Strange routing problem from OpenVPN clients to IPsec remote site

Derelict · Apr 25, 2015, 4:28 PM

I believe you need another phase 2 entry for 192.168.254.0/24 <==> 192.168.10.0/24. This is easy between two pfSenses. I have no idea about the microtik.

Otherwise I believe you have to NAT your OpenVPN connections to something on 10.10.10.0/24 for traffic destined for 192.168.10.0/24. I am not sure if that's even possible since that's usually done outbound and you can't NAT on pfSense IPSec "interfaces."

In the diagram linked below, you want the Remote Access clients to be able to connect to pfSense C LAN (really microtik LAN)? What about connections originating on pfSense C LAN? Do they need to be able to open connections/states in the other direction?

luke404 · Apr 27, 2015, 7:36 AM

@Derelict:

I believe you need another phase 2 entry for 192.168.254.0/24 <==> 192.168.10.0/24. This is easy between two pfSenses. I have no idea about the microtik.

No, the remote site does not know anything about the 192.168.254.0/24 subnet and cannot route anything to it. Packets from that network are allowed only on our local lan, any other destination would need them to be NATted.

@Derelict:

Otherwise I believe you have to NAT your OpenVPN connections to something on 10.10.10.0/24 for traffic destined for 192.168.10.0/24. I am not sure if that's even possible since that's usually done outbound and you can't NAT on pfSense IPSec "interfaces."

And that's exactly what I was trying to do, I thought it would NAT outbound on IPSec interfaces, that's even hinted in the docs.
I did try something with the "Local Network" fields in IPSec Phase2 without success, maybe I got something wrong there…

@Derelict:

In the diagram linked below, you want the Remote Access clients to be able to connect to pfSense C LAN (really microtik LAN)? What about connections originating on pfSense C LAN? Do they need to be able to open connections/states in the other direction?

Yes, I want OpenVPN Remote Access clients to be able to access the remote lan (microtik LAN in my case).
No, hosts on the microtik LAN will not spawn new connections to OpenVPN clients, only on our local LAN (pfSense A LAN in your diagram) and that's already working right now.

thank you

Derelict · Apr 28, 2015, 5:40 AM

It looks like I got this working. I just need to verify what needs to be done for a Phase 2 for the NAT from the OpenVPN remote access in addition to a Phase 2 for pfSense A LAN to pfSense C LAN.

Derelict · Apr 28, 2015, 5:49 AM

Yeah. Not quite sure what's up with this yet. I can get the OpenVPN Remote Access to NAT using 172.26.0.200 and access 172.28.4.100 but as soon as I add another Phase 2 for 172.26.0.0/24 <==> 172.28.4.0/24 pfSense A starts sending the previously-working NAT traffic out the default gateway instead. Not sure if you can do both. Hopefully someone chimes in.

luke404 · Apr 28, 2015, 2:10 PM

…and I should mention we actually have a lot of Phase2's for many different remote LANs, all on the same Phase1 :-\

eri-- · Apr 28, 2015, 5:00 PM

Can you try a snapshot from snapshots.pfsense.org and see if that fixes the issues with multiple P2 on a P1?

luke404 · Apr 28, 2015, 5:17 PM

@ermal:

Can you try a snapshot from snapshots.pfsense.org and see if that fixes the issues with multiple P2 on a P1?

As far as I can see those snapshots are only of pfSense-2.2.2 and we weren't able to succesfully set up the IPsec part (even with just one Phase2) with the remote Microtik when we tried 2.2.0 and 2.2.1. Now the system is in production and I can't bring it down, I will try to set up a parallel test with a second pfSense to that same Microtik but I guess it'll take a few weeks before we can do that :/

kapara · Feb 9, 2016, 10:06 AM

Did you ever get this resolved?

luke404 · Feb 9, 2016, 10:24 AM

We had to work around the issue in very little time so we just set up a second pfSense on the same LAN. The main one does everything except OpenVPN and the second one does just OpenVPN, so no problems in routing OpenVPN to/from IPSec on a single box. I hadn't had any other opportunity so far to re-test that kind of setup with a single pfSense system.

luke404 · Nov 8, 2017, 7:08 PM

I'm resurrecting this old thread because we've stumbled upon an identical situation (i.e. we need to NAT traffic from OpenVPN clients directed to a remote IPSec network).

As far as I can tell nothing has changed up to and including pfSense 2.4.x: can anyone confirm that it still is not possible in any way to NAT traffic coming in from OpenVPN clients with destination on a remote IPSec network?

(please do note that I cannot add another IPSec P2 to IPSec for the OpenVPN subnet)

thank you all.