Communication VPN IPsec and OpenVPN
-
Hi guys,
I have an IPsec VPN (Site-to-Site) with a client and my LAN (192.168.16.0/24) is communicating perfectly with the client's LAN (10.203.160.0/22)
I also have a VPN with OpenVPN (Client-to-site), configured on the 172.16.16.0/24 network, which is used by employees who are working at home. It is communicating normally with my LAN.
Would it be possible to make the 172.16.16.0/24 network (OpenVPN) communicate with the 10.203.160.0/22 network (customer's LAN)?
I imagine that adding a second Phase2 communicating the 2 networks (OpenVPN and client lan) should resolve the issue, however the client is a little resistant in registering the second phase2.
Is there any other way for me to try this communication? Thanks in advance.
-
@leoescarpellin said in Communication VPN IPsec and OpenVPN:
I imagine that adding a second Phase2 communicating the 2 networks (OpenVPN and client lan) should resolve the issue, however the client is a little resistant in registering the second phase2.
Is there any other way for me to try this communication?
So you have to translate the roadwarrior VPN IPs into ones which are covered by the actual phase 2.
How to do this is described in the docs in NAT with IPsec Phase 2 Networks. If there is enough space in your phase 2 to include the OpenVPN tunnel network, you can use BINAT. Maybe you can shrink the VPN subnet. Otherwise you can go with PAT by simply picking an unused IP of your local network which is used by any VPN user then.
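To make the BINAT-versus-PAT choice above concrete, here is an added example (not from the thread, pfSense or its docs) that checks whether the OpenVPN tunnel network fits inside the phase 2 local network without colliding with real LAN hosts, and computes the source address a road-warrior packet would carry into the IPsec tunnel. The spare PAT address 192.168.16.250 and the alternative /23 phase 2 are assumptions; the other prefixes are the ones from the thread.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Prefixes from the thread: existing phase 2 is LAN <-> customer LAN,
# road warriors live in the OpenVPN tunnel network.
LAN = ip_network("192.168.16.0/24")
CUSTOMER = ip_network("10.203.160.0/22")
OPENVPN = ip_network("172.16.16.0/24")
# Hypothetical spare LAN address reserved for the PAT fallback (assumption).
PAT_IP = ip_address("192.168.16.250")


def binat_candidates(phase2_local: IPv4Network, lan: IPv4Network,
                     vpn: IPv4Network) -> list[IPv4Network]:
    """Subnets inside the phase 2 local network, the same size as the VPN
    tunnel network, that do not collide with real LAN hosts. 1:1 BINAT is
    only possible when this list is non-empty."""
    if vpn.prefixlen < phase2_local.prefixlen:
        return []  # tunnel network is larger than the whole phase 2
    return [s for s in phase2_local.subnets(new_prefix=vpn.prefixlen)
            if not s.overlaps(lan)]


def translate_source(src: IPv4Address, dst: IPv4Address,
                     phase2_local: IPv4Network, lan: IPv4Network = LAN,
                     vpn: IPv4Network = OPENVPN, customer: IPv4Network = CUSTOMER,
                     pat_ip: IPv4Address = PAT_IP) -> tuple[IPv4Address, str]:
    """Return (translated_source, method): 'none' when no NAT applies,
    'binat' (host offset preserved) or 'pat' (all VPN users share pat_ip)."""
    if src not in vpn or dst not in customer:
        return src, "none"
    cands = binat_candidates(phase2_local, lan, vpn)
    if cands:
        offset = int(src) - int(vpn.network_address)
        return cands[0].network_address + offset, "binat"
    # Phase 2 has no spare room: collapse every VPN user onto one LAN address.
    return pat_ip, "pat"


def nat_for(src: str, dst: str, phase2_local: str) -> tuple[str, str]:
    """String convenience wrapper around translate_source."""
    addr, how = translate_source(ip_address(src), ip_address(dst),
                                 ip_network(phase2_local))
    return str(addr), how


if __name__ == "__main__":
    # As posted: phase 2 local network == LAN, so BINAT cannot fit -> PAT.
    print(nat_for("172.16.16.10", "10.203.160.5", "192.168.16.0/24"))
    # If the customer accepted 192.168.16.0/23 as the local side instead,
    # the upper /24 is free and each road warrior keeps a unique address.
    print(nat_for("172.16.16.10", "10.203.160.5", "192.168.16.0/23"))
```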
-
@viragomann said in Communication VPN IPsec and OpenVPN:
pick an unused IP of your local network which is used by any VPN user then.
Ty @viragomann,
I will check the link, study about it and then try it in production.
I will return with the results of the tests.
-
Stop thinking of IPSec vs OpenVPN. Both are just methods to provide an IP connection between 2 points. As such, when the VPNs are up, it's just a matter of routing and rules as to whether traffic can pass between them, just like any other IP connection. Of course, you'll have to ensure network addresses don't collide (the NAT curse strikes again).