Help me add access to IPsec site B via OpenVPN RW site A
-
Hello.
Please bear with me as this is my first time setting up IPsec.
Site B is a remote IPsec server, no access from me, so I have to work with what I have.
Site B is 10.0.1.0/24
Due to their restrictions the tunnel has to be NATed to 10.201.0.0/16.
I have 3 subnets on site A (1 x LAN and 2 x OpenVPN server) that are added as IPsec P2:
LAN: local 192.168.0.0/24 - BINAT 10.201.0.0/16 - remote 10.0.1.0/24
OVPN: local 192.168.200.0/24 - BINAT 10.201.0.0/16 - remote 10.0.1.0/24
OVPN2: local 192.168.201.0/24 - BINAT 10.201.0.0/16 - remote 10.0.1.0/24
Logging in via SSH to pfSense, going into the shell and running these commands gives me positive results:
ping -S 192.168.0.200 10.0.1.93
ping -S 192.168.200.1 10.0.1.93
ping -S 192.168.201.1 10.0.1.93
But, as you can imagine, I can only directly ping 10.0.1.93 from our LAN computers. Any road warrior OpenVPN clients have zero success.
I have tried adding "push route 10.0.1.10 255.255.255.0" to the OpenVPN client config but also no love.
My "half educated" guess is this kind of route is not possible due to the NAT 10.201.0.0 subnet. So I also added "push route 10.201.0.0 255.255.0.0". With this route road warriors are able to ping 10.201.0.0 but again no luck with 10.0.1.93.
Any tips much appreciated!
-
@dare_v
The NAT should not be the problem for accessing the remote site from the road warrior basically.
However, you should set a /24 NAT subnet out of 10.201.0.0/16 for each of your /24 networks to achieve correct routing.
And your push command seems to be wrong. Instead of adding that into the advanced options, simply add 10.0.1.0/24 to the "IPv4 local networks" in the OpenVPN server settings.
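To illustrate the routing point in the reply above, here is an added example (not from the thread or from pfSense itself) that models BINAT as a 1:1 prefix swap and compares the original setup, where all three site-A /24s are translated into the same 10.201.0.0/16, with one distinct /24 per local network. The specific /24 assignments in FIXED are an assumption chosen for the example.

```python
import ipaddress

# Constructed phase-2 tables for the three site-A networks in this thread.
# OVERLAPPING is the original setup: every /24 translated into the same 10.201.0.0/16.
# FIXED follows the advice to carve one distinct /24 out of 10.201.0.0/16 per local /24
# (which /24 goes to which network is an assumption for this example).
OVERLAPPING = {
    "LAN":   ("192.168.0.0/24",   "10.201.0.0/16"),
    "OVPN":  ("192.168.200.0/24", "10.201.0.0/16"),
    "OVPN2": ("192.168.201.0/24", "10.201.0.0/16"),
}
FIXED = {
    "LAN":   ("192.168.0.0/24",   "10.201.0.0/24"),
    "OVPN":  ("192.168.200.0/24", "10.201.1.0/24"),
    "OVPN2": ("192.168.201.0/24", "10.201.2.0/24"),
}


def binat_forward(src, local_net, nat_net):
    """Model of 1:1 BINAT: keep the host offset, swap the network prefix."""
    src = ipaddress.ip_address(src)
    local = ipaddress.ip_network(local_net)
    nat = ipaddress.ip_network(nat_net)
    if src not in local:
        raise ValueError(f"{src} is not in {local}")
    offset = int(src) - int(local.network_address)
    return str(ipaddress.ip_address(int(nat.network_address) + offset))


def binat_reverse(translated, table):
    """Phase-2 entries whose NAT network claims a reply address from site B.
    More than one match means the firewall cannot tell which local network
    the reply belongs to; exactly one match is what correct routing needs."""
    dst = ipaddress.ip_address(translated)
    return sorted(name for name, (_local, nat) in table.items()
                  if dst in ipaddress.ip_network(nat))


if __name__ == "__main__":
    for label, table in (("overlapping", OVERLAPPING), ("fixed", FIXED)):
        for entry, (local, nat) in table.items():
            host = str(ipaddress.ip_network(local)[1])   # first usable host
            seen_by_site_b = binat_forward(host, local, nat)
            print(f"{label:11} {entry:5} {host:15} -> {seen_by_site_b:12} "
                  f"reply maps back to: {binat_reverse(seen_by_site_b, table)}")
```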
-
@viragomann Wow thanks man, that did the job!!!
-
Since IPsec traffic goes through our main server, we are getting occasional bandwidth issues. I have to limit its speed.
Is there a way to limit traffic on the IPsec itself, or do I have to limit the subnets?
-
Turns out this is not related to high traffic via IPsec.
As it seems, this is related to the IPsec tunnel only being able to keep up 2 children out of 3 total. So at a given time only 2 children are operable. If a new request from a client comes that is routed via the 3rd child, one of the 2 active CAs gets disconnected and connections are lost.
Is this settings-related, have I set something wrong? Can't find anything related...