    Route to IPSec Tunnel from OpenVPN Client

    IPsec
    • sgnoc last edited by sgnoc

      I have pfSense running a site-to-site IPSec tunnel and an OpenVPN server. The IPSec tunnel is creating a tunnel from a remote 10.10.99.0/24 network to a local 10.10.88.0/24 that is then NAT'd to my LAN 10.10.5.0/24. I don't have control over the 10.10.88.0/24 network being chosen, which is why I had to NAT it to my LAN.

      I can access resources on the remote IPSec endpoint (10.10.99.0/24) from my LAN with no problems. I am having trouble accessing that network from my OpenVPN clients on a 10.10.6.0/24 network.

      On OpenVPN I have pushed routes for both the LAN 10.10.5.0/24 and the IPSec 10.10.99.20, but I still cannot connect to the IPSec network from the OpenVPN.

      I'm sure it has something to do with the 10.10.88.0/24 NAT to the IPSec endpoint, but I don't know how to fix this.

      Any recommendations? I am not able to change the site to site settings for the IPSec Tunnel except for possibly changing the NAT on my local end.

      ** Edit: I can connect from LAN to IPSec and OpenVPN to LAN with no problem. Just the OpenVPN to IPSec is not working.

      • bingo600 LAYER 8 @sgnoc last edited by bingo600

        @sgnoc
        I'm not using IPSec tunnels, so not an expert there.
        But it could be that your remote IPSec end does not have a route back to your OpenVPN clients (via the IPSec tunnel).

        1: Best
        Qualified guessing (IPsec) ... (Some IPsec guru might chip in here)
        I think the IPSec LANs are negotiated during IPSec phase 2, and you might (guesswork) add your OpenVPN LAN to your pfSense IPSec phase 2.

        2: Hack
        The other "hack" could be to NAT your OpenVPN clients to appear as coming from your (already known) LAN if the destination is the remote IPSec LAN.

        Edit: NAT questions?
        Is the remote end seeing your LAN as the NATted range?
        Or is the local end seeing the remote LAN as the NATted range?

        What should the OpenVPN clients be seen as on the remote?
        What should the remote LAN be seen as by the OpenVPN clients?

        I can't be of more help here.

        /Bingo

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 22.05 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN : 4 x Intel 211, Disk : 250G EVO870 Sata SSD

        • sgnoc @bingo600 last edited by

          @bingo600 Thanks! That got me exactly what I needed.

          I was able to create a second Phase 2 connection and split the NAT subnet. So I changed the 10.10.88.0/24 NAT into two, 10.10.88.0/25 and 10.10.88.128/25, and used one for the LAN and one for the OpenVPN connections. That got pfSense to add a route from the OpenVPN network through the tunnel for the remote network subnet. So now my OpenVPN connections are able to communicate through pfSense to the IPSec.

          • bingo600 LAYER 8 @sgnoc last edited by
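A small added model of the Phase 2 selection the posts describe, using the thread's own subnets; it is illustration written for this page, not pfSense code, and the lookup is a simplified assumption about how a flow is matched to a Phase 2 entry (it does not model per-host address translation). Before the fix, a flow from an OpenVPN client matches no Phase 2 local network, so no SA carries it; after the /24 translation is split into two /25s, the second entry matches, and both translations still fall inside the 10.10.88.0/24 the remote peer already accepts, so the remote side needs no change.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Phase2:
    """One IPsec Phase 2 entry as configured on pfSense: local network,
    optional NAT/BINAT translation network, and remote network."""
    name: str
    local: str
    translation: Optional[str]
    remote: str

def find_phase2(src_ip: str, dst_ip: str, entries: List[Phase2]) -> Optional[Phase2]:
    """Return the Phase 2 entry whose local/remote selectors cover the flow,
    or None (no SA, which is what the OpenVPN clients hit before the fix).
    Simplified model: first matching entry wins."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for p2 in entries:
        if src in ipaddress.ip_network(p2.local) and dst in ipaddress.ip_network(p2.remote):
            return p2
    return None

def seen_by_remote_as(p2: Phase2) -> ipaddress.IPv4Network:
    """Network the remote peer sees as the source: the translation if one is set."""
    return ipaddress.ip_network(p2.translation or p2.local)

def fits_remote_policy(entries: List[Phase2], remote_expects: str) -> bool:
    """True if every translated source lies inside the range the remote peer
    already accepts, so the remote's configuration need not change."""
    expected = ipaddress.ip_network(remote_expects)
    return all(seen_by_remote_as(p2).subnet_of(expected) for p2 in entries)

# Constructed from the thread: the original single Phase 2 (LAN only) ...
REMOTE = "10.10.99.0/24"
BEFORE = [Phase2("lan", "10.10.5.0/24", "10.10.88.0/24", REMOTE)]
# ... and the fix: the /24 translation split into two /25s, one per local network.
AFTER = [
    Phase2("lan", "10.10.5.0/24", "10.10.88.0/25", REMOTE),
    Phase2("openvpn", "10.10.6.0/24", "10.10.88.128/25", REMOTE),
]

if __name__ == "__main__":
    # Constructed flow: an OpenVPN client (10.10.6.10) reaching the remote host 10.10.99.20.
    for label, entries in (("before", BEFORE), ("after", AFTER)):
        p2 = find_phase2("10.10.6.10", "10.10.99.20", entries)
        print(label, p2.name if p2 else "no Phase 2 matches -> no SA, traffic not tunnelled")
```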

            @sgnoc
            Cool 👍

            Great that my brainstorming was of help

            /Bingo
