Netgate Discussion Forum
    Site-to-Site + RoadWarrior VPN using IPSEC

skyebrenzo

      Hi,

I've managed to set up Site1-to-Site2 VPN using IPsec. My problem now is I'm trying to set up an additional VPN tunnel so our engineers can work from home but still be able to reach servers at Site2 by VPN'ing to Site1. I followed the steps here https://doc.pfsense.org/index.php/IPsec_for_road_warriors_in_PfSense_2.0.1_with_PSK_in_stead_of_xauth but I couldn't reach any of my clients from Site2.

      Let's assume the following values:
      Site1 Pub IP: 126.23.44.12
      Site1 Private Net: 192.168.1.0/24

      Site2 Pub IP: 30.23.87.23
      Site2 Private Net: 10.0.0.0/16

      RoadWarrior Virtual IP Pool: 192.20.1.0/24

      By the way, I am using the same Site1 Pub IP as my Site-to-Site and RoadWarrior VPN tunnel, is that recommended?

      Thanks!

      Oliver

kejianshi

Is there a good reason not to use OpenVPN? Is it too easy? Like a challenge?

skyebrenzo

Hi kejianshi,

For the road warrior VPN, I've set up OpenVPN as you advised with the following settings:

          ServerMode: Remote Access (SSL/TLS + User Auth)
          IPV4 Tunnel Net: 192.20.1.0/24
          IPV4 Local Net: 192.168.1.0/24

          Allow communication between clients connected to this server - checked
          Provide a virtual adapter IP address to clients (see Tunnel Network) - checked
          Allow connected clients to retain their connections if their IP address changes. - checked
          Advanced Configuration:
          push "route 10.0.0.0 255.255.0.0";

Fortunately, I can still access machines inside my local network (192.168.1.0/24).

          Bad news is: I still can't access my VPN Site2 machines.

My firewall rules for OpenVPN:

Proto   Source   Port   Destination   Port   Gateway   Queue
IPv4*   *        *      *             *      *         none

My route on my workstation after connecting to the VPN shows:

Network Destination   Netmask       Gateway      Interface
10.0.0.0              255.255.0.0   192.20.1.5   192.20.1.6

Did I miss something?

kejianshi

Ahhhhhh, I see. Probably NAT is in your way.

skyebrenzo

Which NAT?

kejianshi

When you have a single public IP, and you then have LAN IPs that can communicate to the public IPs, and then you also have a few VPN IPs on yet other subnet addresses, Network Address Translation (NAT) is how that's accomplished with IPv4. A side effect of NAT is that it's easy enough for a computer to see "down" through layers of NAT to the pfSense and even the LAN network the pfSense is on, but not see back "up" to other layers of NAT that are created to make another VPN, for instance.

So it's fairly common that with 2 separate VPN networks on separate subnets on the same server, the clients may have broken connectivity to each other across those separate VPNs.

What I've done in the past, where possible, is to run 1 VPN server on the pfSense and have all the clients everywhere connect to that, so as to put them all on the same subnet and eliminate NAT barriers.

NAT is a real pain for exactly these reasons. That's one of the reasons everyone who knows anything wants to move to IPv6 already, which is also an option for you.

By using dual-stack IPv4 and IPv6 you would effectively be assigning public addresses to every machine everywhere, so no more NAT issues.

However, I have no idea what types of services you are running or if they play well with IPv6.

razzfazz

                  I don't see how NAT would be the problem here, unless he somehow configured it on the "IPsec" interface.

razzfazz

skyebrenzo, did you set up appropriate phase 2 entries? I.e., at Site1 you'll want a phase 2 with local = road warrior IP range, remote = Site2 IP range, and at Site2 the other way around (local = Site2 range, remote = road warrior range).

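The following is an added example, not code from the thread and not pfSense's or strongSwan's own code. It models the lookup razzfazz's answer depends on: an IPsec policy only carries a packet through a phase 2 whose local selector contains the source and whose remote selector contains the destination, and the far end needs the mirror image of that phase 2 to accept the packet and send the reply. It uses the thread's three networks; the "before" and "after" phase 2 lists are constructed here to show why the OpenVPN post's pushed route (which only gets the packet as far as the Site1 pfSense) was not enough. The model assumes IKEv1-style exact selector matching; an IKEv2 peer may narrow a wider proposal instead.

```python
"""Which IPsec phase 2 carries a road-warrior packet to Site2?

Added example. Models a strongSwan/pfSense-style SPD lookup on the three
networks from the thread. Phase 2 lists are constructed to illustrate the
fix; they are not anyone's real configuration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Sequence

SITE1_LAN = ip_network("192.168.1.0/24")
SITE2_LAN = ip_network("10.0.0.0/16")
RW_POOL = ip_network("192.20.1.0/24")    # road-warrior virtual IP pool


@dataclass(frozen=True)
class Phase2:
    """One phase 2 (child SA): traffic selectors as seen from this peer."""
    local: IPv4Network
    remote: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.local and dst in self.remote

    def mirrors(self, other: "Phase2") -> bool:
        """True if the far end has the same selectors with local/remote swapped.

        Assumption: IKEv1-style exact match. IKEv2 peers may narrow instead.
        """
        return self.local == other.remote and self.remote == other.local


def select_sa(policies: Sequence[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """Return the first phase 2 that would carry a src->dst packet, or None.

    None means there is no SPD entry for the flow: the packet follows the
    plain routing table (typically the default route) instead of the tunnel,
    which is exactly the "can't reach Site2" symptom.
    """
    s, d = ip_address(src), ip_address(dst)
    for p2 in policies:
        if p2.matches(s, d):
            return p2
    return None


def diagnose(site1: Sequence[Phase2], site2: Sequence[Phase2],
             src: str, dst: str) -> str:
    """Explain the round trip for a flow that originates behind Site1.

    Site1 needs a phase 2 for src->dst, Site2 needs one for the reply
    dst->src, and the two must mirror each other. Fixing only Site1 leaves
    the reply with no SA, so the client still sees nothing come back.
    """
    out = select_sa(site1, src, dst)
    back = select_sa(site2, dst, src)
    if out is None:
        return "no phase 2 at Site1 covers the flow"
    if back is None:
        return "no phase 2 at Site2 covers the reply"
    if not out.mirrors(back):
        return "phase 2 selectors do not mirror each other"
    return "tunneled"


def path_is_tunneled(site1: Sequence[Phase2], site2: Sequence[Phase2],
                     src: str, dst: str) -> bool:
    return diagnose(site1, site2, src, dst) == "tunneled"


# Before the fix: only the LAN-to-LAN phase 2 exists on each side.
SITE1_BEFORE = [Phase2(SITE1_LAN, SITE2_LAN)]
SITE2_BEFORE = [Phase2(SITE2_LAN, SITE1_LAN)]

# After the fix: an extra phase 2 for the road-warrior pool, mirrored on Site2.
SITE1_AFTER = SITE1_BEFORE + [Phase2(RW_POOL, SITE2_LAN)]
SITE2_AFTER = SITE2_BEFORE + [Phase2(SITE2_LAN, RW_POOL)]

# Constructed misconfiguration: Site2 uses a wider selector than Site1 offers.
SITE2_WIDE = SITE2_BEFORE + [Phase2(SITE2_LAN, ip_network("192.20.0.0/16"))]


if __name__ == "__main__":
    flows = [("LAN host", "192.168.1.20", "10.0.0.10"),
             ("road warrior", "192.20.1.6", "10.0.0.10")]
    for label, s1, s2 in [("before", SITE1_BEFORE, SITE2_BEFORE),
                          ("Site1 only", SITE1_AFTER, SITE2_BEFORE),
                          ("both sides", SITE1_AFTER, SITE2_AFTER)]:
        for who, src, dst in flows:
            print(f"{label:11} {who:13} {src} -> {dst}: "
                  f"{diagnose(s1, s2, src, dst)}")
```

Two practitioner caveats that the model makes visible: the Windows route entry in the OpenVPN post only proves the client sends 10.0.0.0/16 traffic into the tunnel to Site1; what happens next is decided by Site1's SPD, and with the road-warrior pool as source that lookup fails until the extra phase 2 exists on both ends. And once the phase 2 pair is in place, Site2's firewall rules on the IPsec tab still have to permit traffic sourced from 192.20.1.0/24, since the existing rules there were likely written for 192.168.1.0/24 only.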
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.