I think that you need to add a second phase 2 with the network you want to reach.

                      Okay, here is what I tried to add but am still not able to connect from the mobile IPSec client via HQ to the secondary network:

                      f38038cb-0f3c-46e1-9499-9edb2a18a4a0-image.png

                      Thanks again for the help.

                        kiokoman LAYER 8

                        It's the tunnel 10.3.100.0/30 that connects you to 192.168.20.0/24.

                          morgejgmail @kiokoman

                          @kiokoman said in IPSec mobile clients connecting to OpenVPN site-to-site VPN:

                          10.3.100.0/30

                          I tried this but it did not work. Thoughts? Thanks again.

                          e5e23f00-bc61-452b-b227-fe7053dafad6-image.png

                            kiokoman LAYER 8

                            Are you adding or modifying the phase? Did you also check the firewall rules?

                              morgejgmail @kiokoman

                              @kiokoman said in IPSec mobile clients connecting to OpenVPN site-to-site VPN:

                              Are you adding or modifying the phase? Did you also check the firewall rules?

                              Adding a second P2.

                              I have all the IPsec and OpenVPN firewall rules set to allow all. Is there something specific I should be checking?

                                kiokoman LAYER 8

                                OK, I reproduced it on my lab and it's working now.
                                On my lab I have IPsec to -> OpenVPN client to -> OpenVPN server
                                IPsec is 192.168.130.0/24
                                LAN is 192.168.120/24
                                OpenVPN tunnel 10.3.100.0/30
                                OpenVPN server 10.3.100.0/30
                                remote LAN 192.168.3.0/24

                                IPsec:
                                ipsec.jpg

                                Client VPN:
                                vpnclient.jpg

                                Server VPN:

                                vpn-server.jpg

                                Be sure that the IPv4 remote network on the OpenVPN server has the network of your IPsec defined.

                                  morgejgmail @kiokoman

                                  @kiokoman said in IPSec mobile clients connecting to OpenVPN site-to-site VPN:

                                  Idk, I have reproduced this on my lab and I have the same problem. I'm still checking this.

                                  Thanks so much for the help!

                                  One thing I thought of this morning is that the P2 rule I created was listed second - the first P2 was to route everything (0.0.0.0) and the second P2 was to route to the OpenVPN tunnel address. I will try reversing this order when I get a chance this morning to see if that helps.

                                  Any advice you can offer would be greatly appreciated. Thanks again.

                                    kiokoman LAYER 8

                                    I have modified my previous answer, check that.

                                      morgejgmail

                                      That fixed it!

                                      FWIW, I had to make the change in the client OpenVPN configuration to allow the IPSec IP range because in my configuration the IPSec connection is to the OpenVPN server.

                                      Thanks again...please let me know if I can send you a cup of coffee for your help!

                                        kiokoman LAYER 8
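A model of the routing problem this thread ended on, written here as an added example (not from the thread, and not pfSense code): it builds the three routing tables before and after the IPsec range is added to the secondary site's OpenVPN "IPv4 Remote Network(s)", and checks both the request path and the reply path. Router names, host addresses and the "wan" sink for the default route are assumptions.

```python
import ipaddress

# Constructed model of the thread's topology: mobile IPsec client -> HQ pfSense
# -> OpenVPN site-to-site -> secondary pfSense. Router names are assumptions.
IPSEC_NET = ipaddress.ip_network("192.168.32.0/24")
HQ_LAN = ipaddress.ip_network("192.168.1.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.20.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

def build_tables(secondary_remote_networks):
    """Tables as (prefix, next hop). OpenVPN 'IPv4 Remote Network(s)' entries
    become routes via the tunnel; 'local' = connected, 'wan' = default route."""
    return {
        "mobile": [(IPSEC_NET, "local"), (ANY, "hq")],  # P2 0.0.0.0/0 to HQ
        "hq": [(HQ_LAN, "local"), (IPSEC_NET, "mobile"),
               (REMOTE_LAN, "secondary"), (ANY, "wan")],
        "secondary": [(REMOTE_LAN, "local")]
        + [(ipaddress.ip_network(n), "hq") for n in secondary_remote_networks]
        + [(ANY, "wan")],
    }

def lookup(table, ip):
    """Longest-prefix match, as the kernel routing table does."""
    matches = [(p, hop) for p, hop in table if ip in p]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(tables, start, dst):
    """Follow next hops from `start` toward `dst`: returns (path, outcome)."""
    dst = ipaddress.ip_address(dst)
    hops, node = [start], start
    for _ in range(8):  # bounded so a misconfigured loop still terminates
        hop = lookup(tables[node], dst)
        if hop in ("local", "wan"):
            return hops, hop
        hops.append(hop)
        node = hop
    return hops, "loop"

def round_trip_ok(tables, src_router, src_ip, dst_router, dst_ip):
    """A session works only if the request reaches dst_router AND the reply
    reaches src_router; a reply that falls to the default route is lost."""
    fwd, fwd_end = trace(tables, src_router, dst_ip)
    rev, rev_end = trace(tables, dst_router, src_ip)
    return (fwd_end == "local" and fwd[-1] == dst_router
            and rev_end == "local" and rev[-1] == src_router)

BROKEN = build_tables(["192.168.1.0/24"])  # secondary knows only the HQ LAN
FIXED = build_tables(["192.168.1.0/24", "192.168.32.0/24"])  # IPsec net added
```

The request from the mobile client reaches the secondary LAN in both cases; it is the reply to 192.168.32.0/24 that the secondary site sends out its default route until that prefix is listed, which is why a second IPsec phase 2 alone did not help.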

                                        Just press "thumb up" on the answer, the coffee would become cold :)

                                          morgejgmail @kiokoman

                                          @kiokoman said in IPSec mobile clients connecting to OpenVPN site-to-site VPN:

                                          Just press "thumb up" on the answer, the coffee would become cold :)

                                          Thumb up applied.

                                          Thanks again!

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.