Netgate Discussion Forum

    OpenVPN and IPSec tunnel connection

      shy.newbie

      Hi,

      Currently, pfSense has two VPNs configured. One is an IPSec tunnel going to a Watchguard XTM 505, and the other acts as the VPN server for OpenVPN remote clients. Both tunnels are up and pass traffic on their respective VPN tunnels. The next step I want to accomplish is to have the OpenVPN client reach a host on the Watchguard LAN.

      LAN: 10.0.1.0 ---- Watchguard WAN: x.x.x.x ------ IPSec ----- WAN: y.y.y.y ----- pfSense ----- LAN: 192.168.1.0
                                                                                         |
                                                                                      OpenVPN
                                                                                         |
                                                                                     172.32.0.6
                                                                                       client1

      I have added the route on the OpenVPN server configuration

      route 10.0.1.0 255.255.255.0;
      push "route 10.0.1.0 255.255.255.0";
      client-to-client;

      for the OpenVPN client to identify 10.0.1.0, which is the Watchguard LAN. On the OpenVPN client, I added the commands

      route-method exe
      route-delay 2

      On the Watchguard firewall, I added a route at Network/Routes with the value

      destination: 172.32.0.0
      gateway: 192.168.1.1

      thinking that it should be pushed to the LAN network of pfSense

      Checked the firewall rules on Watchguard and it allows all traffic from the IPSec tunnel.

      For the test, I connected the OpenVPN client

      ping 192.168.1.1 successful
      http://192.168.1.1 successful (GUI of pfSense)
      ping 10.0.1.1 failed
      https://10.0.1.1:8080 failed (GUI of Watchguard)

      route print under Active Routes on the client machine showed

      Destination: 10.0.1.0
      Gateway: 172.32.0.5
      Interface: 172.32.0.6

      this makes me think that routes are pushed

      At the pfSense box, I did a packet capture on the OpenVPN interface and saw the requests come in.

      I think I am missing some configuration here; I hope you could direct me on what needs to be added.

      Thank you so much!

        phil.davis

        I have added the route on the OpenVPN server configuration

        route 10.0.1.0 255.255.255.0;
        push "route 10.0.1.0 255.255.255.0";
        client-to-client;

        for the OpenVPN client to identify 10.0.1.0 which is Watchguard LAN.

        The problem would be:

        route 10.0.1.0 255.255.255.0;

        That will tell the pfSense end of the OpenVPN that it should use the OpenVPN to get to 10.0.1.0/24 - but actually the way to 10.0.1.0/24 is your IPsec link.
        Remove this line, but leave the push line (which tells the client how to route from the client towards the Watchguard LAN). Hopefully it works.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

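Added example, not from either post and not pfSense or OpenVPN project code: a small Python check for the mistake phil.davis describes. It reads an OpenVPN server config, separates server-side "route" directives (which install a kernel route on the firewall pointing into the tun interface) from client-side 'push "route ..."' directives (which only tell connecting clients where to send traffic), flags any server-side route that overlaps a network already reachable over IPsec, and emits the config with just those lines removed. The config fragment and the IPsec network list are constructed from the values in the thread; the function names are my own.

```python
import ipaddress
import shlex

# Constructed sample: an OpenVPN server config fragment modelled on the post
# (pfSense "Custom options" style, one directive per line, trailing ';').
SERVER_CONF = """\
server 172.32.0.0 255.255.255.0
route 10.0.1.0 255.255.255.0;
push "route 10.0.1.0 255.255.255.0";
client-to-client;
"""

# Constructed: remote networks reachable over the IPsec tunnel
# (the Watchguard LAN in the post).
IPSEC_REMOTE_NETS = ["10.0.1.0/24"]


def _statements(conf):
    """Yield (original_line, tokens) per directive; a trailing ';' is accepted
    so pfSense custom-option syntax parses as well as a plain server.conf."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        yield raw, (shlex.split(line) if line else [])


def _route_net(tokens):
    """ip_network named by a 'route <net> <mask> ...' token list, else None."""
    if len(tokens) >= 3 and tokens[0] == "route":
        try:
            return ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
        except ValueError:
            return None  # e.g. 'route remote_host ...' or a hostname
    return None


def parse_openvpn_routes(conf):
    """Split a server config into server-side routes and client-pushed routes.

    'route' changes the server host's routing table (next hop = tun interface);
    'push "route ..."' is only delivered to clients and leaves the server's
    routing table alone.  The two are easy to confuse.
    """
    server_routes, pushed_routes = [], []
    for _raw, tokens in _statements(conf):
        if not tokens:
            continue
        if tokens[0] == "route":
            net = _route_net(tokens)
            if net:
                server_routes.append(net)
        elif tokens[0] == "push" and len(tokens) >= 2:
            net = _route_net(tokens[1].split())
            if net:
                pushed_routes.append(net)
    return server_routes, pushed_routes


def find_conflicts(server_routes, ipsec_nets):
    """Server-side routes overlapping an IPsec remote network: traffic for that
    network would be steered into the OpenVPN tun instead of the IPsec tunnel."""
    nets = [ipaddress.ip_network(n) for n in ipsec_nets]
    return [r for r in server_routes if any(r.overlaps(n) for n in nets)]


def fix_config(conf, conflicts):
    """Return the config with only the conflicting server-side 'route' lines
    removed; every 'push "route ..."' line is kept so clients still learn the path."""
    kept = []
    for raw, tokens in _statements(conf):
        if tokens and tokens[0] == "route" and _route_net(tokens) in conflicts:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    srv, pushed = parse_openvpn_routes(SERVER_CONF)
    bad = find_conflicts(srv, IPSEC_REMOTE_NETS)
    print("server-side routes  :", [str(n) for n in srv])
    print("pushed to clients   :", [str(n) for n in pushed])
    print("conflicts with IPsec:", [str(n) for n in bad])
    print("--- corrected config ---")
    print(fix_config(SERVER_CONF, bad), end="")
```

On pfSense the server-side "route" lines are what the OpenVPN server's "IPv4 Remote network(s)" field generates, so the same check applies whether the line was typed into the custom options box or entered there; the pushed route for the clients is unaffected by removing it.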
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.