OpenVPN client can connect to the local LAN but not the LAN across the IPsec VPN



  • Hello, I've uploaded an image to hopefully help with describing my current network problem.

    I have 2 LANs physically separated, LanA and LanB; each site is using pfSense. We have IPsec enabled to allow communications between LanA and LanB. So I set up an OpenVPN server on pfsA, and the client, ovpnA, is able to communicate with servers on LanA. The problem I'm having is trying to get the OpenVPN client, ovpnA, to connect to the servers on LanB.

    When I do a packet capture on IPsec I never see any traffic from ovpnA. I've added `route 10.70.40.0; push "route 10.70.40.0 255.255.255.0"` to the advanced settings of OpenVPN, and the route is updated on ovpnA.

    I enabled NAT for the OpenVPN subnet to be identical to LanA except for the IP. I cannot find any other option that is stopping ovpnA from connecting to HostB.

    Any ideas?

    Thanks,

    Lou

    ----------------------------------------
    Traceroute HostA to HostB

    traceroute HostB

    traceroute to HostB (10.70.40.121), 30 hops max, 40 byte packets
    pfsA.XXXX.com (192.168.1.1)  0.278 ms  0.233 ms  0.212 ms
    HostB.XXXX.com (10.70.40.121)  25.887 ms !X  26.945 ms !X  27.108 ms !X

    Traceroute HostA to ovpnA

    traceroute to 192.168.11.6 (192.168.11.6), 30 hops max, 40 byte packets

    pfsa.XXXX.com (192.168.1.1)  0.387 ms  0.309 ms  0.311 ms
    2  192.168.11.6 (192.168.11.6)  32.658 ms * *


    Traceroute from HostB to HostA

    traceroute 192.168.1.14

    traceroute to 192.168.1.14 (192.168.1.14), 30 hops max, 60 byte packets
    pfsB.XXXX.com (10.70.40.252)  0.273 ms  0.231 ms  0.262 ms
    2  * * *
    HostA.XXXX.com (192.168.1.14)  26.877 ms  27.060 ms  27.149 ms

    Traceroute from HostB to openVPNA

    traceroute 192.168.11.6

    traceroute to 192.168.11.6 (192.168.11.6), 30 hops max, 60 byte packets
    pfsB.XXXX.com (10.70.40.252)  0.274 ms  0.227 ms  0.250 ms
    ip67-91-239-129.z239-91-67.customer.algx.net (67.91.239.129)  1.190 ms  1.378 ms  1.586 ms
    3  * * *
    4  * * *
    5  * * *
    6  * * *
    7  * * *
    8  *^C


    Traceroute from ovpnA to HostB
    tracert 10.70.40.121
    over a maximum of 30 hops:

    1    61 ms    29 ms    27 ms  192.168.11.1
      2    35 ms    29 ms    28 ms  10.1.10.1
      3    *        *        *    Request timed out.
      4    *        *        *    Request timed out.
      5    *        *        *    Request timed out.
    30    *        *        *    Request timed out.

    Traceroute from ovpnA to HostA
    tracert  192.168.1.14
    over a maximum of 30 hops:

    1    28 ms    28 ms    29 ms  192.168.11.1
      2    28 ms    30 ms    52 ms  HostA.XXXX.com [192.168.1.14]

    Trace complete.




  • It looks like pfsB does not know that the pfsA link is the route to OvpnA; on the traceroute from HostB to OvpnA, pfsB is sending that out to the public internet.
    On pfsB OpenVPN (client probably, but could be the server end) add the OvpnA subnet to the list of subnets in the "Remote Network(s)" field.
    Then also check that firewall rules on OpenVPN at pfsA and pfsB are allowing the various private subnet possibilities.



  • I spent a few hours this weekend reading replies to similar problems and I found one reply that talked about Phase-2 entries. Once I added an entry into Phase-2 on both pfsA and pfsB I was then able to connect to servers on LanB.

    Thanks for the help and a great product.
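The resolution above comes down to IPsec traffic selectors: a packet is only sent into the tunnel if some Phase 2 entry's local/remote pair covers it, and the reply must be covered on the other pfSense too. The following script is an added illustration, not code from the thread or from pfSense; it models the Phase 2 lookup with the subnets quoted in the thread and assumes the OpenVPN tunnel subnet is 192.168.11.0/24 (only the addresses 192.168.11.1 and 192.168.11.6 appear in the traces).

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network
Phase2 = Tuple[Net, Net]  # (local network, remote network): one IPsec Phase 2 traffic selector


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr, strict=False)


def match_phase2(entries: Iterable[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """Return the first Phase 2 entry whose selectors cover src -> dst, or None.
    Unmatched traffic is not encrypted; it follows the ordinary routing table,
    which is why HostB's trace to ovpnA went out through the ISP hop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in entries:
        if s in local and d in remote:
            return (local, remote)
    return None


def tunnel_covers(pfs_a: Iterable[Phase2], pfs_b: Iterable[Phase2], src: str, dst: str) -> bool:
    """True only if pfsA covers src -> dst AND pfsB covers the reply dst -> src.
    Adding the entry on one side only leaves the return path outside the tunnel."""
    return (match_phase2(pfs_a, src, dst) is not None
            and match_phase2(pfs_b, dst, src) is not None)


def uncovered_sources(pfs_a: Iterable[Phase2], pfs_b: Iterable[Phase2],
                      src_nets: Iterable[Net], dst: str) -> List[str]:
    """List source subnets (by their first usable host) that cannot reach dst through the tunnel."""
    pfs_a, pfs_b = list(pfs_a), list(pfs_b)
    return [str(n) for n in src_nets
            if not tunnel_covers(pfs_a, pfs_b, str(next(n.hosts())), dst)]


# Constructed sample based on the subnets in the thread (OVPN_A is an assumption).
LAN_A, LAN_B, OVPN_A = net("192.168.1.0/24"), net("10.70.40.0/24"), net("192.168.11.0/24")

# Before the fix: the only Phase 2 on each side is LanA <-> LanB.
PFS_A_BEFORE: List[Phase2] = [(LAN_A, LAN_B)]
PFS_B_BEFORE: List[Phase2] = [(LAN_B, LAN_A)]
# After the fix: the OpenVPN subnet added as a second Phase 2 entry on BOTH firewalls.
PFS_A_AFTER = PFS_A_BEFORE + [(OVPN_A, LAN_B)]
PFS_B_AFTER = PFS_B_BEFORE + [(LAN_B, OVPN_A)]

if __name__ == "__main__":
    for label, a, b in (("before", PFS_A_BEFORE, PFS_B_BEFORE), ("after", PFS_A_AFTER, PFS_B_AFTER)):
        print(label, "uncovered:", uncovered_sources(a, b, [LAN_A, OVPN_A], "10.70.40.121"))
```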

