Netgate Discussion Forum

OpenVPN software client into IPSEC VPN multi site network not routing

6 Posts 2 Posters 3.3k Views
    shadokin, Dec 6, 2010, 9:03 PM

    I have been digging high and wide to not ask the same question twice but can't seem to find anything so forgive me if this was asked elsewhere.

    My setup is fairly simple: I have pfSense 1.2.3 in three locations. Site A is the main site; sites B and C are offices connected via IPsec VPN within pfSense. I currently have PPTP into site A, which works great: it routes all networks of B and C and resolves DNS and everything just fine. However, my OpenVPN clients going into site A only see site A's LAN network and not sites B and C's LAN networks. I have tried everything from static routes in pfSense, static routes on the OpenVPN client machines and other things, but nothing seems to work. All firewall rules right now are any:any on the IPsec/PPTP side, so I am pretty sure it's not that. Here is a bit more in-depth view:

    Site A
    LAN: 172.16.0.0/16
    LAN GW: 172.16.0.1

    Site B
    LAN: 192.168.20.0/24
    LAN GW: 192.168.20.1

    Site C
    LAN: 10.10.10.0/24
    LAN GW: 10.10.10.1

    Thank you in advance for any help!

      jimp (Rebel Alliance Developer, Netgate), Dec 7, 2010, 3:42 PM

      IPsec does not obey routing. You'd have to also have your OpenVPN subnet included in the IPsec tunnel definitions so that the tunnels from A to B and C know to allow the traffic, and also so B and C know how to get the traffic for the VPN subnet back to A.

      It would be trivial to do this with OpenVPN; you'd just add another route statement on B and C. For IPsec, there isn't a really simple way, but it can be done. The easiest would be for you to put your OpenVPN clients into 172.17.0.x and change your IPsec tunnels to use 172.16.0.0/15 all around.

      Also note: In 2.0 you could simply add another phase 2 entry to each tunnel for the VPN subnet.

        shadokin, Dec 7, 2010, 4:04 PM

        Thank you for the reply, I think I understand what you're saying. So by changing my IPsec VPNs to use 172.16.0.0/15 as the local subnet, and then assigning 172.17.0.0/24 as my Address Pool for the OpenVPN clients at Site A, the routes would be created to B and C via the IPsec tunnels and it would allow traffic both to and from B and C when OpenVPN'ing into A as a client. Sound about right?

        Side question: Would NAT-T in 2.0 help me in this situation?

        Thanks again!

          jimp (Rebel Alliance Developer, Netgate), Dec 7, 2010, 5:09 PM

          That's right.

          As for NAT-T, no, that's not what it's for. That is for if your IPsec mobile/remote clients are behind a NAT router.

            shadokin, Dec 7, 2010, 5:43 PM

            Great thanks again, going to try this tonight :)

              shadokin, Dec 8, 2010, 3:05 AM

              Thanks, this worked for the most part. I changed the OpenVPN client address pool to 172.17.255.0/25 and I did have to do a route push in the form of...

              push "route 192.168.20.0 255.255.255.0 172.17.255.5";push "route 10.10.10.0 255.255.255.0 172.17.255.5"

              ...in the OpenVPN Client-Specific configuration, but other than that, works like a champ :)

              Thanks mate!

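A worked check of the point jimp makes (IPsec carries a packet only when it matches a phase-2 traffic selector, not when a route exists) applied to the pool and push "route" lines shadokin settled on in the last post. This is an added example, not code from the thread or from pfSense; the selector lists and the `tunnel_carries` / `selector_overreach` helpers are my own way of modelling phase 2, and the /25 pool and 172.17.255.5 gateway are the values quoted above.

```python
"""Why the OpenVPN clients could not reach sites B and C, and what the fix did.
IPsec forwards a packet only if it matches a phase-2 traffic selector
(local <-> remote subnet pair); the routing table is not consulted."""
from ipaddress import ip_address, ip_network, collapse_addresses

# Values from the thread (pfSense 1.2.3, three sites).
SITE_A_LAN = ip_network("172.16.0.0/16")
REMOTE_LANS = {"B": ip_network("192.168.20.0/24"), "C": ip_network("10.10.10.0/24")}
OPENVPN_POOL = ip_network("172.17.255.0/25")          # pool chosen in the last post
OPENVPN_GATEWAY = ip_address("172.17.255.5")          # gateway in the pushed routes
OLD_LOCAL = [SITE_A_LAN]                              # phase-2 local subnet before
NEW_LOCAL = [ip_network("172.16.0.0/15")]             # widened per jimp's advice

def tunnel_carries(src, dst, local_selectors, remote_selectors):
    """Phase-2 match: some (local, remote) selector pair covers src -> dst."""
    return any(src in loc and dst in rem
               for loc in local_selectors for rem in remote_selectors)

def uncovered_clients(pool, local_selectors, remote_lan):
    """OpenVPN client addresses whose traffic to remote_lan matches no selector
    and so is never put into the tunnel, whatever the routing table says."""
    dst = next(remote_lan.hosts())
    return [a for a in pool.hosts()
            if not tunnel_carries(a, dst, local_selectors, [remote_lan])]

def push_routes(remote_lans, gateway, pool):
    """Client-specific push "route" lines like the ones in the last post.
    The gateway must lie inside the pool or clients cannot install the route."""
    if gateway not in pool:
        raise ValueError(f"{gateway} is outside the OpenVPN pool {pool}")
    return [f'push "route {n.network_address} {n.netmask} {gateway}"'
            for n in remote_lans.values()]

def selector_overreach(selectors, intended):
    """Address space the selectors admit beyond the networks that really exist.
    A /15 lets B and C send traffic for all of 172.17.0.0/16 into site A, so
    the rules on A's IPsec interface should still name only the real subnets."""
    extra = list(selectors)
    for net in intended:
        kept = []
        for blk in extra:
            if net.subnet_of(blk):
                kept.extend(blk.address_exclude(net))   # carve the real subnet out
            elif not blk.subnet_of(net):
                kept.append(blk)                        # disjoint block, keep as-is
        extra = kept
    return list(collapse_addresses(extra))
```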
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.