Netgate Discussion Forum
Routing between OpenVPN Clients and IPSec Site-to-Site VPN Hosts

  • seantsang (last edited Oct 17, 2014, 4:45 PM)

    Greetings,

    I am pulling my hair out.
    I am sure that this has been questioned many times and I have been googling for many days and just couldn't find proper solutions and instructions.
    Part of my network is illustrated as follows:

    (please find the routing tables and OpenVPN configuration files in the attachments)

    The goals I would like to achieve are:

    1. Ping FS01 from WS08 and vice versa.
    2. Ping FS02 from FS01 and vice versa.

    What I have done so far:

    1. Site-to-Site IPSec VPN: Communication between 10.110.10.0/24, 10.110.11.0/24 and 10.110.12.0/24
    2. Communication between FS01 and 10.110.12.0/24
    3. Communication between FS02 and 10.110.11.0/24

    I just couldn't figure out how to make pfSense route my packets from OpenVPN clients to the other subnets.

    Any suggestion would be appreciated.

    Best regards,

    Sean Tsang
    Attachment: references.txt

    • Derelict, Netgate (last edited Oct 19, 2014, 8:19 AM)

      Look at the diagram here: https://forum.pfsense.org/index.php?topic=82732.msg452811#msg452811

      I have Host B1 communicating with Host C1 over the tunnels.  Is that what you're looking for?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • seantsang (last edited Oct 19, 2014, 3:47 PM)

        Thanks for your response.

        Not really, I found something different:

        1. I use a meshed VPN topology.
        2. IPSec tunnels between any two of the pfSense firewalls.

        BTW, I have tried to add an IPSec phase 2 entry with the OpenVPN IP pool.
        For example, I created p2 entries of 172.18.10.0/24 to pfSense02 and pfSense03.
        But it ended with the following errors:

        1. IPSec Client Side (pfSense02)
          Oct 19 09:32:29 racoon: [pfSense01]: INFO: initiate new phase 2 negotiation: ip.wan.pfSense02[500]<=>ip.wan.pfSense01[500]
          Oct 19 09:32:59 racoon: ERROR: ip.wan.pfSense02 give up to get IPsec-SA due to time up to wait.
        2. IPSec Server Side (pfSense01)
          Oct 19 05:19:01 racoon: [pfSense02]: INFO: IPsec-SA established: ESP ip.wan.pfSense01[500]->ip.wan.pfSense02[500] spi=96632548(0x5c27ee4)
          Oct 19 05:19:01 racoon: [pfSense02]: INFO: IPsec-SA established: ESP ip.wan.pfSense01[500]->ip.wan.pfSense02[500] spi=137278512(0x82eb430)
          Oct 19 05:19:36 racoon: [pfSense02]: INFO: IPsec-SA expired: ESP ip.wan.pfSense01[500]->ip.wan.pfSense02[500] spi=224215456(0xd5d41a0)
          Oct 19 05:19:36 racoon: [pfSense02]: INFO: initiate new phase 2 negotiation: ip.wan.pfSense01[500]<=>ip.wan.pfSense02[500]
          Oct 19 05:19:36 racoon: [pfSense02]: INFO: IPsec-SA expired: ESP/Tunnel ip.wan.pfSense02[500]->ip.wan.pfSense01[500] spi=149635236(0x8eb40a4)
          Oct 19 05:19:36 racoon: [pfSense02]: INFO: IPsec-SA established: ESP ip.wan.pfSense01[500]->ip.wan.pfSense02[500] spi=122236156(0x7492cfc)
          Oct 19 05:19:36 racoon: [pfSense02]: INFO: IPsec-SA established: ESP ip.wan.pfSense01[500]->ip.wan.pfSense02[500] spi=227682171(0xd92277b)
          Oct 19 05:22:11 racoon: [pfSense02]: INFO: respond new phase 2 negotiation: ip.wan.pfSense01[500]<=>ip.wan.pfSense02[500]
          Oct 19 05:22:11 racoon: ERROR: failed to get sainfo.
          Oct 19 05:22:11 racoon: ERROR: failed to get sainfo.
          Oct 19 05:22:11 racoon: [pfSense02]: [ip.wan.pfSense02] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
          Oct 19 05:22:21 racoon: [pfSense02]: INFO: respond new phase 2 negotiation: ip.wan.pfSense01[500]<=>ip.wan.pfSense02[500]
          Oct 19 05:22:21 racoon: ERROR: failed to get sainfo.
          Oct 19 05:22:21 racoon: ERROR: failed to get sainfo.
          Oct 19 05:22:21 racoon: [pfSense02]: [ip.wan.pfSense02] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
          Oct 19 05:22:31 racoon: [pfSense02]: INFO: respond new phase 2 negotiation: ip.wan.pfSense01[500]<=>ip.wan.pfSense02[500]
          Oct 19 05:22:31 racoon: ERROR: failed to get sainfo.
          Oct 19 05:22:31 racoon: ERROR: failed to get sainfo.
          Oct 19 05:22:31 racoon: [pfSense02]: [ip.wan.pfSense02] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
          Oct 19 05:22:31 racoon: ERROR: failed to get sainfo.
          Oct 19 05:22:31 racoon: ERROR: failed to get sainfo.
          Oct 19 05:22:31 racoon: [pfSense02]: [ip.wan.pfSense02] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).

        Thanks!!
        Sean Tsang

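The "failed to get sainfo" lines in the log above are what racoon reports when the responder has no phase 2 entry whose local/remote networks match the selector the initiator proposed, so the phase 2 entries must be mirrored on both firewalls. As an added example (not code from this thread or from pfSense), the following Python script pulls those rejections out of a racoon log and checks that every phase 2 entry on one firewall has its counterpart on the peer; the sample log is constructed from the lines quoted above, and the assignment of subnets to firewalls is an assumption for the demo.

```python
"""Triage racoon phase-2 rejections and check that IPsec P2 entries are mirrored."""
import re
from dataclasses import dataclass
from ipaddress import ip_network

# Racoon logs "failed to get sainfo" / "failed to pre-process ph2 packet" when the
# responder has no phase 2 entry matching the networks the initiator proposed.
P2_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: \[(?P<peer>[^\]]+)\]: .*"
    r"failed to pre-process ph2 packet \[Check Phase 2 settings, networks\]"
)


def phase2_failures(log_text):
    """Return (timestamp, peer) for every phase-2 rejection found in a racoon log."""
    return [(m.group("ts"), m.group("peer"))
            for m in (P2_FAIL.match(line) for line in log_text.splitlines()) if m]


@dataclass(frozen=True)
class Phase2:
    local: str   # local network, CIDR
    remote: str  # remote network, CIDR


def unmirrored_phase2(side_a, side_b):
    """Entries on side_a that have no counterpart (local/remote swapped) on side_b."""
    mirrors = {(ip_network(p.remote), ip_network(p.local)) for p in side_b}
    return [p for p in side_a
            if (ip_network(p.local), ip_network(p.remote)) not in mirrors]


# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Oct 19 05:22:11 racoon: [pfSense02]: INFO: respond new phase 2 negotiation: ip.wan.pfSense01[500]<=>ip.wan.pfSense02[500]
Oct 19 05:22:11 racoon: ERROR: failed to get sainfo.
Oct 19 05:22:11 racoon: [pfSense02]: [ip.wan.pfSense02] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Oct 19 05:22:21 racoon: [pfSense02]: [ip.wan.pfSense02] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
"""

# Assumed layout (not stated in the thread): pfSense01 owns 10.110.10.0/24 and the
# OpenVPN pool 172.18.10.0/24; pfSense02 owns 10.110.11.0/24.
PFSENSE01 = [Phase2("10.110.10.0/24", "10.110.11.0/24"),
             Phase2("172.18.10.0/24", "10.110.11.0/24")]
PFSENSE02 = [Phase2("10.110.11.0/24", "10.110.10.0/24")]  # pool entry never mirrored

if __name__ == "__main__":
    for ts, peer in phase2_failures(SAMPLE_LOG):
        print(f"{ts}: phase 2 rejected for peer {peer}")
    for p in unmirrored_phase2(PFSENSE01, PFSENSE02):
        print(f"pfSense01 P2 {p.local} <-> {p.remote} has no mirror on pfSense02")
```

Running it flags the 172.18.10.0/24 entry as the one lacking a matching phase 2 on the peer, which is the mismatch the log is complaining about.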
        • seantsang (last edited Oct 19, 2014, 6:23 PM)

          Finally, I got the solution!!!

          https://forum.pfsense.org/index.php?topic=69826.msg381825#msg381825

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.