IPSec mobile clients connecting to OpenVPN site-to-site VPN
-
All,
I set up my HQ pfsense box to allow mobile clients to connect via IPSec using the instructions at https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html
I then set up an OpenVPN site-to-site connection from the HQ location to my secondary location (also running pfsense) using the instructions at https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-shared-key.html along with a little bit of additional configuration I found on YouTube.
The OpenVPN site-to-site works perfectly for anyone from the HQ or secondary location to be able to connect to network resources on either end.
FWIW, I have the following configuration:
- HQ network: 192.168.1.0/24
- HQ IPSec network: 192.168.32.0/24
- Secondary location network: 192.168.20.0/24
- IPv4 Tunnel network: 10.3.100.0/30
My issue is that when I am connected from a mobile client via IPSec to HQ, I cannot access the network resources in the secondary location (across the OpenVPN from the HQ location). I.e., when connected on the IPSec network with a 192.168.32.0/24 address, I can access anything on the 192.168.1.0/24 network but cannot access anything on the 192.168.20.0/24 network.
I believe that this is a routing problem, but I am unsure what and where to apply a fix to the routing.
Any help would be greatly appreciated.
Thanks.
James
-
mmh make sure that you have added the proper static routes
did you try any tracer / traceroute?
-
@kiokoman What static routes do you suggest that I add? Thanks!
-
ip route {destination network address} {mask} {next hop address or exit interface}
so it should be
ip route 192.168.20.0 255.255.255.0 10.3.100.1
-
@kiokoman apologies for being a bit of a noob -- where does this route get applied? HQ or secondary site pfsense? where in pfsense?
Thanks so much for the help
-
let me summarize because english is not my first language,
HQ to 192.168.20.0/24 work
ipsec to 192.168.20.0/24 does not work
HQ to 192.168.20.0/24 when ipsec is connected does not work
correct?
can you post a screenshot of phase 2?
did you try to add a second phase 2 with the 192.168.20.0/24?
-
@kiokoman said in IPSec mobile clients connecting to OpenVPN site-to-site VPN:
let me summarize because english is not my first language,
HQ to 192.168.20.0/24 work
ipsec to 192.168.20.0/24 does not work
HQ to 192.168.20.0/24 when ipsec is connected does not work
correct?
HQ (192.168.1.0) to Second Site (192.168.20.0/24) work
Second Site (192.168.20.0/24) to HQ (192.168.1.0/24) work
Mobile (192.168.32.0/24) to HQ (192.168.1.0/24) work
Mobile (192.168.32.0/24) to Secondary (192.168.32.0/24) not work
HQ and Secondary are connected via an OpenVPN site-to-site.
Mobile is connected via IPSec and Mobile only connects to HQ
My IPSec P2 for the mobile connections:
-
i think that you need to add a second phase2 with the network you want to reach
-
@kiokoman said in IPSec mobile clients connecting to OpenVPN site-to-site VPN:
i think that you need to add a second phase2 with the network you want to reach
Okay, here is what I tried to add but am still not able to connect from the mobile IPSec client via HQ to the secondary network:
Thanks again for the help.
-
it's the tunnel 10.3.100.0/30 that connects you to 192.168.20.0/24
-
@kiokoman said in IPSec mobile clients connecting to OpenVPN site-to-site VPN:
10.3.100.0/30
I tried this but it did not work - thoughts? thanks again
-
are you adding or modifying the phase ? did you also check the firewall rules ?
-
@kiokoman said in IPSec mobile clients connecting to OpenVPN site-to-site VPN:
are you adding or modifying the phase ? did you also check the firewall rules ?
Adding a second P2
I have all the ipsec and openvpn firewall rules set to allow all - is there something specific I should be checking?
-
ok i reproduced it on my lab and it's working now
on my lab i have ipsec to -> openvpn client to -> openvpn server
ipsec is 192.168.130.0/24
lan is 192.168.120.0/24
openvpn tunnel 10.3.100.0/30
openvpn server 10.3.100.0/30
remote lan 192.168.3.0/24
ipsec:
client vpn:
server vpn:
be sure that ipv4 remote network on the openvpn server have the network of your ipsec defined
-
@kiokoman said in IPSec mobile clients connecting to OpenVPN site-to-site VPN:
idk i have reproduced this on my lab and i have the same problem. i'm still checking this
Thanks so much for the help!
One thing I thought of this morning is that the P2 rule I created was listed second - the first P2 was to route everything (0.0.0.0) and the second P2 was to route to the OpenVPN tunnel address. I will try reversing this order when I get a chance this morning to see if that helps.
Any advice you can offer would be greatly appreciated. Thanks again
-
i have modified my previous answer, check that
-
That fixed it!
FWIW, I had to make the change in the client OpenVPN configuration to allow the IPSec IP range because in my configuration the IPSec connection is to the OpenVPN server.
Thanks again...please let me know if I can send you a cup of coffee for your help!
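The routing failure discussed in this thread, as an added example that is not from the forum or from pfSense: a small longest-prefix-match model of the two pfSense boxes shows that the forward packet from the IPsec pool reaches the secondary LAN, but the reply follows the secondary box's default route unless 192.168.32.0/24 is listed in its OpenVPN client's remote networks. The interface names, host addresses and the assumption that the IPsec P2 already covers the secondary LAN are constructed for the model.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not pfSense code):
# HQ pfSense terminates the IPsec mobile clients (192.168.32.0/24) and is the
# OpenVPN server; the secondary pfSense is the OpenVPN client. The IPsec P2 is
# assumed to already cover the secondary LAN (the thread used 0.0.0.0/0).

def lookup(table, dst):
    """Longest-prefix match over (prefix, interface) entries; None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), via) for p, via in table
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def build_tables(secondary_remote_nets):
    """Routing tables as pfSense installs them: every entry in an OpenVPN
    instance's 'IPv4 Remote Network(s)' becomes a route into its tun interface."""
    hq = [("0.0.0.0/0", "wan"), ("192.168.1.0/24", "lan"),
          ("192.168.32.0/24", "ipsec"), ("10.3.100.0/30", "ovpns1"),
          ("192.168.20.0/24", "ovpns1")]          # HQ already knows the far LAN
    sec = [("0.0.0.0/0", "wan"), ("192.168.20.0/24", "lan"),
           ("10.3.100.0/30", "ovpnc1")]
    sec += [(net, "ovpnc1") for net in secondary_remote_nets]
    return hq, sec

def round_trip(secondary_remote_nets, src="192.168.32.10", dst="192.168.20.50"):
    """Trace a packet from an IPsec client to a host on the secondary LAN and
    its reply back. Returns (delivered, hops); hops lists each (box, interface)."""
    hq, sec = build_tables(secondary_remote_nets)
    # Forward leg must leave HQ via the OpenVPN server tun, then hit the far LAN.
    # Return leg must leave the secondary box via its client tun, then hit IPsec.
    plan = [("hq", hq, dst, "ovpns1"), ("secondary", sec, dst, "lan"),
            ("secondary", sec, src, "ovpnc1"), ("hq", hq, src, "ipsec")]
    hops = []
    for box, table, addr, wanted in plan:
        via = lookup(table, addr)
        hops.append((box, via))
        if via != wanted:          # e.g. reply sent to the default gateway and lost
            return False, hops
    return True, hops

if __name__ == "__main__":
    # Only the HQ LAN in the client's remote networks: the reply to 192.168.32.10
    # follows the secondary box's default route instead of the tunnel.
    print(round_trip(["192.168.1.0/24"]))
    # Adding the IPsec pool, as the lab post above showed, completes the round trip.
    print(round_trip(["192.168.1.0/24", "192.168.32.0/24"]))
```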
-
just press "thumb up" on the answer, the coffee would become cold :)
-
@kiokoman said in IPSec mobile clients connecting to OpenVPN site-to-site VPN:
just press "thumb up" on the answer, the coffee would become cold :)
Thumb up applied.
Thanks again!