OpenVPN/IPSec tunnel routing

jim.kane · Dec 21, 2010, 8:00 PM

We use PFSense firewalls at three installations with the following LAN networks:

1.) Datacenter #1: 10.0.0.0/16 2.) Datacenter #2: 10.1.0.0/16 3.) HQ: 10.2.0.0/16

All of these locations are linked via an IPSEC tunnel that works properly. Hosts in any of the above networks can communicate with hosts in any other of the above networks.

Now, for our laptops etc. we established a road warrior network 10.3.0.0/16 and have implemented OpenVPN to link the laptops etc. to Datacenter #1. This works great too, so our laptops can connect and communicate with any host in Datacenter #1 (anything on 10.0.0.0/16)

The problem is the laptops can't communicate with any hosts that Datacenter #1 can reach by its IPSEC tunnel to Datacenter #2 (and/or the HQ for that matter).

Does anyone know what to do configuration wise on the PFSense box in Datacenter #1 to configure to route packets received on the OpenVPN tunnel to Datacenter #2 over the IPSEC tunnel? It could be a setting on the OpenVPN or some sort of static route or some such.

Any ideas?

PS: We want the laptops etc. to only have one OpenVPN connection (not a VPN connection to each Datacenter/HQ)

Cry Havok · Dec 21, 2010, 8:49 PM

Does the pfSense box know how to route to those other networks? Do those other networks know how to route back to the 10.3.0.0/16 network?

jim.kane · Dec 21, 2010, 8:51 PM

The PFSense box in Datacenter #1 knows how to route to the other networks.

The other networks don't know to route 10.3.0.0/16 back to the Datacenter #1 pfsense box.

How would that be implemented?

Cry Havok · Dec 21, 2010, 9:13 PM

Insert appropriate static routes on the default gateways of those networks.

Note that this isn't specific to your use of a VPN, this is just basic networking.

jim.kane · Dec 21, 2010, 9:47 PM

I had previously tried that and it did not work (which is what led met to conclude it was some sort of VPN related issue).

What I did is implement a static route in Datacenter #2:

The route was 10.3.0.0/16 (the RoadWarrior network) to 10.0.0.1 (the CARP IP of DataCenter #1 firewall).

PFSense seemd to just ignore the static route and seemed to try and reach 10.0.0.1 via the WAN (without going through the IPSec tunnel). Any ideas?

Cry Havok · Dec 21, 2010, 10:26 PM

I think you need to provide some diagrams, and outputs of the routing tables. If you can correctly reach 10.0.0.1 via the VPN and you've correctly set up the static route it should connect over the VPN.

notladstyle · Dec 23, 2010, 7:02 AM

static routes set thru the GUI apply only to the LAN-WAN mapping. They will not route through the IPSEC tunnel.

In order to route traffic back you will have to enlarge the scope of the IPSEC remote subnet to include the mobile client subnet OR create a new SPD which uses the mobile client subnet.

jimp · Dec 27, 2010, 1:40 PM

To do this in 1.2.x could get messy, it would be much easier in 2.0.

Let's say you have your networks, 1, 2, HQ, and RW.

RW's OpenVPN needs routes pushed for the networks at 1, 2, and HQ
IPsec between 1 and 2 needs an IPsec phase 2 entry for 1<=>2 and RW<=>2
IPsec between 1 and HQ needs an IPsec phase 2 entry for 1<=>HQ and RW<=>HQ

You can use parallel IPsec tunnels in 1.2.x but some have had issues making that work. In 2.0 it's as easy as adding another Phase 2 entry to the IPsec tunnel.

If these are all pfSense, it would be much easier to ditch IPsec in favor of site-to-site shared key OpenVPN tunnels for the VPNs between 1, 2, and HQ. Then it would be as easy as adding the right route statements on each leg and it would all just work.