OpenVPN client subnet is not routed to IPSec tunnel



  • Hi,

    There're two pfSense routers with IPSec tunnel setup in between. It's working fine with a single Phase2 entry which routes LAN traffic to the tunnel:
    8e1a0100-ce75-4532-9abf-d7264dc84e7e-image.png

    Now I added OpenVPN client subnet (well, for testing purposes just a single client IP at the moment) as a 2nd Phase2 entry:
    6775c7aa-b380-4921-b178-cbeadee5d068-image.png

    172.26.1.1 is local pfSense; I'm able to ping remote side from this IP:

    # ping -S 172.26.1.1 10.100.10.114
    PING 10.100.10.114 (10.100.10.114) from 172.26.1.1: 56 data bytes
    64 bytes from 10.100.10.114: icmp_seq=0 ttl=63 time=143.874 ms
    

    When pinging from openvpn client, I see the traffic coming into pfsense, but no traffic goes to the tunnel:

    # tcpdump -nn -i ovpns3 host 10.100.10.114 and icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ovpns3, link-type NULL (BSD loopback), capture size 262144 bytes
    15:45:08.440499 IP 192.168.210.178 > 10.100.10.114: ICMP echo request, id 1, seq 242, length 40
    ^C
    1 packet captured
    3968 packets received by filter
    0 packets dropped by kernel
    
    # tcpdump -nn -i enc0 host 10.100.10.114 and icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 262144 bytes
    ^C
    0 packets captured
    50 packets received by filter
    0 packets dropped by kernel
    

    There're no blocking rules on in the firewall:
    03ba0e98-b6fa-47ed-8a3c-97b131fc8951-image.png
    9277be5c-5bc0-4437-af71-04889e169687-image.png

    # cat /usr/local/etc/ipsec.conf
    config setup
            uniqueids = yes
    
    conn con2000
            fragmentation = yes
            keyexchange = ikev2
            reauth = yes
            forceencaps = no
            mobike = no
    
            rekey = yes
            installpolicy = yes
            type = tunnel
            dpdaction = restart
            dpddelay = 10s
            dpdtimeout = 60s
            auto = route
            left = 95.x.x.x
            right = 66.x.x.x
            leftid = fqdn:axxxxxxxx
            ikelifetime = 3600s
            lifetime = 3600s
            ike = aes128gcm128-aesxcbc-modp2048!
            esp = aes128gcm128-modp1024,aes128gcm128-modp2048,aes128gcm128-modp2048,aes128gcm128-modp2048,aes128gcm128-modp2048!
            leftauth = psk
            rightauth = psk
            rightid = 66.x.x.x
            rightsubnet = 10.100.0.0/16
            leftsubnet = 172.26.0.0/16,172.26.1.1|192.168.210.178
    

    Please, help me figure out why the packets do not reach the ipsec tunnel.


  • LAYER 8 Moderator

    Why are you doing BiNAT on your VPN Subnet (192.168.x.x) in the first place and not simply using it like your 10.100.0.0/16 in the first P2 phase?

    Also did you configure your OpenVPN tunnel to actually route 10.100.0.0/16 via your VPN? Otherwise it won't reach pfsense in the first place.



  • It's b/c I don't want to make the other side aware of another subnet - it might be in use.

    Also did you configure your OpenVPN tunnel to actually route 10.100.0.0/16 via your VPN? Otherwise it won't reach pfsense in the first place.

    Where should I set this up?
    As I mentioned, I do see the openvpn client traffic coming into pfsense thru the openvpn connection (see tcpdump -i ovnps3 output in my 1st message)


  • LAYER 8 Moderator

    @jazzl0ver said in OpenVPN client subnet is not routed to IPSec tunnel:

    Where should I set this up?

    in your OpenVPN Server - where you define the "local" networks. There you can add further networks by adding them comma separated.



  • Yes, the route is in place. Otherwise I wouldn't see incoming packets in pfsense from my openvpn client.


  • LAYER 8 Moderator

    OK if it is seen inbound on the ovpns interface, the route is there. :)

    If it's not outbound via the IPsec tunnel (enc0) then the route from your OVPN RAS network isn't defined in a P2 of your tunnel so it isn't picked up by the ipsec service.

    What is your OVPN tunnel network? The network your client gets assigned an address after dialing in?
    Also if you want to hide it, I'd use a simpler BiNAT to an address that is not used on your firewall or the other sides network.



  • Looks like you didn't read my 1st message completely :( I specifically showed my ipsec config. Check this part:

            rightsubnet = 10.100.0.0/16
            leftsubnet = 172.26.0.0/16,172.26.1.1|192.168.210.178
    

    So, I guess, this defines the P2 route.

    My OVPN network is 192.168.210.128/26.

    What do you mean by "simpler BiNAT"? I'm trying to use the ipsec functionality that is well-documented in pfSense docs (https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/nat-with-ipsec-phase-2-networks.html).


  • LAYER 8 Moderator

    No, I didn't ignore it, but as I wrote you map your OVPN network to an IP probably in use in another phase or on the LAN? That's why I was mentioning, you should use another network or IP that isn't used on either side if you want to BiNAT or outbound NAT your 192.168.210.x/26 network

    Also you were only NATting the specific IP .178 so if you didn't do some magic in OpenVPN you could get another random IP from your /26 subnet that won't get routed through the tunnel.

