Netgate Discussion Forum

Route OpenVPN Traffic via IPSEC to Remote Subnet

Firewalling
operaiter, last edited Nov 10, 2021, 3:10 PM

Hi all!

I have issues setting up a proper site-to-site VPN network. The VPN is showing as connected on both devices, but not all devices can reach all networks. The local network on both sites can speak to each other without issues.

But on the pfSense network I have an OpenVPN server running, and devices connecting via OpenVPN cannot access services hosted on Ubiquiti USG devices connected in 192.168.2.0/24.

Local LAN - USG
lan: 192.168.2.0/24

Remote LAN - pfSense
lan: 192.168.137.0/24
openvpn client network: 192.168.136.0/24

This is my debugging scenario:
I am performing a ping request from an OpenVPN client behind the remote LAN to 192.168.2.250, a computer on the local LAN.
On the pfSense I can see incoming traffic on the OpenVPN interface via traffic capture. But I can't see outgoing traffic on the IPsec device.

Comparison: If I am performing a ping from a computer in LAN 192.168.137.30, I can see outgoing traffic on IPsec.

This is why I am focusing on my firewall rules at the moment. I double checked Firewall -> Rules -> OpenVPN. For debugging I created a very open rule and a very specific rule and enabled logging. But it seems like both rules do not catch this traffic.

I am looking forward to any kind of hint on what I am missing here or where I could start debugging this issue.

Thanks mate!
Roberto
operaiter, last edited Nov 10, 2021, 4:24 PM

Hi all!
I just want to make my setup more clear.
Here is some kind of diagram:

Working fine
192.168.2.250 <-> usg <----ipsec----> pfsense <-> 192.168.137.10 (lan)

Not working
192.168.2.250 <-> usg <----ipsec----> pfsense <-> 192.168.136.2 (openvpn)

Thanks in advance for your issues!
viragomann @operaiter, last edited Nov 10, 2021, 4:51 PM

@operaiter said in Route OpenVPN Traffic via IPSEC to Remote Subnet:

I am performing a ping request from an OpenVPN client behind the remote LAN to 192.168.2.250, a computer on the local LAN.
On the pfSense I can see incoming traffic on the OpenVPN interface via traffic capture. But I can't see outgoing traffic on the IPsec device.

Consider that the OpenVPN client is within another subnet.
You have to add a phase 2 in IPsec to connect the OpenVPN access server's tunnel network and the local LAN.

Additionally, in the OpenVPN server settings you have to add the local LAN to the "IPv4 Local Network/s" to push the route to the clients.
operaiter @viragomann, last edited Nov 10, 2021, 5:16 PM

Hi viragomann! First of all, thanks for your reply.

@viragomann said in Route OpenVPN Traffic via IPSEC to Remote Subnet:

Additionally, in the OpenVPN server settings you have to add the local LAN to the "IPv4 Local Network/s" to push the route to the clients.

Awww!
I have added all additional subnets to "Custom options":
push "route 192.168.137.0 255.255.255.0";push "route 192.168.122.0 255.255.255.0";push "route 192.168.138.0 255.255.255.0";push "route 192.168.2.0 255.255.255.0";
Are there any pros / cons to using one or the other?

Both ways it seems I got the correct route pushed to my client device. But still no traffic on the IPsec interface.

@viragomann said in Route OpenVPN Traffic via IPSEC to Remote Subnet:

You have to add a phase 2 in IPsec to connect the OpenVPN access server's tunnel network and the local LAN.

Do I have to add this phase 2 on the pfSense? Or on the Ubiquiti USG device?
Currently on my pfSense I have just one P2 configured (192.168.2.0/24 via local LAN).
On my USG I have two "remote networks" configured, 192.168.137/24 and 192.168.136/24, which I am expecting should create something like two P2 entries.
Or did I misunderstand you? Do I need an additional entry on the pfSense?
viragomann @operaiter, last edited Nov 10, 2021, 5:31 PM

@operaiter said in Route OpenVPN Traffic via IPSEC to Remote Subnet:

push "route 192.168.137.0 255.255.255.0";push "route 192.168.122.0 255.255.255.0";push "route 192.168.138.0 255.255.255.0";push "route 192.168.2.0 255.255.255.0";
Are there any pros / cons to using one or the other?

No, as long as the subnets are not conflicting, there are no issues when adding multiple.

Do I have to add this phase 2 on the pfSense? Or on the Ubiquiti USG device?

Phase 2 always has to be configured on both VPN endpoints.

I don't know the USG, but "remote networks" seems to be the correct setting for that.
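To make the two points in the replies above concrete (the pushed route gets the packet to pfSense; only a Phase 2 that exists on both endpoints gets it into the IPsec tunnel), here is an added example. It is not pfSense or USG code and not from anyone in this thread: a small Python model of IPsec Phase 2 traffic selectors and OpenVPN pushed routes, using the subnets and the custom-options string quoted in the thread. The function names (`flow_covered`, `diagnose`, and so on) are made up for the example; the Phase 2 lists are constructed to reproduce the "before" and "after" state described in the posts.

```python
"""
Added example, not pfSense/USG code: a model of IPsec Phase 2 traffic
selectors and OpenVPN pushed routes for the topology in this thread.

What it shows: a pushed route only brings the packet *to* pfSense. For the
packet to be sent through IPsec, a Phase 2 whose local/remote selectors
cover src -> dst must exist on pfSense, and the USG must hold the mirrored
pair, otherwise the traffic never appears on the IPsec interface.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2:
    """One Phase 2 entry: the local and remote subnet it carries."""
    local_net: ipaddress.IPv4Network
    remote_net: ipaddress.IPv4Network


def p2(local: str, remote: str) -> Phase2:
    return Phase2(ipaddress.ip_network(local), ipaddress.ip_network(remote))


def selector_matches(entries, src: str, dst: str):
    """Return the first Phase 2 whose selectors cover src -> dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if s in e.local_net and d in e.remote_net:
            return e
    return None


def mirrored(entry: Phase2, peer_entries) -> bool:
    """A Phase 2 only negotiates if the peer has the same pair, sides swapped."""
    return any(pe.local_net == entry.remote_net and pe.remote_net == entry.local_net
               for pe in peer_entries)


def flow_covered(site_a, site_b, src: str, dst: str) -> bool:
    """True if src -> dst is selected into the tunnel at A and mirrored at B,
    and the reply dst -> src is selected at B and mirrored at A."""
    fwd = selector_matches(site_a, src, dst)
    if fwd is None or not mirrored(fwd, site_b):
        return False
    rev = selector_matches(site_b, dst, src)
    return rev is not None and mirrored(rev, site_a)


def pushed_routes(custom_options: str):
    """Parse push "route NET MASK" directives from an OpenVPN custom-options string."""
    nets = []
    for directive in custom_options.split(";"):
        directive = directive.strip()
        if directive.startswith('push "route ') and directive.endswith('"'):
            _, net, mask = directive[6:-1].split()   # strip 'push "' and the closing quote
            nets.append(ipaddress.ip_network(f"{net}/{mask}"))
    return nets


def client_has_route(custom_options: str, dst: str) -> bool:
    """Would a client that received these pushes route dst towards the server?"""
    return any(ipaddress.ip_address(dst) in n for n in pushed_routes(custom_options))


# Subnets from the thread (constructed scenario).
USG_LAN = "192.168.2.0/24"
PF_LAN = "192.168.137.0/24"
OVPN_NET = "192.168.136.0/24"

# pfSense before the fix: a single Phase 2, pfSense LAN <-> USG LAN.
PFSENSE_BEFORE = [p2(PF_LAN, USG_LAN)]
# USG "remote networks" listed both pfSense subnets, i.e. two entries from its side.
USG = [p2(USG_LAN, PF_LAN), p2(USG_LAN, OVPN_NET)]
# pfSense after the fix: a second Phase 2 for the OpenVPN tunnel network.
PFSENSE_AFTER = PFSENSE_BEFORE + [p2(OVPN_NET, USG_LAN)]

# The custom options quoted in the thread.
CUSTOM_OPTIONS = ('push "route 192.168.137.0 255.255.255.0";'
                  'push "route 192.168.122.0 255.255.255.0";'
                  'push "route 192.168.138.0 255.255.255.0";'
                  'push "route 192.168.2.0 255.255.255.0";')


def diagnose(pfsense_p2, usg_p2, src: str, dst: str) -> dict:
    """The two independent checks for an OpenVPN-client-to-remote-LAN flow."""
    return {
        "route_pushed": client_has_route(CUSTOM_OPTIONS, dst),
        "p2_both_ends": flow_covered(pfsense_p2, usg_p2, src, dst),
    }


if __name__ == "__main__":
    for label, entries in (("before", PFSENSE_BEFORE), ("after", PFSENSE_AFTER)):
        print(label, "LAN host:", diagnose(entries, USG, "192.168.137.10", "192.168.2.250"))
        print(label, "OpenVPN client:", diagnose(entries, USG, "192.168.136.2", "192.168.2.250"))
```

Run as is, the "before" state reproduces the thread's symptom: the LAN host flow is covered, the OpenVPN client flow has a pushed route but no Phase 2 match, so nothing is selected onto the IPsec interface even though the OpenVPN firewall rules never saw a problem. The `mirrored` check is what the "both endpoints" reply is about: a Phase 2 added only on pfSense, with no matching remote network on the USG, still leaves `p2_both_ends` false.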
operaiter @viragomann, last edited Nov 10, 2021, 5:40 PM

@viragomann said in Route OpenVPN Traffic via IPSEC to Remote Subnet:

@operaiter said in Route OpenVPN Traffic via IPSEC to Remote Subnet:

Do I have to add this phase 2 on the pfSense? Or on the Ubiquiti USG device?

Phase 2 always has to be configured on both VPN endpoints.

Well...
now I got it working! Now I feel stupid ... this was an easy win!
Thank you so much!!!
JKnott @operaiter, last edited Nov 10, 2021, 7:11 PM

@operaiter

1. VPN type is irrelevant. You're just setting up two IP routes, nothing more.
2. Have you enabled routing between the 2 sites? If you haven't set up appropriate routes from the 2 LANs and through pfSense, you will not be able to connect.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.