OpenVPN Traffic to IPsec sites
I have some IPsec site-to-site VPN tunnels and am using OpenVPN for remote access.
OpenVPN should enable users to access destinations behind the IPsec tunnels.
I have configured an additional IPsec phase 2 with the OpenVPN pool IP as local source and BINAT to a virtual address.
It seems that since the upgrade to 2.5.x this is not working anymore... At the moment I cannot ping a destination over the tunnels. OpenVPN client (route all traffic to tunnel) -> pfSense OpenVPN server -> IPsec -> remote site IPsec gateway -> target subnet
Anyone else with this issue?
What did you upgrade from?
That should work in 2.5.2 though. Do you see the additional P2s established?
Do you see the traffic counters increasing when you try to send traffic across them?
@stephenw10 I used 2.4.5 before.
The additional P2s are not coming up, but there are no errors or anything like that in the IPsec log.
I have hits on the firewall rule.... It seems the traffic is not routed from OpenVPN into the IPsec tunnel, or in its direction to establish it.
You see traffic blocked in the firewall log? What is blocked and where?
If the P2 isn't even trying to come up then the IPsec daemon isn't seeing the interesting traffic.
Sorry for the delay in my answer. I was not able to perform any further tests until now.
Here are some details about my setup:
Internal Network: 192.168.5.0/24
OpenVPN Client Pool: 192.168.250.0/24
Remote IPsec Subnet: 172.22.65.0/24
I have two VPN phase 2s on the pfSense: one for local network 192.168.5.0/24 and another for local network 192.168.250.0/24, both using the same BINAT source address 10.66.66.66.
On the remote site I use the BINAT address as the remote network.
I have around 26 of these phase 2 connections. At the moment it seems that just one of them is "accepting" traffic from OpenVPN clients.
I've rebooted the pfSense box on my side and now it works.... That's really not what I expected :-)
Hmm, no, not what I would expect either. You might have a tunnel that can only establish from one direction maybe. Or perhaps an incorrect state still open.
I had the "firewall optimization options" set to "conservative" and changed this now back to "normal".
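The checks suggested in this thread (is the additional P2 installed at all, and are its byte counters moving, or is a P2 simply never coming up?) can be scripted from the pfSense shell. The script below is an added example, not code from the thread or from pfSense: it parses `swanctl --list-sas` output into one line per child SA (a pfSense "Phase 2") and flags children that are installed but idle, plus expected children that have no SA. The sample output is constructed here to resemble strongSwan's text layout, mirroring the post's setup (two P2s sharing the BINAT address 10.66.66.66/32 as local selector); the `conN_M` child names are assumed to follow pfSense's naming.

```shell
#!/bin/sh
# Added example (not from the thread): triage pfSense IPsec Phase 2s by parsing
# `swanctl --list-sas`. Assumptions: strongSwan's text layout as in SAMPLE below
# (constructed), and pfSense's conN / conN_M naming for IKE SA / child SA.

# Constructed sample: IKE SA con1000 with two children. con1000_1 (the
# 192.168.5.0/24 P2) carries traffic; con1000_2 (the 192.168.250.0/24 OpenVPN
# pool P2) is INSTALLED but has never moved a byte.
SAMPLE=$(cat <<'EOF'
con1000: #3, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7a8b_i* 9c8d7e6f5a4b3c2d_r
  local  '203.0.113.10' @ 203.0.113.10[4500]
  remote '198.51.100.20' @ 198.51.100.20[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 840s ago, rekeying in 26400s
  con1000_1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 840s ago, rekeying in 2500s, expires in 3960s
    in  c1a2b3c4,  48216 bytes,   402 packets,     3s ago
    out d4e5f6a7,  51190 bytes,   398 packets,     3s ago
    local  10.66.66.66/32
    remote 172.22.65.0/24
  con1000_2: #6, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 835s ago, rekeying in 2510s, expires in 3965s
    in  e8f9a0b1,      0 bytes,     0 packets
    out c2d3e4f5,      0 bytes,     0 packets
    local  10.66.66.66/32
    remote 172.22.65.0/24
EOF
)

# Read swanctl --list-sas text on stdin; print one line per child SA:
#   <name> <state> <local_ts> <remote_ts> <in_bytes> <out_bytes>
summarise_child_sas() {
  awk '
    # Child SA header is indented two spaces and carries "reqid":
    #   "  con1000_1: #5, reqid 1, INSTALLED, TUNNEL, ESP:..."
    /^  [^ ].*reqid/ {
      flush()
      name = $1; sub(":$", "", name)
      state = $5; sub(",$", "", state)
      inb = 0; outb = 0; lts = "?"; rts = "?"
    }
    /^    in /     { inb  = $3 }   # "    in  <spi>,  <n> bytes, ..."
    /^    out /    { outb = $3 }
    /^    local /  { lts  = $2 }   # local traffic selector (BINAT address on pfSense)
    /^    remote / { rts  = $2 }   # remote traffic selector
    END { flush() }
    function flush() {
      if (name != "") print name, state, lts, rts, inb, outb
      name = ""
    }
  '
}

# Verdict per child: OK (installed, bytes in both directions), IDLE (installed
# but a counter is still zero, i.e. traffic never reached or never returned
# through this P2), or the raw state if it is not INSTALLED.
classify_p2s() {
  summarise_child_sas | while read -r name state lts rts inb outb; do
    if [ "$state" != "INSTALLED" ]; then
      verdict="$state"
    elif [ "$inb" -eq 0 ] || [ "$outb" -eq 0 ]; then
      verdict="IDLE"
    else
      verdict="OK"
    fi
    printf '%s %s %s->%s in=%s out=%s\n' "$name" "$verdict" "$lts" "$rts" "$inb" "$outb"
  done
}

# Given the space-separated child names you expect (take them from
# `swanctl --list-conns`), print those with no SA at all: that is what
# "the additional P2 is not coming up" looks like to the daemon.
missing_p2s() {
  expected="$1"
  have=$(summarise_child_sas | awk '{ printf "%s ", $1 }')
  for n in $expected; do
    case " $have" in
      *" $n "*) ;;
      *) echo "$n" ;;
    esac
  done
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE" | classify_p2s
printf '%s\n' "$SAMPLE" | missing_p2s 'con1000_1 con1000_2 con1000_3'
```

On a live box, feed it the daemon instead of the sample: `swanctl --list-sas | classify_p2s`, and pass the child names from `swanctl --list-conns` to `missing_p2s`. A P2 that never appears in `--list-sas` while a client pings through it is the "daemon isn't seeing the interesting traffic" case; an IDLE one with a non-zero `out` but zero `in` points at the remote side. For the "incorrect state still open" possibility, `pfctl -ss | grep 172.22.65` shows any existing pf states between the OpenVPN pool and the remote subnet that could be steering packets past the new P2.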