Client connected via OpenVPN, not routing through IPSec
I have 2 sites connected via IPSec tunnel (and soon a third site). One site, let's call it A, provides VPN service using OpenVPN. When pinging an address at site B, I get the following message:
36 bytes from 10.3.20.1: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 aa2d   0 0000  01  01 0000 10.3.101.2  10.0.20.23
Request timeout for icmp_seq 0
Capturing the traffic on site A's OpenVPN server interface:
10:01:12.219901 IP 10.3.20.1 > 10.3.101.2: ICMP time exceeded in-transit, length 72
10:01:14.377123 IP 10.3.101.1 > 10.3.101.2: ICMP time exceeded in-transit, length 36
10:01:14.399681 IP 10.3.101.1 > 10.3.101.2: ICMP time exceeded in-transit, length 36
10:01:14.412161 IP 10.3.101.1 > 10.3.101.2: ICMP time exceeded in-transit, length 36
10:01:14.435558 IP 10.3.20.1 > 10.3.101.2: ICMP time exceeded in-transit, length 36
When ssh'ing into site A's gateway, I can ping the address in site A's subnet. I can log into site B's gateway and ping addresses in site A's subnets. So, I guess the IPSec tunnel might be configured correctly.
There are several subnets on each site (seven at the moment). I configured a phase 2 for each of the subnets. The config looks like this:
Local Network: <specific> subnet
Remote Network: <corresponding subnet on other site>
As IPSec is somewhat new to me, I cannot rule out that I botched that part. :-)
Can someone point me in the right direction?
You also need a phase 2 for the OpenVPN tunnel network on both IPsec routers for each network you want to access on site B.
@viragomann Oh, thanks. Sometimes it's so 'easy'.
Now, at least, the ping reaches the ovpns2 interface on site A in a form that's more like what I expect. But it still doesn't get routed through enc0. I checked whether I needed additional static routes or gateways, but there's nothing to consider regarding the OpenVPN subnet as far as I see (which might not be far enough).
So, site A receives ICMP echo requests at ovpns2. But I cannot see where they go next or if they go anywhere at this point.
I should add that the firewall allows all traffic on all interfaces participating, namely IPSec and OpenVPN at the moment.
The solution to my problem was to ditch policy-based IPSec and switch to route-based IPSec. This reduces the number of phase 2 entries by a lot but requires more static routes. IMHO it's better this way because there's no opaque mix of different ways of routing packets between their destinations. Now everything is just in the routing table.
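The following is an added example, not code from the thread or from pfSense/OpenVPN, that models the two mechanisms discussed above: the reply's point that a policy-based tunnel only carries a packet when some phase 2 selector covers both its source and destination (so the OpenVPN tunnel network needs its own phase 2), and the final post's point that route-based IPsec replaces those selectors with a plain longest-prefix route lookup. The addresses come from the ping and tcpdump output in the thread; the /24 boundaries and the interface names `lan`, `ovpns2`, `ipsec_vti` and `wan` are assumptions.

```python
"""
Added example: policy-based (SPD selector) vs route-based (VTI) IPsec
forwarding decisions for an OpenVPN client behind site A.
Addresses are from the thread; subnet masks and interface names are assumed.
"""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Policy = Tuple[Net, Net]  # (local selector, remote selector) == one phase 2

# Assumed /24s around the addresses seen in the thread's ping and tcpdump output.
SITE_A_LAN = ipaddress.ip_network("10.3.20.0/24")    # site A LAN, gateway 10.3.20.1
OVPN_TUNNEL = ipaddress.ip_network("10.3.101.0/24")  # site A OpenVPN tunnel net (ovpns2)
SITE_B_LAN = ipaddress.ip_network("10.0.20.0/24")    # site B LAN, host 10.0.20.23


def policy_based_spd(include_ovpn_tunnel: bool) -> List[Policy]:
    """Phase 2 entries as the OP configured them: one (local, remote) pair per
    site subnet. With include_ovpn_tunnel=True the OpenVPN tunnel network gets
    its own phase 2 towards site B, as the reply suggested."""
    spd = [(SITE_A_LAN, SITE_B_LAN)]
    if include_ovpn_tunnel:
        spd.append((OVPN_TUNNEL, SITE_B_LAN))
    return spd


def spd_lookup(spd: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """Policy-based IPsec: a packet enters the tunnel only if one phase 2
    selector covers BOTH source and destination. Anything else stays on the
    normal routing table, which is how the OpenVPN client's echo request ended
    up bouncing until its TTL expired."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in spd:
        if s in local and d in remote:
            return (local, remote)
    return None


def route_based_table() -> List[Tuple[Net, str]]:
    """Route-based IPsec: no per-subnet selectors, just one static route per
    remote network pointing at the IPsec VTI interface (name assumed)."""
    return [
        (SITE_A_LAN, "lan"),
        (OVPN_TUNNEL, "ovpns2"),
        (SITE_B_LAN, "ipsec_vti"),
        (ipaddress.ip_network("0.0.0.0/0"), "wan"),
    ]


def route_lookup(table: List[Tuple[Net, str]], dst: str) -> str:
    """Longest-prefix match, as the kernel forwards. The source address plays
    no role, so OpenVPN clients need no extra IPsec configuration."""
    d = ipaddress.ip_address(dst)
    best = max((n for n, _ in table if d in n), key=lambda n: n.prefixlen)
    return next(iface for n, iface in table if n == best)


def phase2_count(local_nets: int, remote_nets: int) -> int:
    """Policy-based: every (local, remote) pair that must talk needs its own phase 2."""
    return local_nets * remote_nets


def vti_route_count(remote_nets: int) -> int:
    """Route-based: one route per remote network, however many local nets exist."""
    return remote_nets


if __name__ == "__main__":
    client, target = "10.3.101.2", "10.0.20.23"
    print("policy-based, no OVPN phase 2 :", spd_lookup(policy_based_spd(False), client, target))
    print("policy-based, with OVPN phase 2:", spd_lookup(policy_based_spd(True), client, target))
    print("route-based next hop           :", route_lookup(route_based_table(), target))
    print("phase 2 entries for 8 local x 7 remote nets:", phase2_count(8, 7),
          "vs VTI routes:", vti_route_count(7))
```

The first lookup returns `None`: with only the LAN-to-LAN phase 2, the client's packet matches no selector and is left to the routing table. Adding the tunnel network as a local selector makes it match, and with VTI the same packet is forwarded purely by the route to 10.0.20.0/24, which is why the OP ended up with one route per remote network instead of a growing list of phase 2 entries.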