OpenVPN route to IPSec Remote site



  • HI all,

I'm running a pfSense box 2.0.1 with an OpenVPN Server on it running on port 443. I also have an IPSec tunnel to a remote site. My own network is 192.168.1.0/24, the Remote Site is 192.168.0.0/24 and the VPN is 192.168.253.0/24. I want to access the network of the remote site when I'm connected to the VPN too, so I added push "route 192.168.0.0 255.255.255.0"; to the Advanced Configuration of my OpenVPN Server, but I can't connect to that site and I can't see anything regarding this in the client config file. Does anyone know what to do?

    Thanks.


  • Rebel Alliance Developer Netgate

    In addition to pushing the route to the OpenVPN client you also need another Phase 2 on the IPsec tunnel covering 192.168.253.0/24 <-> 192.168.0.0/24.



  • I've added the phase 2 entry (see screenshot) but the diagnostics tell me that the phase 2 tunnel is down. Do I have to add such a phase 2 entry on the other side as well?

    ![ip config.png](/public/imported_attachments/1/ip config.png)
    ![ipsec phase2.png](/public/imported_attachments/1/ipsec phase2.png)


  • Rebel Alliance Developer Netgate

    Yes, phase 2 entries must match on both sides of a tunnel.



Got the tunnel up, but when I do a tracert from the OpenVPN side to the IPsec side I get a timeout after the OpenVPN gateway.



The remote site (192.168.0.0/24) will also need to know that it can route back to the OpenVPN subnet (192.168.253.0/24) by sending to the pfSense router address on your LAN (192.168.1.0/24).
    Do whatever you need to do at the remote site to give it a route back.



Got it working. Thanks for your help :)



This is an interesting case as I'm suffering from exactly the same issue.
    Could you please elaborate more in detail how you fixed this?
    More specifically: what has to be done on the remote side for routing?

    Thx



@m9820441:

    > This is an interesting case as I'm suffering from exactly the same issue.
    > Could you please elaborate more in detail how you fixed this?
    > More specifically: what has to be done on the remote side for routing?
    >
    > Thx

    You just need an additional Phase 2 entry on both IPsec sides pointing to the OpenVPN network. So on your side the local network will be the OpenVPN network, and on the remote side the remote network will be your OpenVPN network.

    Cheers,

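As an added illustration of the three fixes this thread arrives at (a Phase 2 whose selectors cover the OpenVPN subnet, Phase 2 entries mirrored on both ends, and a return route at the remote site), here is a small Python model; it is not pfSense's or strongSwan's code, and the client address, target host and the remote site's routing table are constructed values.

```python
import ipaddress

# Networks taken from the thread (constructed model, not an exported pfSense config).
LAN = ipaddress.ip_network("192.168.1.0/24")            # LAN behind the pfSense box
REMOTE_SITE = ipaddress.ip_network("192.168.0.0/24")    # site reached over IPsec
OPENVPN_NET = ipaddress.ip_network("192.168.253.0/24")  # OpenVPN tunnel network

# Phase 2 entries as (local subnet, remote subnet) from each end's own point of view.
P2_ORIGINAL = [(LAN, REMOTE_SITE)]                          # before the thread's fix
P2_LOCAL = [(LAN, REMOTE_SITE), (OPENVPN_NET, REMOTE_SITE)]  # our side after the fix
P2_REMOTE = [(REMOTE_SITE, LAN), (REMOTE_SITE, OPENVPN_NET)]  # remote side, mirrored

# Remote site's routing table before/after it learns a route back to the OpenVPN subnet.
# Next hops are constructed labels; "ipsec" stands for the site's tunnel endpoint.
REMOTE_ROUTES_BEFORE = {LAN: "ipsec"}
REMOTE_ROUTES_AFTER = {LAN: "ipsec", OPENVPN_NET: "ipsec"}


def covering_phase2(phase2, src_ip, dst_ip):
    """First Phase 2 whose selectors cover src -> dst, or None (packet is not tunnelled)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for local, remote in phase2:
        if src in local and dst in remote:
            return (local, remote)
    return None


def phase2_mirrored(side_a, side_b):
    """Phase 2 entries must match on both ends: every (local, remote) here is (remote, local) there."""
    return {(l, r) for l, r in side_a} == {(r, l) for l, r in side_b}


def next_hop(routes, dst_ip):
    """Longest-prefix match over {network: next hop}; None means the site cannot route back."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [net for net in routes if dst in net]
    return routes[max(matches, key=lambda n: n.prefixlen)] if matches else None


def diagnose(p2_here, p2_there, remote_routes, client_ip="192.168.253.6", target_ip="192.168.0.10"):
    """Run the thread's checks in order and report the first one that fails."""
    if covering_phase2(p2_here, client_ip, target_ip) is None:
        return "no phase 2 covers openvpn -> remote site"      # original symptom: no connection
    if not phase2_mirrored(p2_here, p2_there):
        return "phase 2 entries do not match on both sides"    # symptom: phase 2 stays down
    if next_hop(remote_routes, client_ip) is None:
        return "remote site has no route back to openvpn subnet"  # symptom: tracert times out
    return "ok"
```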
