Route OpenVPN Traffic via IPSEC to Remote Subnet
-
Hi all!
I have issues setting up a proper site-to-site VPN network. The VPN is showing as connected on both devices, but not all devices can reach all networks. The local networks on both sites can speak to each other without issues.
But on the pfSense network I have an OpenVPN server running, and devices connecting via OpenVPN cannot access services hosted on Ubiquiti USG devices connected in 192.168.2.0/24.
Local LAN - USG
lan: 192.168.2.0/24
Remote LAN - pfSense
lan: 192.168.137.0/24
openvpn client network: 192.168.136.0/24
This is my debugging scenario:
I am performing a ping request from an OpenVPN client behind the remote LAN to 192.168.2.250, a computer on the local LAN.
On the pfSense I can see incoming traffic on the OpenVPN interface via traffic capture. But I can't see outgoing traffic on the IPsec device.
Comparison: if I perform a ping from a computer in the LAN, 192.168.137.30, I can see outgoing traffic on IPsec.
This is why I am focusing on my firewall rules at the moment. I double checked Firewall -> Rules -> OpenVPN. For debugging I created a very open rule and a very specific rule and enabled logging. But it seems like neither rule catches this traffic.
I am looking forward to any kind of hint about what I am missing here or where I could start debugging this issue.
Thanks mate!
Roberto -
Hi all!
I just want to make my setup more clear.
Here is some kind of diagram:
Working fine:
192.168.2.250 <-> usg <----ipsec----> pfsense <-> 192.168.137.10 (lan)
Not working:
192.168.2.250 <-> usg <----ipsec----> pfsense <-> 192.168.136.2 (openvpn)
Thanks in advance for your issues!
-
@operaiter said in Route OpenVPN Traffic via IPSEC to Remote Subnet:
I am performing a ping request from an OpenVPN client behind the remote LAN to 192.168.2.250, a computer on the local LAN.
On the pfSense I can see incoming traffic on the OpenVPN interface via traffic capture. But I can't see outgoing traffic on the IPsec device.
Consider that the OpenVPN client is within another subnet.
You have to add a phase 2 in IPsec to connect the OpenVPN server's tunnel network and the local LAN.
Additionally, in the OpenVPN server settings you have to add the local LAN to the "IPv4 Local Network/s" to push the route to the clients.
-
Hi viragomann! First of all thanks for your reply.
@viragomann said in Route OpenVPN Traffic via IPSEC to Remote Subnet:
Additionally in the OpenVPN server settings you have to add the local lan to the "IPv4 Local Network/s" to push the route to the clients.
Awww!
I have added all additionally subnets to "Custom options"
push "route 192.168.137.0 255.255.255.0";push "route 192.168.122.0 255.255.255.0";push "route 192.168.138.0 255.255.255.0";push "route 192.168.2.0 255.255.255.0";
Are there any pros / cons of using one or the other?
Both ways it seems I got the correct route pushed to my client device. But still no traffic on the IPsec interface.
@viragomann said in Route OpenVPN Traffic via IPSEC to Remote Subnet:
You have to add a phase 2 in IPSec to connect the OpenVPN access servers tunnel network and the local lan.
Do I have to add this phase 2 in the pfSense? Or on the ubiquiti usg device?
Currently on my pfsense I have just one P2 configured. (192.168.2.0/24 via local lan)
On my USG I have two "remote networks" configured, 192.168.137/24 and 192.168.136/24, which I am expecting should create something like two P2 entries.
Or did I misunderstand you? Do I need an additional entry on the pfSense? -
@operaiter said in Route OpenVPN Traffic via IPSEC to Remote Subnet:
push "route 192.168.137.0 255.255.255.0";push "route 192.168.122.0 255.255.255.0";push "route 192.168.138.0 255.255.255.0";push "route 192.168.2.0 255.255.255.0";
Are there any pros / cons of using one or the other?
No, as long as the subnets are not conflicting, there are no issues when adding multiple.
Do I have to add this phase 2 in the pfSense? Or on the ubiquiti usg device?
Phase 2 always has to be configured on both VPN endpoints.
I don't know the USG, but "remote networks" seems to be the correct setting for that.
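The two points viragomann makes above (the OpenVPN tunnel network needs its own Phase 2 selector, and every Phase 2 has to exist as a mirror image on both endpoints) can be checked mechanically. The script below is an added illustration and not part of this thread or of pfSense; it uses only the thread's addressing, and the "before"/"after" selector lists are constructed to model the OP's situation rather than exported from any real configuration. It answers the OP's two questions: which Phase 2 selector (if any) covers a given packet, so you can see why 192.168.136.2 -> 192.168.2.250 never reached the IPsec interface, and which selectors on one endpoint lack a mirror on the other.

```python
"""Check IPsec Phase 2 traffic-selector coverage and endpoint symmetry.

Added example; the selector lists are constructed for illustration.
"""
import ipaddress

# Addressing from the thread.
PFSENSE_LAN = ipaddress.ip_network("192.168.137.0/24")
OPENVPN_TUNNEL = ipaddress.ip_network("192.168.136.0/24")
USG_LAN = ipaddress.ip_network("192.168.2.0/24")


def parse_p2(entries):
    """Turn ("local/cidr", "remote/cidr") string pairs into network pairs.

    Each pair is one Phase 2 entry as seen from the endpoint that owns it.
    """
    return [(ipaddress.ip_network(loc), ipaddress.ip_network(rem)) for loc, rem in entries]


def p2_match(selectors, src_ip, dst_ip):
    """Return the first (local, remote) Phase 2 pair whose traffic selector
    covers a packet src_ip -> dst_ip, or None.

    None means the packet is never handed to IPsec: it shows up on the
    ingress interface (OpenVPN here) but never on the IPsec interface,
    which is exactly the OP's capture result.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for local, remote in selectors:
        if src in local and dst in remote:
            return (local, remote)
    return None


def unmirrored_p2(side_a, side_b):
    """Phase 2 entries on side A with no mirror image (remote, local) on side B.

    A selector is only negotiated when both endpoints propose it, so any
    entry returned here never comes up, however correct it looks locally.
    """
    mirrored = {(rem, loc) for loc, rem in side_b}
    return [pair for pair in side_a if pair not in mirrored]


def push_route_lines(networks):
    """OpenVPN 'push route' options for the given networks, in the
    address/netmask form used in the thread's custom options."""
    return [f'push "route {n.network_address} {n.netmask}"' for n in networks]


if __name__ == "__main__":
    # Constructed "before": pfSense only has LAN <-> USG LAN.
    pfsense_before = parse_p2([("192.168.137.0/24", "192.168.2.0/24")])
    # Constructed "after": the OpenVPN tunnel network gets its own Phase 2.
    pfsense_after = pfsense_before + parse_p2([("192.168.136.0/24", "192.168.2.0/24")])
    # USG side as the OP describes it: two "remote networks" behind its LAN.
    usg = parse_p2([("192.168.2.0/24", "192.168.137.0/24"),
                    ("192.168.2.0/24", "192.168.136.0/24")])

    print("LAN host    ->", p2_match(pfsense_before, "192.168.137.30", "192.168.2.250"))
    print("OpenVPN cli ->", p2_match(pfsense_before, "192.168.136.2", "192.168.2.250"))
    print("USG entries unmirrored before:", unmirrored_p2(usg, pfsense_before))
    print("USG entries unmirrored after: ", unmirrored_p2(usg, pfsense_after))
    print("\n".join(push_route_lines([USG_LAN, PFSENSE_LAN])))
```

Run it and the "before" state reports the OpenVPN client packet as unmatched while the LAN host packet matches, and lists the USG's 192.168.2.0/24 <-> 192.168.136.0/24 entry as having no partner on pfSense; adding the second Phase 2 on pfSense clears both findings, which is the fix the OP ended up applying.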
-
@viragomann said in Route OpenVPN Traffic via IPSEC to Remote Subnet:
@operaiter said in Route OpenVPN Traffic via IPSEC to Remote Subnet:
Do I have to add this phase 2 in the pfSense? Or on the ubiquiti usg device?
Phase 2 always has to be configured on both VPN endpoints.
Well...
now I got it working! Now I feel stupid ... this was an easy win!
Thank you so much!!! -
- VPN type is irrelevant. You're just setting up two IP routes, nothing more.
- Have you enabled routing between the 2 sites? If you haven't set up appropriate routes from the 2 LANs and through pfsense, you will not be able to connect.