OpenVPN and IPSec tunnel connection

shy.newbie

Hi,

Currently the pfSense has two VPNs configured.  One IPSec tunnel going to Watchguard XTM 505 and another which acts as VPN server for OpenVPN remote clients.  Both tunnels are up and pass traffic on their respective VPN tunnels.  The next step I want to accomplish is to have the OpenVPN client reach a host on the Watchguard LAN.

LAN:10.0.1.0 –-- watchguard WAN: x.x.x.x  ------ IPSec ----- WAN: y.y.y.y ----- pfSense ----- LAN:192.168.1.0
                                                                                                                      |
                                                                                                                      |
                                                                                                                      |
                                                                                                                OpenVPN
                                                                                                                      |
                                                                                                                      |
                                                                                                                      |
                                                                                                                172.32.0.6
                                                                                                                  client1

I have added the route on the OpenVPN server configuration

route 10.0.1.0 255.255.255.0;
push "route 10.0.1.0 255.255.255.0";
client-to-client;

for the OpenVPN client to identify 10.0.1.0 which is Watchguard LAN.  On the OpenVPN client added the commands

route-method exe
route-delay 2

On the Watchguard firewall, I added a route at Network/Routes with the value

destination: 172.32.0.0
gateway: 192.168.1.1

thinking that it should be pushed to the LAN network of pfSense

Checked the firewall rules on Watchguard and it allows all traffic from the IPSec tunnel.

For the test, I connected the OpenVPN client

ping 192.168.1.1 successful
http://192.168.1.1 successful (GUI of pfSense)
ping 10.0.1.1 failed
https://10.0.1.1:8080 failed (GUI of Watchguard)

route print under Active Routes on the client machine showed

Destination: 10.0.1.0
Gateway: 172.32.0.5
Interface: 172.32.0.6

this makes me think that routes are pushed

At the pfSense box, I did a packet capture on the OpenVPN interface and saw the requests come in.

I think I am missing some configuration here, hope you could direct me what needs to be added.

Thank you so much!

phil.davis

I have added the route on the OpenVPN server configuration

route 10.0.1.0 255.255.255.0;
push "route 10.0.1.0 255.255.255.0";
client-to-client;

for the OpenVPN client to identify 10.0.1.0 which is Watchguard LAN.

The problem would be:

route 10.0.1.0 255.255.255.0;

That will tell the pfSense end of the OpenVPN that it should use the OpenVPN to get  to 10.0.1.0/24 - but actually the way to 10.0.1.0/24 is your IPsec link.
Remove this line, but leave the push line (which tells the client about how to route from the client towards the Watchguard LAN. Hopefully it works.