Routing OpenVPN client through Site to site IPSEC



  • Hi

    I know that there are lots of topics regarding these problems but none of them are helpful enough.

    We have two sites connected with a site to site IPSEC VPN. On the first site, we have an OpenVPN server that allows users to work from home, and we would like to allow users connected with OpenVPN clients to access on the second site network.

    We already added a phase 2 for the OpenVPN network in the IPSEC configuration, but we still can't access the second site network when connected to the OpenVPN server.

    This is our current configuration:

    Config:
    pfSense site1 (s2s)
    Phase 1 :

    Key Exchange version : ikev2
    Internet Protocol : IPV4
    Interface: WAN
    Remote Gateway: external IP of site 2
    Authentication Method : Mutual PSK
    Negotiation mode : Main
    My identifier : My IP Address
    Peer identifier : Peer IP Address
    Pre-shared Key : The preshared key generated (same on each side)
    Encryption Algorithm : AES 256bits SHA256 14(2048 bit)

    Two phase 2 :
    First one is to connect local network of site 1 to the local network of site 2 :

    Mode : Tunnel IPV4
    Local Network : LAN Subnet
    NAT/BINAT : NONE
    Remote Network : The network of site 2
    Protocol : ESP
    Encryption Algorithms : AES 256
    Hash Algorithms : SHA256
    PFS key group : 14

    The second one is the one we added, trying to allow the openvpn subnet on IPSec:

    Mode : Tunnel IPV4
    Local Network : OpenVPN network address
    NAT/BINAT : NONE
    Remote Network : The network of site 2
    Protocol : ESP
    Encryption Algorithms : AES 256
    Hash Algorithms : SHA256
    PFS key group : 14

    pfSense site2 (s2s)
    Phase 1 :

    Key Exchange version : ikev2
    Internet Protocol : IPV4
    Interface: WAN
    Remote Gateway: external IP of site 2
    Authentication Method : Mutual PSK
    Negotiation mode : Main
    My identifier : My IP Address
    Peer identifier : Peer IP Address
    Pre-shared Key : The preshared key generated (same on each side)
    Encryption Algorithm : AES 256bits SHA256 14(2048 bit)

    Two phase 2:
    First one is to connect local network of site 1 to the local network of site 2:

    Mode : Tunnel IPV4
    Local Network : LAN Subnet
    NAT/BINAT : NONE
    Remote Network : The network of site 1
    Protocol : ESP
    Encryption Algorithms : AES 256
    Hash Algorithms : SHA256
    PFS key group : 14

    The second one is the one we added, trying to allow the openvpn subnet on IPSec:

    Mode : Tunnel IPV4
    Local Network : LAN subnet
    NAT/BINAT : NONE
    Remote Network : OpenVPN network address
    Protocol : ESP
    Encryption Algorithms : AES 256
    Hash Algorithms : SHA256
    PFS key group : 14

    The rules on the firewall are configured to allow anything for testing purposes.
    With this config, when we try to access site 2 with OpenVPN clients, there is no answer.


  • I think someone asked that question with some different protocol. https://forum.netgate.com/topic/151606/openvpn-site-to-site-not-working-after-configuration-restore



  • Thanks for your answer but that is not really the same question. My site to site VPN is working and computers on site 1 can communicate with computers on site 2 and vice versa but computers connected to site 1 with OpenVPN clients can't communicate with Site 2.



  • @gaetanb76

    That is not the way the subject reads. I understood it to mean you were trying to send OpenVPN packets through IPSec, which shouldn't be a problem. However, in your comment, you say someone connected to site 1 via OpenVPN can't reach site 2. That's a routing problem. You have to specify a route from the OpenVPN clients to site 2.



  • Hello, I'm sorry if I didn't explain correctly before. Yes, it looks like a routing problem, but I added a "push route" in the OpenVPN server configuration and it still doesn't work.



  • @gaetanb76

    Does site 2 somehow know about that pushed route? I doubt it, so you'll need to configure a route there.



  • Yes, it seems that site 2 doesn't know a route to the OpenVPN subnet, but there is nowhere I can configure a route because my IPSec doesn't have an interface in pfSense to add a gateway and a route.



  • @gaetanb76

    You don't add routing within a VPN. A VPN is just another IP connection. You do it in the pfSense routing page. It's in System / Routing / Static Routes.



  • I added a route on site 2 in pfSense and it's still not working.

    The network of OpenVPN is 10.10.181.0/24
    The local network of Site 1 is 172.16.0.0/16
    The local network of site 2 is 192.168.255.0/24

    So, in the OpenVPN configuration I added this command to push routes:
    push "route 192.168.255.0 255.255.255.0 10.10.181.1"

    And on site 2, in System / Routing / Static Routes, I added a route to 10.10.181.0/24 using the WAN gateway (the only one we have).

    With this configuration it is not working. I can't communicate from a computer connected to the OpenVPN server to site 2; I can only communicate with site A computers.

    Thank you for trying to help me, I'm a beginner.



  • On the OpenVPN side, you shouldn't need a push route, just 172.16.0.0/16, 192.168.255.0/24 in your local nets. On the IPsec side, you need a phase2 for the site1 lan and openvpn network to the site2 network.
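A small check for the phase-2 symmetry described in the answer above, added here as an example and not part of the thread or of pfSense: it models the selectors the poster listed (constructed from the thread's subnets) and reports whether a given OpenVPN-client-to-site-2 flow is covered by a selector on the initiating side and by the mirrored selector on the peer, which is what the return traffic needs.

```python
import ipaddress
from typing import List, Optional, Tuple

Selector = Tuple[str, str]  # (local network, remote network) of one phase 2

# Constructed from the subnets given in the thread.
# Site 1 (OpenVPN server side) phase-2 entries:
SITE1_P2: List[Selector] = [
    ("172.16.0.0/16", "192.168.255.0/24"),   # site 1 LAN  <-> site 2 LAN
    ("10.10.181.0/24", "192.168.255.0/24"),  # OpenVPN net <-> site 2 LAN
]
# Site 2 must carry every pair with local/remote swapped.
SITE2_P2: List[Selector] = [
    ("192.168.255.0/24", "172.16.0.0/16"),
    ("192.168.255.0/24", "10.10.181.0/24"),
]


def matching_phase2(src: str, dst: str, p2: List[Selector]) -> Optional[Selector]:
    """Return the first selector whose local net holds src and remote net holds dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in p2:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return (local, remote)
    return None


def flow_is_covered(src: str, dst: str, a_p2: List[Selector], b_p2: List[Selector]) -> bool:
    """A flow only works when side A can send src->dst through a phase 2
    and side B can send the reply dst->src through its mirrored phase 2."""
    outbound = matching_phase2(src, dst, a_p2)
    reply = matching_phase2(dst, src, b_p2)
    return outbound is not None and reply is not None


def missing_mirror(a_p2: List[Selector], b_p2: List[Selector]) -> List[Selector]:
    """List side-A entries that have no (remote, local) counterpart on side B."""
    mirrored = {(ipaddress.ip_network(r), ipaddress.ip_network(l)) for l, r in b_p2}
    return [
        (l, r) for l, r in a_p2
        if (ipaddress.ip_network(l), ipaddress.ip_network(r)) not in mirrored
    ]


if __name__ == "__main__":
    # An OpenVPN client (10.10.181.5) reaching a site-2 host (192.168.255.20).
    print(flow_is_covered("10.10.181.5", "192.168.255.20", SITE1_P2, SITE2_P2))
    # Same flow if site 2 had only its LAN<->LAN phase 2, as in the poster's first attempt.
    print(missing_mirror(SITE1_P2, SITE2_P2[:1]))
```

The selector check says nothing about routing: site 2 still needs a route for the OpenVPN subnet and the client still needs a route to site 2, as the thread goes on to confirm.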



  • @dotdash Hi, Thanks for your answer. I just tried without the push route on the OpenVPN side and I already had phase 2 for OpenVPN subnet and LAN subnet on each side but it is still not working.

    It is like the requests from OpenVPN clients to site 2 are not forwarded to the IPSEC tunnel, even with Allow ANY on the pfSense firewall.



  • The only firewall rules you'd need to check would be openvpn and ipsec (both sides). It's safe to test with any any on those tabs. Start a continuous ping or something, then check the states on both sides.



  • Hello, thank you all for your help. It now works with a route from site 2 to OpenVPN and a push route from OpenVPN to site 2. It seems that IPsec needed a restart.

