Routing traffic originating from an OpenVPN tunnel to an IPSec tunnel

  • Is the following scenario possible in current PFsense -

    pfsense box with several interfaces plus two tunnels, one ipsec one openvpn.

    The remote end of the ipsec tunnel terminates in a network that would otherwise be routed via the default route. traffic generated locally however do reach their destination as intended.

    Traffic arriving via the openvpn tunnel apparently goes the default route, and of course we see no return traffic for attempts from there to reach addresses belonging in the remote end of the ipsec tunnel.

    I've been looking for a way to route traffic with source addresses in the openvpn tunnel's network to the ipsec network, but it looks like the pfsense gui does not have concept of a 'gateway' that is not a local interface.

    I' thinking along the lines of 'pass from $openvpn_net to $ipsec_net route-to $ipsec-endpoint' or really just adding a static route.

  • Yep, it's a little tricky but can be done.

    You have to add another Phase2 on both ends of the IPsec tunnel with the OpenVPN subnet as the local or remote subnet

    Let's say you have SiteA and SiteB as the IPsec endpoints, and OpenVPN on SiteA: you add a Phase2 on SiteA with local subnet: the OpenVPN subnet and remote subnet: SiteB subnet.
    On SiteB you add a Phase2 with local subnet: SiteB subnet and remote subnet: the OpenVPN subnet

    Make sure the firewall rules allow this traffic, too

Log in to reply