Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Routing between OpenVPN Clients and IPSec Site-to-Site VPN Hosts

    Scheduled Pinned Locked Moved OpenVPN
    4 Posts 2 Posters 3.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S Offline
      seantsang
      last edited by

      Greetings,

      I am pulling my hair out.
      I am sure that this has been questioned many times and I have been googling for many days and just couldn't find proper solutions and instructions.
      Part of my network has been illustrated as follows:

      (please find routing tables and openvpn configure files in attachments)

      The goals I would like to achieve are:

      1. Ping FS01 from WS08 and versus.
      2. Ping FS02 from FS01 and versus.

      What I have done so far:

      1. Site-to-Site IPSec VPN: Communication between 10.110.10.0/24, 10.110.11.0/24 and 10.110.12.0/24
      2. Communication between FS01 and 10.110.12.0/24
      3. Communication between FS02 and 10.110.11.0/24

      I just couldn't figure out how to make pfsense to route my packets from OpenVPN clients to another subnets.

      Any suggestion would be appreciated.

      Best regards,

      Sean Tsang
      references.txt

      1 Reply Last reply Reply Quote 0
      • DerelictD Offline
        Derelict LAYER 8 Netgate
        last edited by

        Look at the diagram here: https://forum.pfsense.org/index.php?topic=82732.msg452811#msg452811

        I have Host B1 communicating with Host C1 over the tunnels.  Is that what you're looking for?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • S Offline
          seantsang
          last edited by

          Thanks for your response.

          Not really, I found something different:

          1. I do meshed VPN Topology
          2. IPSec tunnel between any two of pfSense firewalls.

          BTW, I have tried to add IPSec phase 2 entry with openvpn IP pool.
          For example, I created p2 entries of 172.18.10.0/24 to pfSense02 and pfSense03.
          But ended with the following errors:

          1. IPSec Client Side (pfSense02)
            Oct 19 09:32:29 racoon: [pfSense01]: INFO: initiate new phase 2 negotiation: ip.wan.pfSense02[500]<=>ip.wan.pfSense01[500]
            Oct 19 09:32:59 racoon: ERROR: ip.wan.pfSense02 give up to get IPsec-SA due to time up to wait.
          2. IPSec Server Site (pfSense01)
            Oct 19 05:19:01 racoon: [pfSense02]: INFO: IPsec-SA established: ESP ip.wan.pfSense01[500]->ip.wan.pfSense02[500] spi=96632548(0x5c27ee4)
            Oct 19 05:19:01 racoon: [pfSense02]: INFO: IPsec-SA established: ESP ip.wan.pfSense01[500]->ip.wan.pfSense02[500] spi=137278512(0x82eb430)
            Oct 19 05:19:36 racoon: [pfSense02]: INFO: IPsec-SA expired: ESP ip.wan.pfSense01[500]->ip.wan.pfSense02[500] spi=224215456(0xd5d41a0)
            Oct 19 05:19:36 racoon: [pfSense02]: INFO: initiate new phase 2 negotiation: ip.wan.pfSense01[500]<=>ip.wan.pfSense02[500]
            Oct 19 05:19:36 racoon: [pfSense02]: INFO: IPsec-SA expired: ESP/Tunnel ip.wan.pfSense02[500]->ip.wan.pfSense01[500] spi=149635236(0x8eb40a4)
            Oct 19 05:19:36 racoon: [pfSense02]: INFO: IPsec-SA established: ESP ip.wan.pfSense01[500]->ip.wan.pfSense02[500] spi=122236156(0x7492cfc)
            Oct 19 05:19:36 racoon: [pfSense02]: INFO: IPsec-SA established: ESP ip.wan.pfSense01[500]->ip.wan.pfSense02[500] spi=227682171(0xd92277b)
            Oct 19 05:22:11 racoon: [pfSense02]: INFO: respond new phase 2 negotiation: ip.wan.pfSense01[500]<=>ip.wan.pfSense02[500]
            Oct 19 05:22:11 racoon: ERROR: failed to get sainfo.
            Oct 19 05:22:11 racoon: ERROR: failed to get sainfo.
            Oct 19 05:22:11 racoon: [pfSense02]: [ip.wan.pfSense02] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
            Oct 19 05:22:21 racoon: [pfSense02]: INFO: respond new phase 2 negotiation: ip.wan.pfSense01[500]<=>ip.wan.pfSense02[500]
            Oct 19 05:22:21 racoon: ERROR: failed to get sainfo.
            Oct 19 05:22:21 racoon: ERROR: failed to get sainfo.
            Oct 19 05:22:21 racoon: [pfSense02]: [ip.wan.pfSense02] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
            Oct 19 05:22:31 racoon: [pfSense02]: INFO: respond new phase 2 negotiation: ip.wan.pfSense01[500]<=>ip.wan.pfSense02[500]
            Oct 19 05:22:31 racoon: ERROR: failed to get sainfo.
            Oct 19 05:22:31 racoon: ERROR: failed to get sainfo.
            Oct 19 05:22:31 racoon: [pfSense02]: [ip.wan.pfSense02] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
            Oct 19 05:22:31 racoon: ERROR: failed to get sainfo.
            Oct 19 05:22:31 racoon: ERROR: failed to get sainfo.
            Oct 19 05:22:31 racoon: [pfSense02]: [ip.wan.pfSense02] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).

          Thanks!!
          Sean Tsang

          1 Reply Last reply Reply Quote 0
          • S Offline
            seantsang
            last edited by

            Finally, I got the solution!!!

            https://forum.pfsense.org/index.php?topic=69826.msg381825#msg381825

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.