OpenVPN and IPSec tunnel connection



  • Hi,

    Currently the pfSense has two VPNs configured.  One IPSec tunnel going to Watchguard XTM 505 and another which acts as VPN server for OpenVPN remote clients.  Both tunnels are up and pass traffic on their respective VPN tunnels.  The next step I want to accomplish is to have the OpenVPN client reach a host on the Watchguard LAN.

    LAN:10.0.1.0 --- Watchguard WAN: x.x.x.x ------ IPSec ----- WAN: y.y.y.y ----- pfSense ----- LAN:192.168.1.0
                                                                                          |
                                                                                          |
                                                                                       OpenVPN
                                                                                          |
                                                                                          |
                                                                                      172.32.0.6
                                                                                       client1

    I have added the route on the OpenVPN server configuration

    route 10.0.1.0 255.255.255.0;
    push "route 10.0.1.0 255.255.255.0";
    client-to-client;

    for the OpenVPN client to identify 10.0.1.0, which is the Watchguard LAN.  On the OpenVPN client I added the commands

    route-method exe
    route-delay 2

    On the Watchguard firewall, I added a route at Network/Routes with the value

    destination: 172.32.0.0
    gateway: 192.168.1.1

    thinking that it should be pushed to the LAN network of pfSense

    Checked the firewall rules on Watchguard and it allows all traffic from the IPSec tunnel.

    For the test, I connected the OpenVPN client

    ping 192.168.1.1 successful
    http://192.168.1.1 successful (GUI of pfSense)
    ping 10.0.1.1 failed
    https://10.0.1.1:8080 failed (GUI of Watchguard)

    route print under Active Routes on the client machine showed

    Destination: 10.0.1.0
    Gateway: 172.32.0.5
    Interface: 172.32.0.6

    this makes me think that routes are pushed

    At the pfSense box, I did a packet capture on the OpenVPN interface and saw the requests come in.

    I think I am missing some configuration here; I hope you could direct me to what needs to be added.

    Thank you so much!



  • I have added the route on the OpenVPN server configuration

    route 10.0.1.0 255.255.255.0;
    push "route 10.0.1.0 255.255.255.0";
    client-to-client;

    for the OpenVPN client to identify 10.0.1.0, which is the Watchguard LAN.

    The problem would be:

    route 10.0.1.0 255.255.255.0;

    That will tell the pfSense end of the OpenVPN that it should use the OpenVPN to get to 10.0.1.0/24, but actually the way to 10.0.1.0/24 is your IPsec link.
    Remove this line, but leave the push line (which tells the client how to route from the client towards the Watchguard LAN). Hopefully it works.
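
As an added worked example (not code from the thread, and not anything pfSense ships): a small Python checker for the situation the reply describes. It takes the server-side Custom options string in pfSense's semicolon-separated format together with the remote network(s) of the IPsec phase 2 entries (assumed here to be 10.0.1.0/24, the Watchguard LAN), flags any server-side route directive that overlaps an IPsec network, and prints the field with only the push "route" and client-to-client lines left. The sample options string is constructed from the post above; the network list is an assumption about the IPsec configuration, which the thread does not show.

```python
"""Audit a pfSense OpenVPN 'Custom options' field for server-side 'route'
directives that collide with IPsec phase 2 networks, and emit a corrected field.

Added example for this thread; not pfSense or OpenVPN code.
"""
import ipaddress
import shlex


def parse_custom_options(text):
    """Split a pfSense Custom options string into directives.

    pfSense separates directives with ';' in that field. Each directive is
    split shell-style so a quoted argument such as
    "route 10.0.1.0 255.255.255.0" stays one token.
    """
    directives = []
    for raw in text.split(";"):
        raw = raw.strip()
        if raw:
            directives.append(shlex.split(raw))
    return directives


def route_network(parts):
    """Return the network an OpenVPN 'route <net> <mask>' directive targets."""
    if len(parts) < 3:
        raise ValueError("route needs a network and a netmask: %r" % (parts,))
    return ipaddress.ip_network("%s/%s" % (parts[1], parts[2]), strict=False)


def format_directive(parts):
    """Render a directive back in the page's style: double-quoted when needed,
    trailing ';' as pfSense expects."""
    words = ['"%s"' % w if any(ch.isspace() for ch in w) else w for w in parts]
    return " ".join(words) + ";"


def audit_custom_options(text, ipsec_phase2_remote):
    """Return (conflicting_networks, corrected_text).

    A server-side 'route' makes the pfSense kernel send that prefix into the
    OpenVPN tunnel. If the prefix is also the remote side of an IPsec phase 2,
    the tunnel route competes with the IPsec link for that traffic, which is
    the problem the reply points at. A push "route" only changes the client's
    routing table, so it is kept.
    """
    ipsec_nets = [ipaddress.ip_network(n) for n in ipsec_phase2_remote]
    conflicts, keep = [], []
    for parts in parse_custom_options(text):
        if parts[0] == "route":
            net = route_network(parts)
            if any(net.overlaps(p) for p in ipsec_nets):
                conflicts.append(net)
                continue  # drop the offending server-side route
        keep.append(parts)
    return conflicts, "\n".join(format_directive(p) for p in keep)


# Constructed input: the server-side options from the post, plus an assumed
# IPsec phase 2 whose remote network is the Watchguard LAN.
SERVER_OPTIONS = ('route 10.0.1.0 255.255.255.0; '
                  'push "route 10.0.1.0 255.255.255.0"; '
                  'client-to-client;')
IPSEC_REMOTE_NETS = ["10.0.1.0/24"]

if __name__ == "__main__":
    conflicts, fixed = audit_custom_options(SERVER_OPTIONS, IPSEC_REMOTE_NETS)
    for net in conflicts:
        print("server-side route %s overlaps an IPsec phase 2 network; remove it" % net)
    print("corrected Custom options:")
    print(fixed)
```

Run it against your own field by pasting the Custom options text into SERVER_OPTIONS and the remote networks of each IPsec phase 2 into IPSEC_REMOTE_NETS; the corrected text is what stays in the server's Custom options box.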

