Route OpenVPN Traffic through IPsec Tunnel



  • Hi folks :)

    I seem to miss some routing / forwarding in my setup i hope you can help :)

    Current Setup:

    1. Client to Site VPN through OpenVPN Server on PfSense --> everything works fine there in can interacet with the LAN Network of the pfSense from remote.

    2. Site to Site IPsec tunnel --> works fine too, the clients on the LAN network conntected to the pfSense can interact with the remote subnet of the other site.

    So far so good...

    what i want now is to be able to interact with clients on the remote site via my OpenVPN tunnel.

    Examples:

    client 10.0.0.2 ----openvpn-tunnel-----pfsense---LAN 172.17.16.0/24 --> Works

    LAN 172.17.16.0/24----pfsense---------IPsec-tunnel------remote-site 172.17.20.0/24 --> Works

    client 10.0.0.2 ----openvpn-tunnel-----pfsense------IPsec-tunnel------remote-site 172.17.20.0/24 --> NOT Working

    I think i have to configure some outbound NAT or Gateway / routing to accomplish this?

    regards



  • To the IPSec configuration you have to add an additional phase 2 for the OpenVPN tunnel network and the remote network on both sites.
    E.g. Local:
    local network: 10.0.0.0/24
    remote network: 172.17.16.0/24
    remote:
    local network: 172.17.16.0/24
    remote network: 10.0.0.0/24

    And in the OpenVPN settings, if not using "Redirect gateway", you have to add the remote network to the "IPv4 Local Network/s" to push the route to the clients.



  • Hi @viragomann

    thx for your reply!

    I made an extra phase 2 as suggested, my traffic goes now through the ipsec tunnel and comes back, but dont enter the openvpn tunnel again... what am i missing?

    10.0.0.3 --> IP from my Client connected over OpenVPN
    172.16.187.12 --> IP of the component in the remote subnet

    packet capture from openvpn Interface, pinging a component in the remote subnet -> no traffic comes back...
    openvpn_interface.png

    packet capture from IPsec interface, pinging the same component in the remote subnet -> traffic flows in both ways
    ipsec_interface.png

    So my ping reach the remote component, flows back over the IPsec tunnel but then goes lost...?



  • The second packet capture is also taken from the local pfSense, which is running the access OpenVPN server?

    Do you run multiple OpenVPN instances there, both server and clients?



  • Yes the capture is from the same pfsense box running the server - this boggles my mind, how is this not working, how does this traffic gets lost?

    there is only one OpenVPN Server running. The client from which the Ping originates is connected to this server. the component on the remote subnet receives the ping and sends it back to the pfSense over the IPsec tunnel as seen in the second capture but then it somehow get lost...



  • Strange. Did you already reboot the pfSense box?

    Some guys who had similar issues here succeed after pulling down the OpenVPN server or the whole pfSense and rebuild it again.


Log in to reply