Netgate Discussion Forum

OpenVPN/IPSec tunnel routing

8 Posts 4 Posters 6.1k Views
  jim.kane
    last edited by Dec 21, 2010, 8:00 PM

    We use PFSense firewalls at three installations with the following LAN networks:

    1. Datacenter #1: 10.0.0.0/16
    2. Datacenter #2: 10.1.0.0/16
    3. HQ: 10.2.0.0/16

    All of these locations are linked via an IPSEC tunnel that works properly. Hosts in any of the above networks can communicate with hosts in any other of the above networks.

    Now, for our laptops etc. we established a road warrior network 10.3.0.0/16 and have implemented OpenVPN to link the laptops etc. to Datacenter #1. This works great too, so our laptops can connect and communicate with any host in Datacenter #1 (anything on 10.0.0.0/16).

    The problem is the laptops can't communicate with any hosts that Datacenter #1 can reach by its IPSEC tunnel to Datacenter #2 (and/or the HQ for that matter).

    Does anyone know what to do configuration-wise on the PFSense box in Datacenter #1 to route packets received on the OpenVPN tunnel to Datacenter #2 over the IPSEC tunnel? It could be a setting on the OpenVPN or some sort of static route or some such.

    Any ideas?

    PS: We want the laptops etc. to only have one OpenVPN connection (not a VPN connection to each Datacenter/HQ).

      Cry Havok
      last edited by Dec 21, 2010, 8:49 PM

      Does the pfSense box know how to route to those other networks? Do those other networks know how to route back to the 10.3.0.0/16 network?

        jim.kane
        last edited by Dec 21, 2010, 8:51 PM

        The PFSense box in Datacenter #1 knows how to route to the other networks.

        The other networks don't know to route 10.3.0.0/16 back to the Datacenter #1 pfsense box.

        How would that be implemented?

          Cry Havok
          last edited by Dec 21, 2010, 9:13 PM

          Insert appropriate static routes on the default gateways of those networks.

          Note that this isn't specific to your use of a VPN, this is just basic networking.

            jim.kane
            last edited by Dec 21, 2010, 9:47 PM

            I had previously tried that and it did not work (which is what led me to conclude it was some sort of VPN related issue).

            What I did is implement a static route in Datacenter #2:

            The route was 10.3.0.0/16 (the RoadWarrior network) to 10.0.0.1 (the CARP IP of DataCenter #1 firewall).

            PFSense seemed to just ignore the static route and seemed to try and reach 10.0.0.1 via the WAN (without going through the IPSec tunnel). Any ideas?

              Cry Havok
              last edited by Dec 21, 2010, 10:26 PM

              I think you need to provide some diagrams, and outputs of the routing tables. If you can correctly reach 10.0.0.1 via the VPN and you've correctly set up the static route it should connect over the VPN.

                notladstyle
                last edited by Dec 23, 2010, 7:02 AM

                Static routes set through the GUI apply only to the LAN-WAN mapping. They will not route through the IPSEC tunnel.

                In order to route traffic back you will have to enlarge the scope of the IPSEC remote subnet to include the mobile client subnet OR create a new SPD which uses the mobile client subnet.

                  jimp (Rebel Alliance Developer, Netgate)
                  last edited by Dec 27, 2010, 1:40 PM

                  To do this in 1.2.x could get messy; it would be much easier in 2.0.

                  Let's say you have your networks, 1, 2, HQ, and RW.

                  - RW's OpenVPN needs routes pushed for the networks at 1, 2, and HQ
                  - IPsec between 1 and 2 needs an IPsec phase 2 entry for 1<=>2 and RW<=>2
                  - IPsec between 1 and HQ needs an IPsec phase 2 entry for 1<=>HQ and RW<=>HQ

                  You can use parallel IPsec tunnels in 1.2.x but some have had issues making that work. In 2.0 it's as easy as adding another Phase 2 entry to the IPsec tunnel.

                  If these are all pfSense, it would be much easier to ditch IPsec in favor of site-to-site shared key OpenVPN tunnels for the VPNs between 1, 2, and HQ. Then it would be as easy as adding the right route statements on each leg and it would all just work.

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

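The point made by notladstyle and jimp above (IPsec selects traffic by phase 2 selectors, so a static route cannot push the road warrior subnet into the tunnel until a RW<=>2 / RW<=>HQ phase 2 entry exists) can be modelled with a few lines. This is an added example, not pfSense code or anything posted in the thread; the subnet names and policy names are constructed from the thread's addressing:

```python
import ipaddress

# Constructed model of the thread's topology (example code, not pfSense's own).
# A phase 2 entry is a (name, local_subnet, remote_subnet) selector pair as seen
# from the Datacenter #1 firewall.
DC1, DC2, HQ, RW = (ipaddress.ip_network(n) for n in
                    ("10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"))

# Phase 2 entries as the original poster had them: only the DC1 LAN is covered.
P2_ORIGINAL = [("dc1<=>dc2", DC1, DC2), ("dc1<=>hq", DC1, HQ)]
# Phase 2 entries as jimp suggests: add RW<=>2 and RW<=>HQ.
P2_FIXED = P2_ORIGINAL + [("rw<=>dc2", RW, DC2), ("rw<=>hq", RW, HQ)]


def spd_lookup(policies, src, dst):
    """Policy-based IPsec: a packet is tunnelled only if BOTH its source and
    destination fall inside one phase 2 selector pair. Returns the matching
    entry name, or None if no policy covers the (src, dst) pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, local, remote in policies:
        if s in local and d in remote:
            return name
    return None


def path(policies, src, dst):
    """Forwarding decision on the DC1 firewall for one packet. A matching SPD
    entry overrides the routing table for that packet; with no match the packet
    follows the ordinary route (here: out the WAN), which is why the static
    route alone did not help in the thread."""
    entry = spd_lookup(policies, src, dst)
    return f"ipsec:{entry}" if entry else "routed:wan"


def reply_path(policies, src, dst):
    """The reply from dst back to src must also match a policy on the far-side
    firewall, whose selectors are the mirror image (local/remote swapped)."""
    mirrored = [(name, remote, local) for name, local, remote in policies]
    return path(mirrored, dst, src)


if __name__ == "__main__":
    laptop, dc2_host = "10.3.0.5", "10.1.0.20"
    for label, pol in (("original", P2_ORIGINAL), ("with RW phase 2", P2_FIXED)):
        print(label, path(pol, laptop, dc2_host), reply_path(pol, laptop, dc2_host))
```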
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.