    Routing traffic originating from an OpenVPN tunnel to an IPSec tunnel

    Routing and Multi WAN
peter.hansteenevry.com wrote:

Is the following scenario possible in current pfSense?

pfSense box with several interfaces plus two tunnels, one IPsec, one OpenVPN.

The remote end of the IPsec tunnel terminates in a network that would otherwise be routed via the default route. Traffic generated locally, however, does reach its destination as intended.

Traffic arriving via the OpenVPN tunnel apparently goes the default route, and of course we see no return traffic for attempts from there to reach addresses belonging to the remote end of the IPsec tunnel.

I've been looking for a way to route traffic with source addresses in the OpenVPN tunnel's network to the IPsec network, but it looks like the pfSense GUI does not have a concept of a 'gateway' that is not a local interface.

I'm thinking along the lines of 'pass from $openvpn_net to $ipsec_net route-to $ipsec-endpoint' or really just adding a static route.

georgeman wrote:

Yep, it's a little tricky, but it can be done.

You have to add another Phase 2 on both ends of the IPsec tunnel with the OpenVPN subnet as the local or remote subnet.

Let's say you have SiteA and SiteB as the IPsec endpoints, and OpenVPN on SiteA: you add a Phase 2 on SiteA with local subnet: the OpenVPN subnet and remote subnet: SiteB subnet.
On SiteB you add a Phase 2 with local subnet: SiteB subnet and remote subnet: the OpenVPN subnet.

Make sure the firewall rules allow this traffic, too.

If it ain't broke, you haven't tampered enough with it

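The answer above amounts to a rule about IPsec traffic selectors: every Phase 2 (local, remote) pair configured on one endpoint must exist as the mirrored (remote, local) pair on the other, and the OpenVPN-sourced flow must fall inside one such pair on both sides, otherwise the reply from SiteB is never encapsulated, which is exactly the "no return traffic" symptom in the question. The following is an added example, not code from the thread or from pfSense; it models each endpoint's Phase 2 list as plain (local, remote) subnet pairs and checks both properties. The subnet values are constructed placeholders.

```python
"""Check that IPsec Phase 2 traffic selectors on two endpoints mirror each
other and cover a flow sourced from an OpenVPN tunnel network.

Added example, not from the forum thread or pfSense. All addressing below
is a constructed assumption; replace it with your own subnets.
"""
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption, not from the thread).
SITE_A_LAN = ip_network("10.1.0.0/24")    # LAN behind the SiteA pfSense box
SITE_B_LAN = ip_network("10.2.0.0/24")    # LAN behind the SiteB IPsec peer
OPENVPN_NET = ip_network("10.8.0.0/24")   # OpenVPN tunnel network on SiteA

# A Phase 2 entry is (local_subnet, remote_subnet) as seen from that endpoint.
# "Before": only the LAN-to-LAN selector exists on each side.
SITE_A_BEFORE = [(SITE_A_LAN, SITE_B_LAN)]
SITE_B_BEFORE = [(SITE_B_LAN, SITE_A_LAN)]

# "After": the extra Phase 2 from the answer, added on BOTH ends.
SITE_A_AFTER = SITE_A_BEFORE + [(OPENVPN_NET, SITE_B_LAN)]
SITE_B_AFTER = SITE_B_BEFORE + [(SITE_B_LAN, OPENVPN_NET)]


def unmirrored(a_pairs, b_pairs):
    """Return selectors that have no mirrored counterpart on the other end.

    Every (local, remote) on SiteA must appear as (remote, local) on SiteB and
    vice versa. An empty list means the two configurations are consistent.
    """
    missing = []
    for local, remote in a_pairs:
        if (remote, local) not in b_pairs:
            missing.append(("SiteA", local, remote))
    for local, remote in b_pairs:
        if (remote, local) not in a_pairs:
            missing.append(("SiteB", local, remote))
    return missing


def selector_for(pairs, src, dst):
    """Return the first selector whose local covers src and remote covers dst."""
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in pairs:
        if src in local and dst in remote:
            return (local, remote)
    return None


def flow_is_protected(a_pairs, b_pairs, src, dst):
    """True when src->dst matches a selector on SiteA and dst->src matches the
    mirror of that selector on SiteB.

    If only the SiteA side matches, the request is encapsulated but SiteB has
    no selector for the reply, so the return traffic never comes back.
    """
    fwd = selector_for(a_pairs, src, dst)
    rev = selector_for(b_pairs, dst, src)
    return fwd is not None and rev is not None and rev == (fwd[1], fwd[0])


if __name__ == "__main__":
    client, server = "10.8.0.5", "10.2.0.10"   # OpenVPN client -> SiteB host
    print("before:", flow_is_protected(SITE_A_BEFORE, SITE_B_BEFORE, client, server))
    print("after: ", flow_is_protected(SITE_A_AFTER, SITE_B_AFTER, client, server))
    print("SiteA only:", unmirrored(SITE_A_AFTER, SITE_B_BEFORE))
```

The `unmirrored` check is the one worth running after any change: adding the Phase 2 on SiteA alone passes the forward check but leaves an unmirrored selector, and `flow_is_protected` reports the flow as unprotected until SiteB gets the matching entry.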