OpenVPN and IPSec tunnel connection
-
Hi,
Currently the pfSense has two VPNs configured. One IPSec tunnel going to Watchguard XTM 505 and another which acts as VPN server for OpenVPN remote clients. Both tunnels are up and pass traffic on their respective VPN tunnels. The next step I want to accomplish is to have the OpenVPN client reach a host on the Watchguard LAN.
LAN:10.0.1.0 ---- watchguard WAN: x.x.x.x ------ IPSec ----- WAN: y.y.y.y ----- pfSense ----- LAN:192.168.1.0
                                                                                   |
                                                                                   |
                                                                                   |
                                                                                OpenVPN
                                                                                   |
                                                                                   |
                                                                                   |
                                                                              172.32.0.6
                                                                                client1

I have added the route on the OpenVPN server configuration
route 10.0.1.0 255.255.255.0;
push "route 10.0.1.0 255.255.255.0";
client-to-client;

for the OpenVPN client to identify 10.0.1.0, which is the Watchguard LAN. On the OpenVPN client I added the commands

route-method exe
route-delay 2

On the Watchguard firewall, I added a route at Network/Routes with the value

destination: 172.32.0.0
gateway: 192.168.1.1

thinking that it should be pushed to the LAN network of pfSense.
Checked the firewall rules on Watchguard and it allows all traffic from the IPSec tunnel.
For the test, I connected the OpenVPN client
ping 192.168.1.1 successful
http://192.168.1.1 successful (GUI of pfSense)
ping 10.0.1.1 failed
https://10.0.1.1:8080 failed (GUI of Watchguard)

route print under Active Routes on the client machine showed

Destination: 10.0.1.0
Gateway: 172.32.0.5
Interface: 172.32.0.6

This makes me think that routes are pushed.
At the pfSense box, I did a packet capture on the OpenVPN interface and saw the requests come in.
I think I am missing some configuration here; I hope you could direct me on what needs to be added.
Thank you so much!
-
I have added the route on the OpenVPN server configuration
route 10.0.1.0 255.255.255.0;
push "route 10.0.1.0 255.255.255.0";
client-to-client;

for the OpenVPN client to identify 10.0.1.0, which is the Watchguard LAN.
The problem would be:
route 10.0.1.0 255.255.255.0;
That will tell the pfSense end of the OpenVPN that it should use the OpenVPN to get to 10.0.1.0/24 - but actually the way to 10.0.1.0/24 is your IPsec link.
Remove this line, but leave the push line (which tells the client how to route from the client towards the Watchguard LAN). Hopefully it works.
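To make the difference between the two directives concrete, here is an added example (not code from either poster or from pfSense/OpenVPN) that parses the server-side snippet from the question and reproduces the reply's reasoning: a bare `route` line installs a route on the pfSense kernel itself via the tun interface, while `push "route ..."` only reaches the client. The script flags any locally installed OpenVPN route that overlaps a network the thread says is reached over IPsec (10.0.1.0/24), then models the client's resulting routing table with a longest-prefix match to show that the pushed route alone is what gives the client its `10.0.1.0 via 172.32.0.5` entry. The network constants come from the thread's diagram and `route print` output; that pfSense pushes 192.168.1.0/24 as its Local Network is an assumption based on the poster reaching 192.168.1.1.

```python
import ipaddress
import shlex

# Constructed from the thread: the directives the poster added to the OpenVPN
# server config, and the same block with the bare `route` removed (the reply's fix).
SERVER_CONF_BEFORE = """\
route 10.0.1.0 255.255.255.0;
push "route 10.0.1.0 255.255.255.0";
client-to-client;
"""
SERVER_CONF_AFTER = """\
push "route 10.0.1.0 255.255.255.0";
client-to-client;
"""

# Networks taken from the thread's diagram and `route print` output.
OPENVPN_TUNNEL = ipaddress.IPv4Network("172.32.0.0/24")
OPENVPN_SERVER_TUN_IP = ipaddress.IPv4Address("172.32.0.5")   # client's gateway in `route print`
IPSEC_REMOTE_NETWORKS = [ipaddress.IPv4Network("10.0.1.0/24")]  # Watchguard LAN, behind IPsec
# Assumption: pfSense's OpenVPN "Local Network" setting pushes its own LAN to clients.
PFSENSE_LAN = ipaddress.IPv4Network("192.168.1.0/24")


def parse_server_routes(conf):
    """Split an OpenVPN server config into (routes installed on the server,
    routes pushed to clients).

    A bare `route` directive adds a kernel route on the server via the tun
    interface; `push "route ..."` is sent to clients and leaves the server's
    own routing table alone. Trailing ';' (as written in the thread), comments
    and blank lines are tolerated.
    """
    local, pushed = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] == "route" and len(tokens) >= 3:
            local.append(ipaddress.IPv4Network(f"{tokens[1]}/{tokens[2]}"))
        elif tokens[0] == "push" and len(tokens) >= 2:
            inner = tokens[1].split()
            if len(inner) >= 3 and inner[0] == "route":
                pushed.append(ipaddress.IPv4Network(f"{inner[1]}/{inner[2]}"))
    return local, pushed


def server_route_conflicts(conf, ipsec_networks=IPSEC_REMOTE_NETWORKS):
    """Return networks that a bare `route` directive would bind to the OpenVPN
    tun interface on the server even though they are reached over IPsec.

    This is the mistake the reply points out: on the pfSense end 10.0.1.0/24 is
    behind the IPsec tunnel, so an OpenVPN `route` for it claims traffic that
    should never be steered into the OpenVPN interface.
    """
    local, _ = parse_server_routes(conf)
    return [net for net in local if any(net.overlaps(n) for n in ipsec_networks)]


def client_routing_table(conf):
    """Model the routes a connecting client ends up with: its tunnel subnet on
    the tun adapter, the (assumed) pushed pfSense LAN, and every pushed route,
    all via the server's tun address."""
    _, pushed = parse_server_routes(conf)
    table = [(OPENVPN_TUNNEL, None), (PFSENSE_LAN, OPENVPN_SERVER_TUN_IP)]
    table.extend((net, OPENVPN_SERVER_TUN_IP) for net in pushed)
    return table


def client_lookup(table, dst):
    """Longest-prefix match over the modelled client table. Returns
    (network, gateway), or None when the destination is not covered by any VPN
    route and would leave via the client's default route instead."""
    dst = ipaddress.IPv4Address(dst)
    matches = [entry for entry in table if dst in entry[0]]
    if not matches:
        return None
    return max(matches, key=lambda entry: entry[0].prefixlen)


if __name__ == "__main__":
    print("server-side conflicts before fix:", server_route_conflicts(SERVER_CONF_BEFORE))
    print("server-side conflicts after fix: ", server_route_conflicts(SERVER_CONF_AFTER))
    table = client_routing_table(SERVER_CONF_AFTER)
    for host in ("10.0.1.1", "192.168.1.1", "8.8.8.8"):
        print(f"client route for {host}:", client_lookup(table, host))
```

Running it shows the conflict list is non-empty for the original snippet and empty once the bare `route` line is gone, while the client table is identical in both cases: the client's `10.0.1.0 via 172.32.0.5` entry only ever came from the `push` directive, which is why the reply keeps it.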