Netgate Discussion Forum

    Open VPN clients unable to connect to IPSec site-to-site resources

    Category: OpenVPN
    18 Posts, 2 Posters, 1.6k Views
    • viragomann @kwriley87

      @kwriley87
      Should work from the point of routing.
      Ensure that you have firewall rules in place on all involved interfaces which allow the access.
      Also ensure that the destination device allows the access.

      • kwriley87 @viragomann

        @viragomann Which firewall rules, specifically, do I need? Apologies if this is something basic I'm not understanding.

        • viragomann @kwriley87

          @kwriley87
          Yeah, firewalling seems basic, as you're already running different VPN instances on pfSense.

          On the OpenVPN tab at A and on the IPSec tab at B you need proper rules to allow access from the VPN tunnel network.

          • kwriley87 @viragomann

            @viragomann

            The OpenVPN tab on Site A looks to already have the rules in place to allow all traffic, unless I'm missing something:
            https://pasteboard.co/KfgHjhE.png

            And from Site B, the IPSec tab:
            https://pasteboard.co/KfgHCUJ.png

            • viragomann @kwriley87

              @kwriley87
              Should actually work with these settings.
              Ensure that the destination device does not block the access.

              To troubleshoot, sniff the packets on the involved interfaces while you ping from an OpenVPN client. If the firewalls are well configured, you should see them on A's OpenVPN and IPSec interfaces and on B's IPSec and LAN interfaces.

              • kwriley87 @viragomann

                @viragomann

                I'm testing by pinging Site B firewall from OVPN client.

                I see the ICMP traffic on A's OVPN interface:
                12:41:08.215283 IP 192.168.200.2 > 192.168.5.1: ICMP echo request, id 13, seq 63781, length 40

                But I see no ICMP traffic on A's IPSec interface.
                From B, I see no ICMP traffic on either the IPSec interface or the LAN interface.

                I have to say, I'm stumped. I have added the proper rules to allow all traffic on the site A OVPN tab and the site B IPSec tab, as my screenshots in my previous post show.

                Clearly, something is wrong here, but I really don't know what it could be at this point.

                • viragomann @kwriley87

                  @kwriley87
                  Do you see the correct IPSec tunnels in Status > IPsec > SPDs on both sites?

                  The settings seem to be correct.

                  Maybe a reboot helps to get it up.

                  • kwriley87 @viragomann

                    @viragomann I see the IPSec tunnel active on both ends and can ping back and forth between sites so that appears to be functional.

                    I'm just unable to ping to site B from OVPN clients.

                    I guess I'll schedule a reboot of both firewalls after hours and see if that does the trick. Thank you for your help.

                    • viragomann @kwriley87

                      @kwriley87 said in Open VPN clients unable to connect to IPSec site-to-site resources:

                      I see the IPSec tunnel active on both ends and can ping back and forth between sites so that appears to be functional.

                      There must be two tunnels: one for the LANs and one for the OpenVPN network and site B's LAN.

                      And also in Status > IPsec > Overview both have to be displayed as connected.

                      • kwriley87 @viragomann

                        @viragomann I believe I have this set up how it should be but if I'm doing it wrong please let me know. Apologies for such a long thread here.

                        Site A IPSec Setup:
                        https://pasteboard.co/KfhoLyz.png

                        Site B IPSec Setup:
                        https://pasteboard.co/Kfhp2BV.png

                        IPSec Status Site A:
                        https://pasteboard.co/Kfhpo2r.png

                        IPSec Status Site B:
                        https://pasteboard.co/KfhpOnf.png

                        • viragomann @kwriley87

                          @kwriley87
                          The status screens don't show any tunnel.
                          Press this button to display them:
                          (screenshot attachment)

                          • kwriley87 @viragomann

                            @viragomann My apologies, I'm only seeing the tunnel connecting the LANs together.

                            Site A:
                            https://pasteboard.co/KfhF6zJ.png

                            Site B:
                            https://pasteboard.co/KfhFuMv.png

                            To be clear, if I look at my IPSec tunnels on Site A, there is only 1 Phase 1 tunnel set up, but 2 Phase 2 tunnels (one for Site A LAN to Site B LAN and one for OVPN LAN to Site B LAN):
                            https://pasteboard.co/KfhG7AH.png

                            Does that look right?

                            • viragomann @kwriley87

                              @kwriley87 said in Open VPN clients unable to connect to IPSec site-to-site resources:

                              To be clear, if I look at my IPSec tunnels on Site A, there is only 1 Phase 1 tunnel set up, but 2 Phase 2 tunnels (one for Site A LAN to Site B LAN and one for OVPN LAN to Site B LAN):
                              https://pasteboard.co/KfhG7AH.png

                              Yes, this is ok. And at B you should have the same, but with inverted networks.

                              The tunnel might go down if it's idle. You have to initiate traffic to get it up.
                              If not, check the IPSec log for hints.
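The check viragomann describes (site A needs a Phase 2 for the OpenVPN network to B's LAN, and site B needs the same pair with inverted networks) as an added example; this is not code from the thread or from pfSense. The only values taken from the thread are the two pinged addresses 192.168.200.2 and 192.168.5.1; the /24 subnets and site A's LAN are assumptions.

```python
"""Added example: verify that both IPsec endpoints carry the Phase 2
selectors a given flow needs, e.g. an OpenVPN client behind site A pinging
a host on site B's LAN. Subnets below are constructed for the example."""
from ipaddress import ip_address, ip_network

# Phase 2 entries as (local_net, remote_net) pairs per site, as configured
# under VPN > IPsec (constructed sample data, not a real configuration).
SITE_A_P2 = [
    ("192.168.1.0/24", "192.168.5.0/24"),    # assumed A LAN -> B LAN
    ("192.168.200.0/24", "192.168.5.0/24"),  # OpenVPN tunnel net -> B LAN
]
SITE_B_P2 = [
    ("192.168.5.0/24", "192.168.1.0/24"),    # B LAN -> A LAN (mirror present)
    # mirror for the OpenVPN network is missing on this side
]
MIRROR_FOR_OVPN = ("192.168.5.0/24", "192.168.200.0/24")


def selects(entry, src, dst):
    """True if a Phase 2 entry (local, remote) covers a packet src -> dst."""
    local, remote = (ip_network(n) for n in entry)
    return ip_address(src) in local and ip_address(dst) in remote


def phase2_gaps(site_a, site_b, src, dst):
    """Problems for the flow src -> dst, where src sits behind site A and
    dst behind site B. Site A must select src -> dst; site B must select
    the inverted pair dst -> src, otherwise the child SA for this pair is
    never negotiated and the packets do not appear on the IPsec interface."""
    gaps = []
    if not any(selects(e, src, dst) for e in site_a):
        gaps.append(f"site A: no Phase 2 covering {src} -> {dst}")
    if not any(selects(e, dst, src) for e in site_b):
        gaps.append(f"site B: no Phase 2 covering {dst} -> {src}")
    return gaps


if __name__ == "__main__":
    flow = ("192.168.200.2", "192.168.5.1")  # OpenVPN client -> site B firewall
    print(phase2_gaps(SITE_A_P2, SITE_B_P2, *flow) or "Phase 2 coverage OK")
    # Adding the inverted entry on site B closes the gap.
    print(phase2_gaps(SITE_A_P2, SITE_B_P2 + [MIRROR_FOR_OVPN], *flow))
```

Running it against the sample data reports the missing site B entry for the OpenVPN flow while the LAN-to-LAN flow passes, which matches a tunnel that pings between LANs but carries nothing from OpenVPN clients.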

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.