IPsec iOS clients - want to access other end of OpenVPN LAN-to-LAN
OpenVPN site-to-site is working between my house and my family's house. I'm impressed by the performance and reliability out of such an easy-to-use and free solution. Since there are now two roaming iPads in the mix, I think the best option is to set up IPsec on one of the pfSenses?
This will require a different/unique subnet, right?
pfSense1:
- LAN - 192.168.42.0/24
- OpenVPN - 10.0.42.0/24
- IPsec - 10.0.43.0/24
pfSense2:
- LAN - 192.168.52.0/24
- OpenVPN - 10.0.52.0/24
Will I be able to connect an iPad to pfSense1 and be able to reach 192.168.52.*?
If so, does that mean I will need static routes?
Thank you for reading this. I'm really just looking for a sanity check. If there is a way to do this in a more 'automatic' way than setting the individual routes - I would love to know, as this has been a really fun learning experience and I want to understand as much of the fundamentals as possible.
Should be no trouble. pfSense2 will need to know that there is an extra subnet on pfSense1. In the Advanced options of the OpenVPN settings on pfSense2 you can just put:
route 10.0.43.0 255.255.255.0
Then it will know how to route to the IPsec subnet.
Similarly, IPsec settings will need to know that 192.168.52.0/24 on pfSense2 is reached by first going across the IPsec to pfSense1.
Make sure to add firewall rules to the various VPN interfaces allowing traffic to/from the extra subnets (or maybe you already just have "pass all" rules on your VPN link).
Then everything should know how to route, reply and not get filtered/dropped.
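The two-direction check Phil describes (the iPad's phase-2 selector must cover the far LAN, and pfSense2 must have a return route for the IPsec subnet), as an added example that is not from this thread:

```python
# Added example, not from the thread: a small longest-prefix-match model of the
# two pfSense routing tables and the iPad's IPsec phase-2 selectors, to check
# that iPad -> 192.168.52.x traffic has a path AND that replies can get back.
# Subnets are the ones from the question; hop labels ("lan", "ovpn", "ipsec")
# are assumed names for the interfaces.
import ipaddress

LAN1, IPSEC1 = "192.168.42.0/24", "10.0.43.0/24"   # behind pfSense1
LAN2 = "192.168.52.0/24"                            # behind pfSense2


def lookup(table, dst):
    """Next hop for dst by longest-prefix match over (prefix, hop) pairs, else None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def routing_tables(route_added_on_pfsense2):
    """Both routers' tables. The flag models adding
    'route 10.0.43.0 255.255.255.0' to the OpenVPN config on pfSense2."""
    pfsense1 = [(LAN1, "lan"), (IPSEC1, "ipsec"), (LAN2, "ovpn")]
    pfsense2 = [(LAN2, "lan"), (LAN1, "ovpn")]
    if route_added_on_pfsense2:
        pfsense2.append((IPSEC1, "ovpn"))
    return pfsense1, pfsense2


def ipad_uses_tunnel(phase2_networks, dst):
    """The iPad only sends dst into IPsec if a phase-2 selector covers it."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(n) for n in phase2_networks)


def round_trip_ok(src, dst, phase2_networks, route_added_on_pfsense2):
    """True only if every hop forwards correctly in both directions."""
    pf1, pf2 = routing_tables(route_added_on_pfsense2)
    forward = (ipad_uses_tunnel(phase2_networks, dst)
               and lookup(pf1, dst) == "ovpn" and lookup(pf2, dst) == "lan")
    reply = lookup(pf2, src) == "ovpn" and lookup(pf1, src) == "ipsec"
    return forward and reply


if __name__ == "__main__":
    # Before: phase 2 covers only LAN1 and pfSense2 lacks the route -> fails.
    print(round_trip_ok("10.0.43.5", "192.168.52.10", [LAN1], False))       # False
    # After both changes from the answer: both directions succeed.
    print(round_trip_ok("10.0.43.5", "192.168.52.10", [LAN1, LAN2], True))  # True
```

The failing case shows why the route on pfSense2 matters: the forward path works but replies to 10.0.43.0/24 have no route, which looks like a silent timeout from the iPad.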
Phil, I just wanted to say thank you. It was as simple as you suggested. I've just now had the time/focus to configure and test this properly. I just wish there was a way to get these darn iDevices to automatically reconnect to the IPsec VPN when turning back on. I think that's not an option because I'm using xauth with a pre-shared key, due to my inability to produce a certificate the iPad will accept. Too bad Apple won't open the API for tunnel management so the OpenVPN project can use it.
Anyway, thank you Phil - you helped me implement something that makes my life a little easier :)