Routing between OpenVPN Clients and IPSec Site-to-Site VPN Hosts
-
Greetings,
I am pulling my hair out.
I am sure this has been asked many times; I have been googling for many days and just couldn't find proper solutions or instructions.
Part of my network is illustrated as follows (please find the routing tables and OpenVPN configuration files in the attachments):
The goals I would like to achieve are:
- Ping FS01 from WS08 and vice versa.
- Ping FS02 from FS01 and vice versa.
What I have done so far:
- Site-to-Site IPSec VPN: Communication between 10.110.10.0/24, 10.110.11.0/24 and 10.110.12.0/24
- Communication between FS01 and 10.110.12.0/24
- Communication between FS02 and 10.110.11.0/24
I just couldn't figure out how to make pfSense route my packets from OpenVPN clients to the other subnets.
Any suggestion would be appreciated.
Best regards,
Sean Tsang
-
Look at the diagram here: https://forum.pfsense.org/index.php?topic=82732.msg452811#msg452811
I have Host B1 communicating with Host C1 over the tunnels. Is that what you're looking for?
-
Thanks for your response.
Not really, I found something different:
- I use a meshed VPN topology
- IPSec tunnel between any two pfSense firewalls.
BTW, I have tried to add an IPSec phase 2 entry with the OpenVPN IP pool.
For example, I created P2 entries for 172.18.10.0/24 to pfSense02 and pfSense03.
But it ended with the following errors:
- IPSec Client Side (pfSense02)
Oct 19 09:32:29 racoon: [pfSense01]: INFO: initiate new phase 2 negotiation: ip.wan.pfSense02[500]<=>ip.wan.pfSense01[500]
Oct 19 09:32:59 racoon: ERROR: ip.wan.pfSense02 give up to get IPsec-SA due to time up to wait.
- IPSec Server Side (pfSense01)
Oct 19 05:19:01 racoon: [pfSense02]: INFO: IPsec-SA established: ESP ip.wan.pfSense01[500]->ip.wan.pfSense02[500] spi=96632548(0x5c27ee4)
Oct 19 05:19:01 racoon: [pfSense02]: INFO: IPsec-SA established: ESP ip.wan.pfSense01[500]->ip.wan.pfSense02[500] spi=137278512(0x82eb430)
Oct 19 05:19:36 racoon: [pfSense02]: INFO: IPsec-SA expired: ESP ip.wan.pfSense01[500]->ip.wan.pfSense02[500] spi=224215456(0xd5d41a0)
Oct 19 05:19:36 racoon: [pfSense02]: INFO: initiate new phase 2 negotiation: ip.wan.pfSense01[500]<=>ip.wan.pfSense02[500]
Oct 19 05:19:36 racoon: [pfSense02]: INFO: IPsec-SA expired: ESP/Tunnel ip.wan.pfSense02[500]->ip.wan.pfSense01[500] spi=149635236(0x8eb40a4)
Oct 19 05:19:36 racoon: [pfSense02]: INFO: IPsec-SA established: ESP ip.wan.pfSense01[500]->ip.wan.pfSense02[500] spi=122236156(0x7492cfc)
Oct 19 05:19:36 racoon: [pfSense02]: INFO: IPsec-SA established: ESP ip.wan.pfSense01[500]->ip.wan.pfSense02[500] spi=227682171(0xd92277b)
Oct 19 05:22:11 racoon: [pfSense02]: INFO: respond new phase 2 negotiation: ip.wan.pfSense01[500]<=>ip.wan.pfSense02[500]
Oct 19 05:22:11 racoon: ERROR: failed to get sainfo.
Oct 19 05:22:11 racoon: ERROR: failed to get sainfo.
Oct 19 05:22:11 racoon: [pfSense02]: [ip.wan.pfSense02] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Oct 19 05:22:21 racoon: [pfSense02]: INFO: respond new phase 2 negotiation: ip.wan.pfSense01[500]<=>ip.wan.pfSense02[500]
Oct 19 05:22:21 racoon: ERROR: failed to get sainfo.
Oct 19 05:22:21 racoon: ERROR: failed to get sainfo.
Oct 19 05:22:21 racoon: [pfSense02]: [ip.wan.pfSense02] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Oct 19 05:22:31 racoon: [pfSense02]: INFO: respond new phase 2 negotiation: ip.wan.pfSense01[500]<=>ip.wan.pfSense02[500]
Oct 19 05:22:31 racoon: ERROR: failed to get sainfo.
Oct 19 05:22:31 racoon: ERROR: failed to get sainfo.
Oct 19 05:22:31 racoon: [pfSense02]: [ip.wan.pfSense02] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Oct 19 05:22:31 racoon: ERROR: failed to get sainfo.
Oct 19 05:22:31 racoon: ERROR: failed to get sainfo.
Oct 19 05:22:31 racoon: [pfSense02]: [ip.wan.pfSense02] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Thanks!!
Sean Tsang
-
Finally, I got the solution!!!
https://forum.pfsense.org/index.php?topic=69826.msg381825#msg381825
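As an added example (not part of the thread or of pfSense), a small Python check that counts the racoon Phase 2 mismatch errors quoted in Sean's post and tests whether two peers' Phase 2 entries mirror each other, which is the condition racoon's "failed to get sainfo" points at: the responder has no Phase 2 policy whose local/remote networks are the swap of what the initiator proposed. The log excerpt is taken from the post; the peer names PFSENSE01_P2/PFSENSE02_P2 and their network pairs are constructed for illustration.

```python
import re
from ipaddress import ip_network

# racoon lines as quoted in the thread (peer addresses are the post's own placeholders)
SAMPLE_LOG = """\
Oct 19 05:22:11 racoon: [pfSense02]: INFO: respond new phase 2 negotiation: ip.wan.pfSense01[500]<=>ip.wan.pfSense02[500]
Oct 19 05:22:11 racoon: ERROR: failed to get sainfo.
Oct 19 05:22:11 racoon: [pfSense02]: [ip.wan.pfSense02] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Oct 19 05:19:01 racoon: [pfSense02]: INFO: IPsec-SA established: ESP ip.wan.pfSense01[500]->ip.wan.pfSense02[500] spi=96632548(0x5c27ee4)
"""

# Both messages mean the responder could not match the proposed networks to a Phase 2 entry.
PH2_MISMATCH = re.compile(r"ERROR: (failed to get sainfo|failed to pre-process ph2 packet)")


def count_ph2_mismatches(log: str) -> int:
    """Count racoon log lines that report a Phase 2 (sainfo) mismatch."""
    return sum(1 for line in log.splitlines() if PH2_MISMATCH.search(line))


def unmirrored_phase2(local_p2, remote_p2):
    """Return (local, remote) Phase 2 entries on one peer that the other peer cannot answer.

    An entry (A, B) on this peer is only negotiable if the remote peer has (B, A):
    the same two networks with the roles swapped. Anything else fails with 'failed to get sainfo'.
    """
    mirror = {(ip_network(r), ip_network(l)) for l, r in remote_p2}
    return [(l, r) for l, r in local_p2 if (ip_network(l), ip_network(r)) not in mirror]


# Constructed scenario: pfSense01 added a P2 for the OpenVPN pool, pfSense02 did not get the counterpart.
PFSENSE01_P2 = [("10.110.10.0/24", "10.110.11.0/24"), ("172.18.10.0/24", "10.110.11.0/24")]
PFSENSE02_P2 = [("10.110.11.0/24", "10.110.10.0/24")]

if __name__ == "__main__":
    print("Phase 2 mismatch lines in log:", count_ph2_mismatches(SAMPLE_LOG))
    for local, remote in unmirrored_phase2(PFSENSE01_P2, PFSENSE02_P2):
        # The remote peer would need the swapped pair to complete this Phase 2.
        print(f"pfSense01 P2 {local} -> {remote} has no mirror; pfSense02 needs {remote} -> {local}")
```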