OpenVPN client to remote IPsec network



  • OpenVPN clients -> pfSense -> IPsec remote network

    LAN: 10.0.200.0/24
    OpenVPN clients: 10.0.201.0/24
    Remote IPsec network: 10.0.202.0/24

    I have a pfSense router with OpenVPN and IPsec configured. I want OpenVPN clients (me, remotely working) to be able to access the remote IPsec network. But when I ping from an OpenVPN client to the IPsec remote network, the pings exit via the pfSense WAN interface with no encapsulation.

    The IPsec connection is definitely working because I can access the remote IPsec network from local LAN IPs.

    Both routers are pfSense. I have set up appropriate Phase 2 entries on both the local pfSense and the remote IPsec pfSense router. I've made sure the firewall rules pass the traffic.

    I found documentation about IPsec and traffic from the firewall itself and how you need to do a trick to fake it out by setting up a gateway and static route to prevent packets from exiting via the WAN. Figuring this might apply to my situation too, I tried something like that solution, where destination 10.0.202.0/24 traffic is forwarded to a gateway set to the firewall's LAN IP 10.0.200.1, but this caused a routing loop with ICMP exceeded responses to the OpenVPN client.

    Various threads around here make it sound like all that's required are the Phase 2 entries I set up, but it's not working for me.

    One oddity I noticed that may provide a clue is that the IPsec Status > SPD tab on the local pfSense shows no entries for the OpenVPN 10.0.201.0/24 network, which isn't expected. But the IPsec remote pfSense does show the entries, as expected.

    Any ideas?
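    The symptom in this post (pings leaving the WAN unencapsulated) is what an IPsec policy database produces when no Phase 2 selector pair covers the packet's source and destination: the kernel finds no matching policy, so the packet simply follows the routing table to the default gateway. The script below is an added illustration of that selection logic, not code from the poster or from pfSense; it models Phase 2 entries as (local, remote) selector pairs with simple first-match semantics and uses the three subnets from the post as constructed input. The function names and the "wan" vs "ipsec" labels are this example's own assumptions.

```python
"""Model how an IPsec security policy database (SPD) selects traffic.

Constructed example: Phase 2 entries are (local, remote) selector pairs.
A packet is encapsulated only if some pair covers its (src, dst); otherwise
it falls through to ordinary routing, i.e. the default route via WAN.
"""
import ipaddress

# Subnets taken from the post.
LAN = "10.0.200.0/24"
OPENVPN_CLIENTS = "10.0.201.0/24"
REMOTE = "10.0.202.0/24"

# Assumed starting configuration: only the LAN has a Phase 2 to the remote site.
PHASE2_LAN_ONLY = [(LAN, REMOTE)]


def matching_policy(phase2, src_ip, dst_ip):
    """Return the first (local, remote) pair whose selectors cover src->dst, else None."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for local, remote in phase2:
        if src in ipaddress.ip_network(local) and dst in ipaddress.ip_network(remote):
            return (local, remote)
    return None


def egress(phase2, src_ip, dst_ip):
    """'ipsec' if an SPD policy applies; 'wan' means plain routing with no encapsulation."""
    return "ipsec" if matching_policy(phase2, src_ip, dst_ip) else "wan"


def missing_phase2(phase2, local_nets, remote_net):
    """List the local networks that have no Phase 2 selector towards remote_net.

    A local network counts as covered only if some entry's local selector
    contains the whole network and its remote selector contains remote_net.
    """
    remote = ipaddress.ip_network(remote_net)
    missing = []
    for net in local_nets:
        candidate = ipaddress.ip_network(net)
        covered = any(
            candidate.subnet_of(ipaddress.ip_network(local))
            and remote.subnet_of(ipaddress.ip_network(rem))
            for local, rem in phase2
        )
        if not covered:
            missing.append(net)
    return missing


if __name__ == "__main__":
    # LAN host: covered by the existing Phase 2, so it is encapsulated.
    print("LAN host ->", egress(PHASE2_LAN_ONLY, "10.0.200.50", "10.0.202.10"))
    # OpenVPN client: no selector covers 10.0.201.0/24, so it leaves via WAN.
    print("VPN client ->", egress(PHASE2_LAN_ONLY, "10.0.201.6", "10.0.202.10"))
    print("Networks lacking a Phase 2:",
          missing_phase2(PHASE2_LAN_ONLY, [LAN, OPENVPN_CLIENTS], REMOTE))
    # Adding the missing pair on this side (and its mirror on the remote side)
    # is what makes the client traffic match a policy.
    fixed = PHASE2_LAN_ONLY + [(OPENVPN_CLIENTS, REMOTE)]
    print("VPN client after fix ->", egress(fixed, "10.0.201.6", "10.0.202.10"))
```

The `missing_phase2` check is the same question the poster's SPD tab answers: which source networks have a policy towards 10.0.202.0/24 and which do not. Note that the remote peer needs the mirrored selector pair, since each side's SPD only matches what it has been configured with.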



  • @scurrier It's inexplicably working now. Maybe one of the NAT changes I made took after I tested it earlier. I will explore more later and see if I can report back on what the issue was.



  • The problem was indeed the NAT/BINAT setting in the associated phase 2. When I set it to a single IP address, the traffic exits the local pfSense via the WAN. When I set it to None, the tunnel works but without the NAT obviously. How do I enable NAT correctly here?
