Routing OpenVPN client through Site to site IPSEC
-
Hi
I know that there are lots of topics regarding these problems but none of them are helpful enough.
We have two sites connected with a site to site IPSEC VPN. On the first site, we have an OpenVPN server that allows users to work from home, and we would like to allow users connected with OpenVPN clients to access on the second site network.
We already add a phase 2 for the OpenVPN network in the IPSEC configuration but we still can't access the second site network when connected to the OpenVPN server.
This is our current configuration :
Config:
pfSense site1 (s2s)
Phase 1 :Key Exchange version : ikev2
Internet Protocol : IPV4
Interface: WAN
Remote Gateway: external IP of site 2
Authentication Method : Mutual PSK
Negotiation mode : Main
My identifier : My IP Address
Peer identifier : Peer IP Address
Pre-shared Key : The preshared key generated (same on each side)
Encryption Algorithm : AES 256bits SHA256 14(2048 bit)Two phase 2 :
First one is to connect local network of site 1 to the local network of site 2 :Mode : Tunnel IPV4
Local Network : LAN Subnet
NAT/BINAT : NONE
Remote Network : The network of site 2
Protocol : ESP
Encryption Algorithms : AES 256
Hash Algorithms : SHA256
PFS key group : 14The second one is the one we add trying to allow openvpn subnet on IPSec :
Mode : Tunnel IPV4
Local Network : OpenVPN network address
NAT/BINAT : NONE
Remote Network : The network of site 2
Protocol : ESP
Encryption Algorithms : AES 256
Hash Algorithms : SHA256
PFS key group : 14pfSense site2 (s2s)
Phase 1 :Key Exchange version : ikev2
Internet Protocol : IPV4
Interface: WAN
Remote Gateway: external IP of site 2
Authentication Method : Mutual PSK
Negotiation mode : Main
My identifier : My IP Address
Peer identifier : Peer IP Address
Pre-shared Key : The preshared key generated (same on each side)
Encryption Algorithm : AES 256bits SHA256 14(2048 bit)2 phase 2 :
First one is to connect local network of site 1 to the local network of site 2 :Mode : Tunnel IPV4
Local Network : LAN Subnet
NAT/BINAT : NONE
Remote Network : The network of site 1
Protocol : ESP
Encryption Algorithms : AES 256
Hash Algorithms : SHA256
PFS key group : 14The second one is the one we add trying to allow openvpn subnet on IPSec :
Mode : Tunnel IPV4
Local Network : LAN subnet
NAT/BINAT : NONE
Remote Network : OpenVPN network address
Protocol : ESP
Encryption Algorithms : AES 256
Hash Algorithms : SHA256
PFS key group : 14The rules on the firewall are configured to allow anything for testing purpose.
With this config when we try to access on site 2 with OpenVPN clients, there is no answer. -
I think someone asked that question with some different protocol. https://forum.netgate.com/topic/151606/openvpn-site-to-site-not-working-after-configuration-restore
-
Thanks for your answer but that is not really the same question. My site to site VPN is working and computers on site 1 can communicate with computers on site 2 and vice versa but computers connected to site 1 with OpenVPN clients can't communicate with Site 2.
-
That is not the way the subject reads. I understood it to mean you were trying to send OpenVPN packets through IPSec, which shouldn't be a problem. However, in your comment, you say someone connected to site 1 via OpenVPN can't reach site 2. That's a routing problem. You have to specify a route from the OpenVPN clients to site 2.
-
Hello, I'm sorry if I didn't explain correctly before. Yes it looks like a routing probleme but I add a a "push route " in the OpenVPN server configuration and it still don't work.
-
Does site 2 somehow know about that pushed route? I doubt it, so you'll need to configure a route there.
-
yes it seems that site 2 don't know a route to the OpenVPN subnet but there is nowhere I can configure a route because my IPSec don't have an interface in pfsense to add a gateway and a route.
-
You don't add routing within a VPN. A VPN is just another IP connection. You do it in the pfSense routing page. It's in System / Routing / Static Routes.
-
I add a route on site 2 in PFsense and it's still not working.
The network of OpenVPN is 10.10.181.0/24
The local network of Site 1 is 172.16.0.0/16
The local network of site 2 is 192.168.255.0/24so, in the openvpn configuration I add this command to push routes :
push "route 192.168.255.0 255.255.255.0 10.10.181.1"And on the site 2 in System / Routing / Static Routes. I add a route to 10.10.181.0/24 using the WAN gateway (the only one we have).
With this configuration it is not working, I can’t communicate from a computer connected to OpenVPN Server to Site 2, I can only communicate with site A computers.
Thank you for trying to help me, I'm a beginner.
-
On the OpenVPN side, you shouldn't need a push route, just 172.16.0.0/16, 192.168.255.0/24 in your local nets. On the IPsec side, you need a phase2 for the site1 lan and openvpn network to the site2 network.
-
@dotdash Hi, Thanks for your answer. I just tried without the push route on the OpenVPN side and I already had phase 2 for OpenVPN subnet and LAN subnet on each side but it is still not working.
It is like the request from openvpn clients to site 2 are not forwarding to the IPSEC Tunnel even with Allow ANY on the pfsense firewall.
-
The only firewall rules you'd need to check would be openvpn and ipsec (both sides). It's safe to test with any any on those tabs. Start a continuous ping or something, then check the states on both sides.
-
Hello, thank you all for your help, it now works with a route from site 2 to OpenVPN and a push route from openvpn to site 2. It seems that IPsec needed à restart.
