Site-to-Site + RoadWarrior VPN using IPSEC

skyebrenzo

Hi,

I've managed to setup Site1-to-Site2 VPN using IPSEC. My problem now is I'm trying to setup an additional VPN tunnel so our Engineers can work from home but still able to reach servers at Site2 by VPN'ing to Site1. I followed the steps here https://doc.pfsense.org/index.php/IPsec_for_road_warriors_in_PfSense_2.0.1_with_PSK_in_stead_of_xauth but I couldn't reach any of my clients from Site2.

Let's assume the following values:
Site1 Pub IP: 126.23.44.12
Site1 Private Net: 192.168.1.0/24

Site2 Pub IP: 30.23.87.23
Site2 Private Net: 10.0.0.0/16

RoadWarrior Virtual IP Pool: 192.20.1.0/24

By the way, I am using the same Site1 Pub IP as my Site-to-Site and RoadWarrior VPN tunnel, is that recommended?

Thanks!

Oliver

kejianshi

Is there a good reason not to use openvpn?  Is it too easy?  Like a challenge?

skyebrenzo

Hi, Kejianshi,

For the Roadwarrior VPN, I've setup OpenVPN as you advised with the following settings:

ServerMode: Remote Access (SSL/TLS + User Auth)
IPV4 Tunnel Net: 192.20.1.0/24
IPV4 Local Net: 192.168.1.0/24

Allow communication between clients connected to this server - checked
Provide a virtual adapter IP address to clients (see Tunnel Network) - checked
Allow connected clients to retain their connections if their IP address changes. - checked
Advanced Configuration:
push "route 10.0.0.0 255.255.0.0";

Fortunately, I can still access machines inside my Local network (192.168.1.0/24).

Bad news is: I still can't access my VPN Site2 machines.

My Firewall Rules for OpenVPN
Proto              Source            Port          Destination          Port          Gateway            Queue
IPV4*              *                      *                *                        *                *                      none

My route on my workstation after connecting to VPN shows

Network Destination                      Netmask                              Gateway                    Interface 
10.0.0.0                                      255.255.0.0                        192.20.1.5                    192.20.1.6

Did I missed something?

kejianshi

ahhhhhh - I see.  Probably NAT is in your way.

skyebrenzo

which NAT?

kejianshi

When you have a single public IP and you have then LAN IPs that can communicate to the public IPs and then you also have a few vpn IPs on yets other subnet addresses, Network Address Translation is how thats accomplished with IPV4 (NAT) and a side effect of NAT is that its easy enough for a computer to see "down" through layers of NAT to the PFSENSE and even the LAN network the pfsense is on, but not see back "UP" to other layers of NAT that are created to make another vpn, for instance.

So, its fairly common that 2 seperate VPN networks on seperate subnets on the same server, the clients may have broken connectivity to each other across those seperate VPNs.

What I've done in the past, where possible is to run 1 vpn server on the pfsense and to have all the clients everywhere connect to that where possible so as to put them all on the same subnet and eliminate NAT barriers.

NAT is a real pain for exactly these reasons.  Thats one of the reasons every one who knows anything wants to move to IPV6 already, which is also an option for you.

By using a dual stack ipv4 and ipv6 you would effectively be assigning public addresses to every machine everywhere so, no more NAT issues.

However I have no idea what types of services you are running or if they play well with IPV6.

razzfazz

I don't see how NAT would be the problem here, unless he somehow configured it on the "IPsec" interface.

razzfazz

skyebrenzo, did you set up appropriate phase2 entries? I.e., at site1, you'll want a phase 2 with local = road warrior IP range, remote = site2 IP range, and at site2 the other way around (local = site2 range, remote = road warrior range).