Route to IPSec Tunnel from OpenVPN Client
-
I have pfsense running a site to site IPSec Tunnel and an OpenVPN Server. The IPSec Tunnel is creating a tunnel from a remote 10.10.99.0/24 network to a local 10.10.88.0/24 that is then NAT'd to my LAN 10.10.5.0/24. I don't have control over the 10.10.88.0/24 network being chosen, which is why I had to NAT it to my LAN.
I can access resources on the remote IPSec endpoint (10.10.99.0/24) from my LAN with no problems. I am having trouble accessing that network from my OpenVPN clients on a 10.10.6.0/24 network.
On OpenVPN I have pushed routes for both the LAN 10.10.5.0/24 and the IPSec 10.10.99.20, but I still cannot connect to the IPSec network from the OpenVPN.
I'm sure it has something to do with the 10.10.88.0/24 NAT to the IPSec endpoint, but I don't know how to fix this.
Any recommendations? I am not able to change the site to site settings for the IPSec Tunnel except for possibly changing the NAT on my local end.
** Edit: I can connect from LAN to IPSec and OpenVPN to LAN with no problem. Just the OpenVPN to IPSec is not working.
-
@sgnoc
I'm not using IPSec tunnels , so not an expert there.
But it could be that your remote IPSec end , does not have a route back to your OpenVPN clients (via the IPSec tunnel).
1: Best
Qualified guessing (IPsec) ... (Some IPsec guru might chip in here)
I think the IPSec lans are negotiated during IPSec phase 2, and you might (guesswork) , add your OpenVPN Lan to your pfSense IPSec phase 2.
2: Hack
The other "hack" , could be to NAT your OpenVPN clients to appear as coming from your (already known) Lan if the destination is the remote IPSec Lan.
Edit: Nat questions ?
Is the remote end seeing your lan as the natted range ?
Or is the local end seeing the remote lan as the natted range ?
What should the OpenVPN clients be seen as on the remote ?
What should the remote lan be seen as by the OpenVPN clients ?
I can't be of more help here.
/Bingo
-
@bingo600 Thanks! That got me exactly what I needed.
I was able to create a second Phase 2 connection and split the NAT subnet. So I changed the 10.10.88.0/24 NAT into two 10.10.88.0/25 and 10.10.88.128/25 and used one for the LAN and one for the OpenVPN connections. That got pfSense to add a route from the OpenVPN network through the tunnel for the remote network subnet. So now my OpenVPN connections are able to communicate through pfsense to the IPSec.
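Added example (not from the thread, not pfSense code): a small Python model of the Phase 2 selector check before and after the fix above. It assumes pfSense only encapsulates traffic whose source falls in a Phase 2 local network, presents it to the remote as the Phase 2 NAT network, and that the remote end still only accepts 10.10.88.0/24 as "our" side, which is why splitting that /24 into two /25s works without touching the remote.

```python
"""Model of pfSense IPsec Phase 2 selection with NAT, for the thread's addressing.

Assumptions (constructed for this example): traffic is only sent into the tunnel when
the source matches a Phase 2 local network and the destination its remote network; the
source then appears to the remote as the Phase 2 NAT network; the remote site's own
Phase 2 selector is fixed at 10.10.88.0/24 and cannot be changed by us.
"""
from ipaddress import ip_address, ip_network

REMOTE_NET = ip_network("10.10.99.0/24")          # remote site LAN
REMOTE_ACCEPTS_US_AS = ip_network("10.10.88.0/24")  # what the remote's selector expects

# Each Phase 2 entry: (local network, NAT network shown to the remote, remote network)
BEFORE = [
    (ip_network("10.10.5.0/24"), ip_network("10.10.88.0/24"), REMOTE_NET),
]
AFTER = [
    (ip_network("10.10.5.0/24"), ip_network("10.10.88.0/25"), REMOTE_NET),
    (ip_network("10.10.6.0/24"), ip_network("10.10.88.128/25"), REMOTE_NET),
]


def select_phase2(src, dst, phase2s):
    """Return (index, nat_net) of the first Phase 2 whose selectors cover src->dst, or None.

    A None here is the failure in the thread: OpenVPN clients (10.10.6.x) matched no
    Phase 2, so their packets were never encapsulated for the tunnel.
    """
    s, d = ip_address(src), ip_address(dst)
    for i, (local, nat, remote) in enumerate(phase2s):
        if s in local and d in remote:
            return i, nat
    return None


def reachable(src, dst, phase2s, remote_accepts=REMOTE_ACCEPTS_US_AS):
    """True when the packet is encapsulated locally AND its NATed source is one the
    remote selector already covers (so the remote needs no change and can route back)."""
    hit = select_phase2(src, dst, phase2s)
    if hit is None:
        return False
    _, nat = hit
    return nat.subnet_of(remote_accepts)


if __name__ == "__main__":
    for label, p2s in (("before", BEFORE), ("after", AFTER)):
        print(label, "LAN ->", reachable("10.10.5.10", "10.10.99.20", p2s),
              "| OpenVPN ->", reachable("10.10.6.50", "10.10.99.20", p2s))
```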
-