Wish to put together some ideas..

  • Hi Everyone,

    To me, and I'm sure some others here, linking a "Road Warrior" OpenVPN network to a multi-site IPSEC network is important. This has many uses especially in geographically disverse enterprises where road warriors need access to the entire diverse network.

    I have come to learn that IPSEC tunnels are very much "subnet" specific (Unlike OpenVPN tunnels, which will route any subnet they can).

    I found this posting: http://forum.pfsense.org/index.php/topic,3416.0.html and I feel it is important to give some possible solutions to the problem.

    I wish to gather some ideas from people here, as I'm sure others have implemented a similar setup. Maybe I can work on a "tutorial" page that could go in the wiki or as a sticky, on how to "bridge" an OpenVPN network to an IPSEC network. The ideas I have so far are:

    1. Create another IPSEC tunnel between the OpenVPN endpoint and the remote IPSEC enpoint(s) which has the OpenVPN subnet in it's config (Would this work?) and simply use OpenVPN "push" to push the route to the clients
    2. Install a squid proxy server which is able to access the remote ipsec subnets (Would only work for web applications, but sometimes this is enough)
    3. Install an application specific "front-end" server, which is able to access the "back-end" server in the remote IPSEC subnet
    4. Use OpenVPN bridging instead of routed mode

    I havn't tested any of the above, but before I do, I'm sure someone will be able to point out some flaws in my "plan"


  • To me it seems like your #1 idea sounds fine. As long as IPSec has a tunnel with an endpoint of a specific subnet, it will send the data there.

  • Rebel Alliance Developer Netgate

    If OpenVPN and IPsec both terminate in the same router, then adding another IPsec subnet for the OpenVPN clients is the way to go. That's probably the best way, to be honest.

    If OpenVPN comes into a different router than IPsec, you can also pull some fun NAT trickery that would NAT the OpenVPN clients to an IP on the OpenVPN router's LAN, so it would appear to originate from within that LAN, and route properly with no alterations to the IPsec tunnels.

  • Hypothetically, if the OpenVPN connected terminated on a different machine, is there any way to direct route over the VPN without using NAT? I understand that I would of course have to create a new tunnel for IPSEC which support the OpenVPN subnet

  • Rebel Alliance Developer Netgate

    Sure you can. You'd just need a static route on the OpenVPN router that directs traffic for the IPsec subnets at the IPsec router, and a static route on the IPsec router that points traffic for the OpenVPN subnet back at the OpenVPN router.

Log in to reply