Openvpn – pfsense – route OpenVPN roadwarrior over IPSec to secondary office

ipsecopenvpnpfsense

Having some trouble connecting clients from one office to the other.

  (10.1.1.0/24)             (192.168.5.0/24)
   Office ONE  <--- IPSec ---> Office TWO
        ^
        |
        v
  Road Warrior 1 (OpenVPN client)
    (10.1.2.2)

I've added an extra P2:
VPN / IPsec / Tunnels / Edit Phase 2
tunnel 10.1.2.0/24 192.168.5.0/24 ESP

And I've also added to OpenVPN custom Options:
VPN / OpenVPN / Servers / Edit
push "route 192.168.5.0 255.255.255.0";

But still Road Warrior 1 can only ping servers in the 10.1.1.0/24 subnet.

Any idea what I'm missing or what I've done wrong? Both pfsense boxes.

Best Answer

For anyone Googling here with the same issue.

1) You must configure IPSec P2 with the following (reverse for Office B)

Mode    Local Subnet   Remote Subnet
tunnel  10.1.1.0/24    192.168.5.0/24  (to connect office A to office B)
tunnel  10.1.2.0/24    192.168.5.0/24  (to connect OpenVPN from A to office B)
tunnel  10.1.1.0/24    192.168.2.0/24  (to connect OpenVPN from B to office A)

2) You must open firewall (Firewall -> IPSec -> Rules)

Protocol    Source          Port    Destination Port    Gateway
IPv4 *      192.168.5.0/24  *       *           *       *
IPv4 *      192.168.2.0/24  *       *           *       *

3) Restart the IPSec service!

I failed to do this and it cost me 1h trying to dig what was wrong.

Related Solutions

Openvpn – pfSense Site-toSite VPN with OpenVPN connects but won’t route traffic

Here's what may be an issue. Imagine you have following network:

address pool: 10.1.1.0/255.255.255.0
router: 10.1.1.1
internal interface on internal vpn server: 10.1.1.2
some external machine that VPNs to network: 10.2.2.2
some internal client machine: 10.1.1.90

When you trying to access SIC from external VPN box, then traffic route goes like this:

10.2.2.2
vpn (internet)
10.1.1.2
10.1.1.90
OK

Seems fine, HOWEVER, in order for traffic to flow, the 10.1.1.90 machine should be able to respond and that means that packets from it must be routable to 10.2.2.2 too. Internal client has obviously ip: 10.1.1.90, mask: 255.255.255.0 and router: 10.1.1.90. Therefore, packets would be routed like this:

10.1.1.90
10.1.1.1 (sine it is router, and 10.2.2.2 is not directly addressable)
internet
NOT FOUND

Basically, reply packets will not even reach VPN. What can you do? Obviously, what will work is to add route to internal client to route all packets to 10.2.2.2 not to VPN box instead of router, such as (Windows box):

route add 10.2.2.0 mask 255.255.255.0 10.1.1.2

this will resolve the problem on single-machine level. Reply packets will go:

10.1.1.90
10.1.1.2 (explicit route)
vpn (internet)
10.2.2.2

To resolve issue on the network level, you must modify router in a same matter to redirect all traffic going to 10.2.2.0 to 10.1.1.2. This way reply packet will go:

10.1.1.90
10.1.1.1
10.1.1.2
vpn (internet)
10.2.2.2

Another solution is: make your VPN box to NAT on 10.1.1.2 interface. This way for internal machines it will look as if all the traffic originates from 10.1.1.2, and replies will go to 10.1.1.2. I would advise to go through routing though, since NAT will require additional resources on VPN box for connection tracker

Pfsense 2.0.2 racoon(ipsec vpn) unreliable

For anyone looking for resolution try this reference:

http://forum.pfsense.org/index.php?topic=44895.0

"To resolve this issue disable NAT-T (when pfsense holds the public IP). If that still does not help disable DPD and set 'Negotiation Mode' in Phase 1 to main"

Best Answer

Related Solutions

Openvpn – pfSense Site-toSite VPN with OpenVPN connects but won’t route traffic

Pfsense 2.0.2 racoon(ipsec vpn) unreliable

Related Topic