Accessing IPsec branch office from an OpenVPN client



  • Hi, all.

    I have an IPsec VPN between HQ (10.10.0.0) and the Data Centre (172.17.12.0), and I have OpenVPN clients (10.0.9.0) that connect to HQ.

    The problem is that the OpenVPN users cannot currently access servers at the DC. Do I need to add a new Phase 2 config for the 10.0.9.x subnet that the OpenVPN clients are using?

    HQ <--ipsec--> Data Centre
    |
    OpenVPN
    |
    Home


  • Rebel Alliance Developer Netgate

    Yes, you need a Phase 2 on both ends of the IPsec tunnel to cover the 10.0.9.0/24 <-> 172.17.12.0/24 path.


  • Netgate

    And a:

    push "route 10.0.9.0 255.255.255.0"

    In the OpenVPN server config right?

    And firewall rules on the OpenVPN server interface that passes traffic to 10.0.9.0/24…


  • Rebel Alliance Developer Netgate

    A pushed route would be for 172.17.12.0 - that may or may not be needed, depends on the client settings. If it's already forwarding everything across the VPN that wouldn't be necessary.


  • Netgate

    Of course I get the networks backwards. Thanks.



  • @jimp:

    Yes, you need a Phase 2 on both ends of the IPsec tunnel to cover the 10.0.9.0/24 <-> 172.17.12.0/24 path

    Do I need a 2nd Phase 2 on the HQ end as well? That will be exactly the same as the existing one, as the DC end is all one subnet.


  • Rebel Alliance Developer Netgate

    A Phase 2 entry must be defined on both sides of an IPsec tunnel, so yes, you'll need that P2 on both the HQ and DC routers.



  • But the HQ end is the same for both and I can't create two Phase 2 entries that are the same.

    HQ            DC
    10.10.0.0/24  172.17.12.0/24
    10.0.9.0/24


  • Rebel Alliance Developer Netgate

    It's not the same.

    On the HQ IPsec tunnel you will need:

    10.10.0.0/24 to 172.17.12.0/24
    10.0.9.0/24 to 172.17.12.0/24

    On the DC IPsec tunnel you will need:

    172.17.12.0/24 to 10.10.0.0/24
    172.17.12.0/24 to 10.0.9.0/24

    Each possible path for traffic on IPsec needs to be defined in a Phase 2.



  • That's what I don't understand though. Here's what I have:

    HQ End
    Phase-I: The DC public IP
    Phase-II: The DC private IP - 172.17.12.0/24 - there is no reference to the internal HQ IP range

    DC End
    Phase-I: The HQ public IP
    Phase-II: The HQ private IP 10.10.0.0/24

    So following on from what I have, the only place where I see a 10.10.0.0 where I might need to add a 10.0.9.0 is the DC's Phase-II. Everything about a second HQ Phase II would be the same as what's there already.


  • Rebel Alliance Developer Netgate

    You can have multiple Phase 2 entries per Phase 1.

    Just clone the existing P2 entry and change the network to refer to the OpenVPN subnet.



  • Aah, cool, I'll try that. I was confused by the "you need a Phase 2 on both ends".

    I'll try this.

    I assume I'll have to push the 172.17.12.0/24 route to the OpenVPN clients too.



  • Rebel Alliance Developer Netgate

    You do need the Phase 2 defined on both ends though - your screenshot only shows the second P2 on the DC, you also need that on HQ, just change "LAN" to the OpenVPN subnet.

    And unless you have the OpenVPN client route all traffic across while connected, yes you'll need to push a route.
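The two points made in this thread (every traffic path needs a matching Phase 2 on both ends of the tunnel, and OpenVPN clients need a pushed route for the DC network unless they already send all traffic through the tunnel) are easy to get wrong in a GUI, so here is a small model of them as an added example. It is not code from the thread or from pfSense; it uses the three subnets from the thread as constructed sample data, and the function names (`check_flow`, `openvpn_push_routes`) and the three sample configurations are mine. A Phase 2 entry is modelled as the (local network, remote network) pair that becomes the IPsec traffic selector, and the "DC only" case reproduces the mistake called out above, where the second P2 was added on the DC side but not on HQ.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample networks, taken from the thread.
HQ_LAN = ipaddress.ip_network("10.10.0.0/24")       # pfSense "LAN" on the HQ box
OPENVPN_NET = ipaddress.ip_network("10.0.9.0/24")   # OpenVPN client tunnel network
DC_LAN = ipaddress.ip_network("172.17.12.0/24")     # data centre LAN

# One Phase 2 entry as seen from the peer that defines it: (local, remote).
Phase2 = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]
Config = Dict[str, List[Phase2]]  # "HQ" and "DC" each carry their own P2 list


def make_config(hq: List[Phase2], dc: List[Phase2]) -> Config:
    return {"HQ": hq, "DC": dc}


def covered_by(entries: List[Phase2], src, dst) -> bool:
    """True if some entry's (local, remote) selector contains the src->dst pair."""
    return any(src in local and dst in remote for local, remote in entries)


def check_flow(cfg: Config, src_ip: str, dst_ip: str) -> List[str]:
    """Check a flow that enters the tunnel at HQ and leaves it at DC.

    HQ must hold a P2 whose local network contains src and whose remote
    network contains dst. DC sees the same flow mirrored: its local network
    must contain dst and its remote network src. IPsec selectors cover both
    directions, so the reply traffic is covered by the same entries.
    Returns the sides that have no matching Phase 2 entry.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    missing = []
    if not covered_by(cfg["HQ"], src, dst):
        missing.append("HQ")
    if not covered_by(cfg["DC"], dst, src):
        missing.append("DC")
    return missing


def openvpn_push_routes(remote_networks, redirect_gateway: bool = False) -> List[str]:
    """Server-side 'push "route ..."' lines so clients send the listed networks
    into the tunnel. Nothing is needed when the client already routes all
    traffic across the VPN (redirect-gateway), as the thread notes."""
    if redirect_gateway:
        return []
    return [f'push "route {n.network_address} {n.netmask}"' for n in remote_networks]


# Sample configurations (constructed): the thread's starting point, the
# DC-only mistake, and the completed setup with a second P2 on both ends.
ORIGINAL = make_config(hq=[(HQ_LAN, DC_LAN)],
                       dc=[(DC_LAN, HQ_LAN)])
DC_ONLY = make_config(hq=[(HQ_LAN, DC_LAN)],
                      dc=[(DC_LAN, HQ_LAN), (DC_LAN, OPENVPN_NET)])
COMPLETE = make_config(hq=[(HQ_LAN, DC_LAN), (OPENVPN_NET, DC_LAN)],
                       dc=[(DC_LAN, HQ_LAN), (DC_LAN, OPENVPN_NET)])


if __name__ == "__main__":
    client, server = "10.0.9.5", "172.17.12.10"  # constructed OpenVPN client and DC host
    for name, cfg in (("original", ORIGINAL), ("dc-only", DC_ONLY), ("complete", COMPLETE)):
        missing = check_flow(cfg, client, server)
        print(f"{name:9s} {client} -> {server}: "
              + ("OK" if not missing else "no Phase 2 on " + ", ".join(missing)))
    for line in openvpn_push_routes([DC_LAN]):
        print("OpenVPN server config needs:", line)
```

The checker only models the Phase 2 selectors and the client route; it says nothing about the firewall rules on the OpenVPN and IPsec interfaces that also have to pass the 10.0.9.0/24 traffic, which the thread mentions separately.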



  • It worked! Thank you for your patience! I didn't even think to change the "LAN" part of that config. I was kind of assuming that once you're VPN'd in, you're part of the LAN.