Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Routing OpenVPN client through Site to site IPSEC

    Scheduled Pinned Locked Moved OpenVPN
    13 Posts 4 Posters 956 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      gaetanb76
      last edited by

      Hi

      I know that there are lots of topics regarding these problems but none of them are helpful enough.

      We have two sites connected with a site to site IPSEC VPN. On the first site, we have an OpenVPN server that allows users to work from home, and we would like to allow users connected with OpenVPN clients to access on the second site network.

      We already add a phase 2 for the OpenVPN network in the IPSEC configuration but we still can't access the second site network when connected to the OpenVPN server.

      This is our current configuration :

      Config:
      pfSense site1 (s2s)
      Phase 1 :

      Key Exchange version : ikev2
      Internet Protocol : IPV4
      Interface: WAN
      Remote Gateway: external IP of site 2
      Authentication Method : Mutual PSK
      Negotiation mode : Main
      My identifier : My IP Address
      Peer identifier : Peer IP Address
      Pre-shared Key : The preshared key generated (same on each side)
      Encryption Algorithm : AES 256bits SHA256 14(2048 bit)

      Two phase 2 :
      First one is to connect local network of site 1 to the local network of site 2 :

      Mode : Tunnel IPV4
      Local Network : LAN Subnet
      NAT/BINAT : NONE
      Remote Network : The network of site 2
      Protocol : ESP
      Encryption Algorithms : AES 256
      Hash Algorithms : SHA256
      PFS key group : 14

      The second one is the one we add trying to allow openvpn subnet on IPSec :

      Mode : Tunnel IPV4
      Local Network : OpenVPN network address
      NAT/BINAT : NONE
      Remote Network : The network of site 2
      Protocol : ESP
      Encryption Algorithms : AES 256
      Hash Algorithms : SHA256
      PFS key group : 14

      pfSense site2 (s2s)
      Phase 1 :

      Key Exchange version : ikev2
      Internet Protocol : IPV4
      Interface: WAN
      Remote Gateway: external IP of site 2
      Authentication Method : Mutual PSK
      Negotiation mode : Main
      My identifier : My IP Address
      Peer identifier : Peer IP Address
      Pre-shared Key : The preshared key generated (same on each side)
      Encryption Algorithm : AES 256bits SHA256 14(2048 bit)

      2 phase 2 :
      First one is to connect local network of site 1 to the local network of site 2 :

      Mode : Tunnel IPV4
      Local Network : LAN Subnet
      NAT/BINAT : NONE
      Remote Network : The network of site 1
      Protocol : ESP
      Encryption Algorithms : AES 256
      Hash Algorithms : SHA256
      PFS key group : 14

      The second one is the one we add trying to allow openvpn subnet on IPSec :

      Mode : Tunnel IPV4
      Local Network : LAN subnet
      NAT/BINAT : NONE
      Remote Network : OpenVPN network address
      Protocol : ESP
      Encryption Algorithms : AES 256
      Hash Algorithms : SHA256
      PFS key group : 14

      The rules on the firewall are configured to allow anything for testing purpose.
      With this config when we try to access on site 2 with OpenVPN clients, there is no answer.

      1 Reply Last reply Reply Quote 0
      • calvinsteelC
        calvinsteel Banned
        last edited by

        I think someone asked that question with some different protocol. https://forum.netgate.com/topic/151606/openvpn-site-to-site-not-working-after-configuration-restore

        1 Reply Last reply Reply Quote 0
        • G
          gaetanb76
          last edited by

          Thanks for your answer but that is not really the same question. My site to site VPN is working and computers on site 1 can communicate with computers on site 2 and vice versa but computers connected to site 1 with OpenVPN clients can't communicate with Site 2.

          JKnottJ 1 Reply Last reply Reply Quote 0
          • JKnottJ
            JKnott @gaetanb76
            last edited by

            @gaetanb76

            That is not the way the subject reads. I understood it to mean you were trying to send OpenVPN packets through IPSec, which shouldn't be a problem. However, in your comment, you say someone connected to site 1 via OpenVPN can't reach site 2. That's a routing problem. You have to specify a route from the OpenVPN clients to site 2.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            1 Reply Last reply Reply Quote 0
            • G
              gaetanb76
              last edited by

              Hello, I'm sorry if I didn't explain correctly before. Yes it looks like a routing probleme but I add a a "push route " in the OpenVPN server configuration and it still don't work.

              JKnottJ 1 Reply Last reply Reply Quote 0
              • JKnottJ
                JKnott @gaetanb76
                last edited by

                @gaetanb76

                Does site 2 somehow know about that pushed route? I doubt it, so you'll need to configure a route there.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                1 Reply Last reply Reply Quote 0
                • G
                  gaetanb76
                  last edited by

                  yes it seems that site 2 don't know a route to the OpenVPN subnet but there is nowhere I can configure a route because my IPSec don't have an interface in pfsense to add a gateway and a route.

                  JKnottJ 1 Reply Last reply Reply Quote 0
                  • JKnottJ
                    JKnott @gaetanb76
                    last edited by JKnott

                    @gaetanb76

                    You don't add routing within a VPN. A VPN is just another IP connection. You do it in the pfSense routing page. It's in System / Routing / Static Routes.

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                    1 Reply Last reply Reply Quote 0
                    • G
                      gaetanb76
                      last edited by

                      I add a route on site 2 in PFsense and it's still not working.

                      The network of OpenVPN is 10.10.181.0/24
                      The local network of Site 1 is 172.16.0.0/16
                      The local network of site 2 is 192.168.255.0/24

                      so, in the openvpn configuration I add this command to push routes :
                      push "route 192.168.255.0 255.255.255.0 10.10.181.1"

                      And on the site 2 in System / Routing / Static Routes. I add a route to 10.10.181.0/24 using the WAN gateway (the only one we have).

                      With this configuration it is not working, I can’t communicate from a computer connected to OpenVPN Server to Site 2, I can only communicate with site A computers.

                      Thank you for trying to help me, I'm a beginner.

                      1 Reply Last reply Reply Quote 0
                      • dotdashD
                        dotdash
                        last edited by

                        On the OpenVPN side, you shouldn't need a push route, just 172.16.0.0/16, 192.168.255.0/24 in your local nets. On the IPsec side, you need a phase2 for the site1 lan and openvpn network to the site2 network.

                        G 1 Reply Last reply Reply Quote 0
                        • G
                          gaetanb76 @dotdash
                          last edited by

                          @dotdash Hi, Thanks for your answer. I just tried without the push route on the OpenVPN side and I already had phase 2 for OpenVPN subnet and LAN subnet on each side but it is still not working.

                          It is like the request from openvpn clients to site 2 are not forwarding to the IPSEC Tunnel even with Allow ANY on the pfsense firewall.

                          1 Reply Last reply Reply Quote 0
                          • dotdashD
                            dotdash
                            last edited by

                            The only firewall rules you'd need to check would be openvpn and ipsec (both sides). It's safe to test with any any on those tabs. Start a continuous ping or something, then check the states on both sides.

                            1 Reply Last reply Reply Quote 0
                            • G
                              gaetanb76
                              last edited by

                              Hello, thank you all for your help, it now works with a route from site 2 to OpenVPN and a push route from openvpn to site 2. It seems that IPsec needed à restart.

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.