Netgate Discussion Forum

Pass traffic from OpenVPN client to IPsec site-to-site tunnel

travis.fleming

      Hello,
We use Tunnelblick on a Mac to terminate a client OpenVPN VPN session to our head-end pfSense. We are then creating an IPsec site-to-site tunnel to each of our downstream Palo Alto branch offices. How do I get traffic from the OpenVPN client to go down the IPsec tunnel? I've made rules on the IPsec interface to allow traffic sourced from our OpenVPN subnet to any destination on any port, but I cannot ping. If I do a packet capture on the pfSense on the OpenVPN interface I see the ping requests, but if I do a packet capture on the IPsec interface I do not see them there.

viragomann @travis.fleming

        @travis-fleming
You have to add a phase 2 in IPsec to connect the OpenVPN tunnel network with the remote network.
Remember to add the tunnel on the remote site as well.

travis.fleming @viragomann

@viragomann So you are saying to add an additional phase 2 to my IPsec tunnel to connect the OpenVPN network?

stephenw10 Netgate Administrator

            Yes, exactly. The phase 2 policy has to match the traffic and here that would be from the OpenVPN tunnel subnet to the remote site subnet. The current P2 doesn't cover that so you need to add one that does, at both ends. Or expand the existing P2 subnet to include it. That may not be possible with your numbering scheme.

            Steve

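The matching rule Steve describes (a packet only enters the tunnel if some phase 2 entry's local/remote selector pair covers its source and destination, and the peer must carry the mirror image of that entry) is easy to get wrong by eye, so here is a small model of it. This is an added example, not code from the thread or from pfSense; the subnets (192.168.1.0/24 head-end LAN, 10.8.0.0/24 OpenVPN tunnel network, 192.168.50.0/24 branch LAN) and the entry names are assumptions chosen for illustration. It also shows why the "expand the existing P2" alternative depends on the numbering scheme: the smallest single prefix covering both head-end networks may be the default route, which is no longer a useful selector.

```python
"""Model of IPsec phase 2 (child SA) traffic-selector matching.

Added example; not from the original thread or from pfSense itself.
All networks below are constructed for illustration (assumptions).
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional, Sequence


class Phase2(NamedTuple):
    """One phase 2 entry as entered on the head end: local and remote network."""
    name: str
    local: str   # "Local Network" on this side of the tunnel
    remote: str  # "Remote Network" behind the peer

    def covers(self, src: str, dst: str) -> bool:
        """True if a packet src -> dst falls inside this entry's selectors."""
        return (ip_address(src) in ip_network(self.local)
                and ip_address(dst) in ip_network(self.remote))

    def mirrored(self) -> "Phase2":
        """The entry the peer must configure: local and remote swap sides."""
        return Phase2(self.name, self.remote, self.local)


def matching_phase2(policies: Sequence[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """Return the first phase 2 whose selectors cover src -> dst, else None.

    A packet with no matching entry is never handed to IPsec at all, which
    is why it shows up on the OpenVPN interface capture but not on the
    IPsec interface capture.
    """
    for policy in policies:
        if policy.covers(src, dst):
            return policy
    return None


def tunnel_is_symmetric(this_side: Sequence[Phase2], peer_side: Sequence[Phase2]) -> bool:
    """True if every entry on this side has its mirror image on the peer."""
    peer_pairs = {(p.local, p.remote) for p in peer_side}
    return all((p.remote, p.local) in peer_pairs for p in this_side)


def summary_supernet(nets: Sequence[str]):
    """Smallest single prefix covering all nets (the 'expand the P2' option).

    Returns an ip_network; a result of 0.0.0.0/0 means the numbering scheme
    leaves no usable common prefix. Returns None for mixed IPv4/IPv6 input.
    """
    parsed = [ip_network(n) for n in nets]
    if any(n.version != parsed[0].version for n in parsed):
        return None
    candidate = parsed[0]
    while not all(n.subnet_of(candidate) for n in parsed):
        candidate = candidate.supernet()
    return candidate


# Assumed addressing for the example.
HEADEND_LAN = "192.168.1.0/24"
OPENVPN_NET = "10.8.0.0/24"
BRANCH_LAN = "192.168.50.0/24"

# The original tunnel: only the head-end LAN is covered by phase 2.
original = [Phase2("lan-to-branch", HEADEND_LAN, BRANCH_LAN)]

# The fix from the thread: a second phase 2 for the OpenVPN tunnel network.
fixed = original + [Phase2("ovpn-to-branch", OPENVPN_NET, BRANCH_LAN)]


def demo():
    """Trace an OpenVPN client's ping to a branch host before and after the fix."""
    client, branch_host = "10.8.0.5", "192.168.50.10"
    before = matching_phase2(original, client, branch_host)
    after = matching_phase2(fixed, client, branch_host)
    peer_entries = [p.mirrored() for p in fixed]  # what the branch firewall needs
    return before, after, tunnel_is_symmetric(fixed, peer_entries)


if __name__ == "__main__":
    before, after, symmetric = demo()
    print("before fix:", before)          # None: packet never enters the tunnel
    print("after fix: ", after.name)      # ovpn-to-branch
    print("peer mirrored:", symmetric)    # True
    print("single-P2 summary:", summary_supernet([HEADEND_LAN, OPENVPN_NET]))  # 0.0.0.0/0
    print("if LAN were 10.1.0.0/24:", summary_supernet(["10.1.0.0/24", OPENVPN_NET]))  # 10.0.0.0/12
```

The `mirrored()` entries are the part that is easy to forget: with only the head end updated, the branch side still rejects the new selector pair during the child SA negotiation, and the ping fails exactly as before.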
travis.fleming @stephenw10

              @stephenw10 This worked thanks guys!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.