Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    (SOLVED) IPSec with VPN clients

    Scheduled Pinned Locked Moved IPsec
    6 Posts 2 Posters 645 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pvn
      last edited by pvn

      I have successfully connected two offices with pfSense and IPSec:

      Office A:
      LAN: 10.0.0.1/16
      VPN: 172.16.123.1/24

      IPSec P2 configuration 1:
      Local Subnet: LAN (which is 10.0.0.0/16)
      Remote Subnet: 10.1.0.0/16

      IPSec P2 configuration 2:
      Local Subnet: 172.16.123.0/24
      Remote Subnet: 10.1.0.0/16

      Office B:
      LAN: 10.1.0.1/16
      VPN: 172.16.122.1/24

      IPSec P2 configuration 1:
      Local Subnet: LAN (which is 10.1.0.0/16)
      Remote Subnet: 10.0.0.0/16

      IPSec P2 configuration 2:
      Local Subnet: 172.16.122.0/24
      Remote Subnet: 10.0.0.0/16

      In both OpenVPN servers I have:
      IPv4 Local networks: 10.0.0.0/16, 10.1.0.0/16
      I am successfully pushing both routes to the VPN clients.

      Computers from LAN A can ping computers from LAN B over the IPSec tunnel. The opposite is also true.
      VPN clients connected to Office A can ping computers in LAN A
      VPN clients connected to Office B can ping computers in LAN B

      The problem: VPN clients connected to Office A cannot ping computers in LAN B.
      VPN clients connected to Office B cannot ping computers in LAN A.

      The firewall is wide open.

      Any ideas?

      N 1 Reply Last reply Reply Quote 0
      • N
        netblues @pvn
        last edited by

        @pvn Are you allowing (protecting in ipsec terminology) the openvpn ip's at the p2 level of ipsec?
        A second thing would be, unless pf is also the default gateway for both sites, if hosts have necessary routes for other sites openvpn addresses.

        1 Reply Last reply Reply Quote 0
        • P
          pvn
          last edited by pvn

          Yes, in both sites in IPSec configuration I have two P2: One for LAN to LAN and the second one for VPN subnet to LAN.
          Local LAN to Remote LAN works. VPN to Local LAN also works. VPN to Remote LAN does not work.

          ipsec_p2.png

          pfSense is default gateway in both sites.

          N 1 Reply Last reply Reply Quote 0
          • N
            netblues @pvn
            last edited by

            @pvn I haven't tried it but it seems that 172.16.xx.xx is remote traffic for ipsec Try changing the mask on all p2 negotiations to 172.16.0.0/16 and or check ip sec logs...
            If its not firewalling and not routing, it has to be ipsec....

            1 Reply Last reply Reply Quote 0
            • P
              pvn
              last edited by pvn

              172.16.123.0/24 is the IPv4 Tunnel Network for Office A
              172.16.122.0/24 is the IPv4 Tunnel Network for Office B

              I am seeing the following in the IPSec logs:

              Jan 5 09:44:11	charon		10[CFG] <con1000|4> config: 10.1.0.0/16|/0, received: 10.1.0.0/16|/0 => match: 10.1.0.0/16|/0
              Jan 5 09:44:11	charon		10[CFG] <con1000|4> config: 172.16.122.0/24|/0, received: 10.1.0.0/16|/0 => no match
              
              
              Jan 5 09:44:11	charon		10[CFG] <con1000|4> config: 10.0.0.0/16|/0, received: 10.0.0.0/16|/0 => match: 10.0.0.0/16|/0
              Jan 5 09:44:11	charon		10[CFG] <con1000|4> config: 10.0.0.0/16|/0, received: 172.16.123.0/24|/0 => no match
              

              I am pretty sure my second P2 for the VPN subnet is incorrect. Could someone help me with that?

              1 Reply Last reply Reply Quote 0
              • P
                pvn
                last edited by pvn

                I solved it!

                As suspected the problem was in the second P2 that is dealing with the VPN subnet. Each P2 should have a match on the other site but mirrored. And since I needed:

                VPN clients connected to Office A to be able to access machines in Office B LAN
                and
                VPN clients connected to Office B to be able to access machines in Office A LAN

                This required a third pair of P2 on both sides.

                ipsec_p2_final.png

                Thanks @netblues for the ideas!

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.