Site to Site Hub Spoke OpenVPN with IPSec
-
I have an odd setup that I am trying to make work.
Head Office is running a SonicWall unit - Static Public IP
Remote Office is running PfSense 2.7 - Static Public IP
At the remote office is a temporary building, separate from the main office [Remote Site Office]. Due to this, there is a separate PfSense instance running over LTE with a Carrier NAT IP. Due to the 4G modem, this is double NAT.
IPSec tunnel between Head Office and Remote Office is up and running without issue. I am not able to get an IPSec tunnel up between the Remote Site Office and Head Office.
SonicWall at head office does not support OpenVPN.
I am trying to establish an OpenVPN tunnel from the Remote Site office to the Remote Office [this is up and running and working]. Across this tunnel I would like the Remote Site Office client machines to be able to get traffic flow between themselves and the Head Office network.
Head Office - 10.200.1.0/24
Remote Office - 10.20.1.0/24
Remote Site Office - 10.30.1.0/24
I am not having any luck in getting clients on 10.30.1.0/24 to be able to route traffic to 10.200.1.0/24. I cannot even get pings to travel between the firewalls.
Traffic between 10.20.1.0 and 10.200.1.0 and between 10.20.1.0 and 10.30.1.0 is unhindered. I just need to be able to bridge the 2 segments.
It is sort of Hub and Spoke, but I am crossing from an OpenVPN tunnel into an IPSec tunnel.
Is there a way to do this?
Matthew
-
Turns out I may have been able to answer my own question here.
With some help from this post [which seemed to only show up in my searching after I raised this topic]
https://forum.netgate.com/topic/74351/routing-openvpn-traffic-through-specific-ipsec-tunnels/3
I have been able to get the traffic to flow between the network segments. I will do some further testing to ensure everything is right in the next few hours.
Tentatively, the resolution has been to:
- Add to the OpenVPN Server [Remote Office] Advanced Config push "route 10.200.1.0 255.255.255.0"
- Create 2 new phase 2 entries between Head Office and Remote Office
a. 10.200.1.0/24 to 10.30.1.0/24
b. 10.200.1.0 to 10.0.8.0/24 [openVPN subnet]
Once I did this, pings have been able to make their way from remote site office to head office. I'll update if any further issues arise.
Matthew
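To make the two halves of the fix above concrete, here is an added example (my own illustration for this thread, not Matthew's configuration or pfSense code) that models the two checks a packet from the Remote Site Office has to pass: the forwarding-table lookup on the Remote Site pfSense, where the pushed route decides whether the packet enters the OpenVPN tunnel or leaves via the LTE default route, and the IPsec security policy lookup on the Remote Office pfSense and the Head Office peer, where a policy-based tunnel only encapsulates packets that match a phase 2 selector. The subnets are the thread's; the host addresses 10.30.1.50, 10.200.1.10, 10.200.1.1 and the tunnel address 10.0.8.2 are assumed values, and the SonicWall side is modelled simply as the mirror image of the Remote Office phase 2 entries.

```python
"""Route and IPsec-selector model of the OpenVPN-to-IPsec hub-and-spoke fix.
Added example for this thread, not pfSense or OpenVPN code. Subnets come from
the thread; host and tunnel addresses (10.30.1.50, 10.200.1.10, 10.200.1.1,
10.0.8.2) are assumed for illustration."""
import ipaddress
from dataclasses import dataclass, field


def net(s):
    return ipaddress.ip_network(s, strict=False)


@dataclass(frozen=True)
class Phase2:
    """One IPsec phase 2 traffic selector as seen by one peer (local -> remote)."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

    def covers(self, src, dst):
        return ipaddress.ip_address(src) in self.local and ipaddress.ip_address(dst) in self.remote

    def mirrored(self):
        """The same selector as the other peer must configure it."""
        return Phase2(self.remote, self.local)


@dataclass
class Router:
    name: str
    routes: dict                          # prefix -> egress label ("lan", "ovpn", "wan")
    phase2: list = field(default_factory=list)

    def egress(self, dst):
        """Longest-prefix match, as the kernel forwarding table does it."""
        d = ipaddress.ip_address(dst)
        hits = [p for p in self.routes if d in p]
        return self.routes[max(hits, key=lambda p: p.prefixlen)] if hits else None

    def spd_match(self, src, dst):
        """Policy-based IPsec: only packets matching some phase 2 are encapsulated."""
        return any(p.covers(src, dst) for p in self.phase2)


def build(push_route, extra_phase2):
    """Build the three firewalls with or without the two parts of the fix."""
    site = Router("remote-site", {
        net("0.0.0.0/0"): "wan",          # LTE/CGNAT default route, deliberately not the VPN
        net("10.30.1.0/24"): "lan",
        net("10.20.1.0/24"): "ovpn",      # existing working site-to-site OpenVPN
        net("10.0.8.0/24"): "ovpn",
    })
    if push_route:                        # push "route 10.200.1.0 255.255.255.0"
        site.routes[net("10.200.1.0/24")] = "ovpn"
    office = Router("remote-office", {
        net("0.0.0.0/0"): "wan",
        net("10.20.1.0/24"): "lan",
        net("10.30.1.0/24"): "ovpn",
        net("10.0.8.0/24"): "ovpn",
    }, [Phase2(net("10.20.1.0/24"), net("10.200.1.0/24"))])   # the original phase 2
    if extra_phase2:
        office.phase2 += [
            Phase2(net("10.30.1.0/24"), net("10.200.1.0/24")),  # a. remote site LAN
            Phase2(net("10.0.8.0/24"), net("10.200.1.0/24")),   # b. OpenVPN tunnel subnet
        ]
    head = Router("head-office", {net("10.200.1.0/24"): "lan", net("0.0.0.0/0"): "wan"},
                  [p.mirrored() for p in office.phase2])   # SonicWall side assumed as mirror
    return site, office, head


def trace(site, office, head, src, dst):
    """Follow src->dst and its reply; return (reached, hop-by-hop notes)."""
    path = []
    via = site.egress(dst)
    path.append(f"{site.name}: {dst} via {via}")
    if via != "ovpn":
        return False, path                # leaves over LTE, dies behind carrier NAT
    if not office.spd_match(src, dst):
        path.append(f"{office.name}: no phase 2 covers {src}->{dst}, sent via {office.egress(dst)}")
        return False, path
    path.append(f"{office.name}: encapsulated into IPsec")
    if not head.spd_match(dst, src):
        path.append(f"{head.name}: reply {dst}->{src} matches no selector")
        return False, path
    path.append(f"{head.name}: reply encapsulated")
    return True, path


def scenarios():
    """The thread's two symptoms under three configurations: (lan_ok, firewall_ping_ok)."""
    results = {}
    for label, cfg in {"before": (False, False), "route_only": (True, False), "fixed": (True, True)}.items():
        site, office, head = build(*cfg)
        lan_ok, _ = trace(site, office, head, "10.30.1.50", "10.200.1.10")
        # A ping run from the remote-site pfSense itself leaves via the tunnel and is
        # sourced from its OpenVPN address (10.0.8.2 assumed), which is why phase 2 b
        # for the tunnel subnet is needed in addition to phase 2 a for the LAN.
        fw_ok, _ = trace(site, office, head, "10.0.8.2", "10.200.1.1")
        results[label] = (lan_ok, fw_ok)
    return results


if __name__ == "__main__":
    for label, (lan_ok, fw_ok) in scenarios().items():
        print(f"{label:10s} LAN client: {lan_ok}  firewall ping: {fw_ok}")
```

The model shows the order in which the two symptoms clear: without the pushed route nothing from 10.30.1.0/24 even reaches the Remote Office, with the route but the original single phase 2 the packets arrive and then fall through to the Remote Office WAN because no selector covers them, and the firewall-to-firewall ping needs the tunnel-subnet phase 2 because that is where its source address comes from.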
-
@mcit said in Site to Site Hub Spoke OpenVPN with IPSec:
Across this tunnel I would like the Remote Site Office client machines to be able to get traffic flow between themselves and the Head Office network.
This is a routing issue. The remote devices need a route to the head office. This would typically be handled by the remote office, with the client using it for the default route. Also, make sure no firewall rules are in the way.
-
@JKnott Thank you. I believe I have been able to resolve this. The solution was to push a route via OpenVPN along with having additional phase2 IP routes specified.
I did not set the default route for the Remote Site Office to use the Remote Office as I wanted general internet traffic to avoid the VPN.
So far, this appears to be working as required.
Matthew