• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Client connected via OpenVPN, not routing through IPSec

Scheduled Pinned Locked Moved OpenVPN
4 Posts 2 Posters 428 Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • M
    Masin Al-Dujaili
    last edited by Jul 31, 2020, 8:25 AM

    Hello!

    I have 2 sites connected via IPSec tunnel (and soon a third site). One site, let's call it A, provides VPN service using OpenVPN. When pinging an address at site B, I get the following message:

    36 bytes from 10.3.20.1: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 aa2d   0 0000  01  01 0000 10.3.101.2  10.0.20.23 

Request timeout for icmp_seq 0

    Capturing the traffic on site A's OpenVPN server interface:

    10:01:12.219901 IP 10.3.20.1 > 10.3.101.2: ICMP time exceeded in-transit, length 72
10:01:14.377123 IP 10.3.101.1 > 10.3.101.2: ICMP time exceeded in-transit, length 36
10:01:14.399681 IP 10.3.101.1 > 10.3.101.2: ICMP time exceeded in-transit, length 36
10:01:14.412161 IP 10.3.101.1 > 10.3.101.2: ICMP time exceeded in-transit, length 36
10:01:14.435558 IP 10.3.20.1 > 10.3.101.2: ICMP time exceeded in-transit, length 36

    When ssh'in into site A's gateway I can ping the address in site A's subnet. I can log into site B's gateway and ping addresses in site A's subnets. So, I guess the IPSec tunnel might be configured correctly.

    But!:

    There are several subnets on each site (seven ATM). I configured a phase 2 for each of the subnets. The config looks like this:
    Local Network: <specific> subnet
    NAT/BINAT: none
    Remote Network: <corresponding subnet on other site>

    As IPSec is somewhat new to me, I cannot rule out that I botched that part. :-)

    Can someone point me into the right direction?

    Bests,
    Masin Al-Dujaili

    1 Reply Last reply Reply Quote 0
    • V
      viragomann
      last edited by Jul 31, 2020, 9:57 AM

      You also need a phase 2 for the OpenVPN tunnel network on both IPSeec routers for each network you want to access on site B.

      M 1 Reply Last reply Jul 31, 2020, 10:27 AM Reply Quote 1
      • M
        Masin Al-Dujaili @viragomann
        last edited by Jul 31, 2020, 10:27 AM

        @viragomann Oh, thanks. Sometimes it's so 'easy'. 😂

        Now, at least, the ping reaches the ovpns2 interface on site A in a form that's more as I expect. But it still doesn't get routed through enc0. I checked if I needed additional static routes or gateways but there's nothing to consider regarding the OpenVPN subnet as far as I see (which might not be far enough).

        So, site A receives ICMP echo requests at ovpns2. But I cannot see where they go next or if they go anywhere at this point.

        I should add that the firewall allows all traffic on all interfaces participating, namely IPSec and OpenVPN at the moment.

        M 1 Reply Last reply Aug 2, 2020, 2:39 PM Reply Quote 0
        • M
          Masin Al-Dujaili @Masin Al-Dujaili
          last edited by Aug 2, 2020, 2:39 PM

          The solution to my problem was to ditch policy-based IPSec and switch to route-based IPSec. This reduces the number of phase 2 entries by a lot but requires more static routes. IMHO it's better this way because there's no intransparent mix of different ways of routing packages between their destinations. Now everything is just in the routing table.

          1 Reply Last reply Reply Quote 0
          1 out of 4
          • First post
            1/4
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
            This community forum collects and processes your personal information.
            consent.not_received