    So you should setup your additional phase 2 to something like

    • local net: 192.168.210.126/26
    • BiNAT: <some IP NOT from your LAN or any network on the remote side>
    • remote: 10.100.0.0/16

    Sorry if you think I overlooked some details but you e.g. didn't tell us what the LAN(s) on pfSense or remote side are so I can only guess which IP ranges are in play and why your address of 172.26.1.1 didn't work. Is 172.26.1.0/24 the pfSense LAN side? Or is 172.26.x.y in use there?
    How is the other side configured? Both P2s there? How is the additional P2 setup on the remote side?



  • The point is that I want to use just a single P2 entry:

             left                        right
    172.26.0.0/16 -- ipsec tunnel -- 10.100.0.0/16
    

    and NAT any other possible subnets from the left side to the existing P2 left subnet or address (from 172.26.0.0/16 range).

    Are you saying it's not possible?

    PS Yes, I made that magic and openvpn always gives me a certain IP.
    PPS left LAN is 172.26.0.0 /16
    PPPS The other side has a single P2 entry (why are you saying both P2s?) with the same subnets (just swapped). As I said, ipsec tunnel works well, I can ping the other side from pfSense's IP (172.26.1.1) as well as from other left LAN PCs.


  • LAYER 8 Moderator

    Are you saying it's not possible?

    Actually I'm not sure. Never even thought of using it that way but it could make problems as the 172.26.1.1 is on your LAN side and NATting ovpns0 to enc0 with that could screw with some routing logic as perhaps the IPsec deamon only picks it up coming from LAN. Could be that the rewriting done by NAT comes too late for that. But just a guess here.

    PS Yes, I made that magic and openvpn always gives me a certain IP.

    Alright, just wanted to check :)

    The other side has a single P2 entry (why are you saying both P2s?)

    Because the way I'd have it set up would have been like NATting the OVPN network to some IP not in use, say 172.27.1.1 and add another P2 entry to both sides with the corresponding network.


  • LAYER 8 Moderator

    Addendum:

    AH now I understand (after your edit with the "I want to use a single P2 entry"

    Could you post your IPsec P2 again please?
    I think I know why (and that) it won't work?



  • Sure.

    # cat /var/etc/ipsec/ipsec.conf
    # This file is automatically generated. Do not edit
    config setup
            uniqueids = yes
    
    conn con2000
            fragmentation = yes
            keyexchange = ikev2
            reauth = yes
            forceencaps = no
            mobike = no
    
            rekey = yes
            installpolicy = yes
            type = tunnel
            dpdaction = restart
            dpddelay = 10s
            dpdtimeout = 60s
            auto = route
            left = 95.x.x.x
            right = 66.x.x.x
            leftid = fqdn:axxxxxxx
            ikelifetime = 3600s
            lifetime = 3600s
            ike = aes128gcm128-aesxcbc-modp2048!
            esp = aes128gcm128-modp1024,aes128gcm128-modp2048!
            leftauth = psk
            rightauth = psk
            rightid = 66.x.x.x
            rightsubnet = 10.100.0.0/16
            leftsubnet = 172.26.0.0/16,172.26.1.1|192.168.210.178
    

    9f67390c-0ea4-430d-98a6-1a1df240868d-image.png

    3282d82e-5448-4250-b1f2-0917bd22988c-image.png

    a7f446c4-b088-462f-9abb-0571504f0acb-image.png

    (And, yes, I tried to disconnect ipsec tunnel and restart ipsec daemon to make the changes applied for sure)


  • LAYER 8 Moderator

    So you have two phase 2 entries, not just one. Do you have that on the other side, too? As you wrote:

    The point is that I want to use just a single P2 entry:

    I thought you only had one? If you define 2 P2s on one side, that has to match the other side. There's no way you can run "just one" on the other side. The Phases have to match.

    Greets
    \jens



  • That makes sense! I indeed missed that point. Thanks for the explanation!

    Is there a way to NAT a local subnet/address into pfsense's address, so it would travel thru the ipsec tunnel?
    I just tried to add 192.168.210.178 to outbound nat but that didn't work:
    06525de4-c5a3-427b-97bb-015d54f1d553-image.png
    (Also tried to specify "Interface address" in NAT Address field)


  • LAYER 8 Moderator

    Hmm, I don't think that outbound NAT will work on IPsec with a NAT address from LAN but I'm unsure.

    But as you told us in the OP, that both ends are pfSense? You could change the tunnel to an VTI style tunnel, then you can simply route your networks via the transfer net you define on the VTI phase and as there's a pseudo interface like in OVPN, it should also be possible to NAT traffic to your hearts content ;) as your tunnel has a fixed IP on one and the other side (the tunnel transfer net/gws) that you can NAT on.



  • Yeah, I'm aware of VTI, but this is not always possible. Anyway, thank you for your valuable help!


  • LAYER 8 Moderator

    Glad I could be helping you :)


Log in to reply