OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: Nico on September 05, 2017, 11:51:04 pm

Title: OpenVPN cannot reach IPSec
Post by: Nico on September 05, 2017, 11:51:04 pm
Hello,

I have the following setup running:

- the OPNsense has a working IPsec connection to Google cloud established via public Internet
- the OPNsense provides a working OpenVPN server
- the OPNsense provides direct LAN to local servers
- the local server can reach the IPsec IP subnet
- the OpenVPN clients cannot reach the IPsec IP subnet
- the firewall itself (using interface diagnostics) can't reach the IPsec subnet (ping an IP there)
- the IPsec subnet 10.242.108.0/24 has a route installed on the firewall pointing to the WAN Gateway which should be wrong in my eyes
- a traceroute via OpenVPN shows that an attempt to reach a Google IPsec IP is routed via WAN and stops there
- a traceroute via LAN to IPSec is asked for, waiting for customer reply
- firewall permit rules are installed, the OpenVPN instances have a "permit any" but I suspect the issue to be the route

What else can I provide? Maybe someone already has an idea.


Best,
Nico
Title: Re: OpenVPN cannot reach IPSec
Post by: Nico on September 06, 2017, 11:06:57 am
A traceroute LAN -> IPSec looks good:

mtr -r -i 0.1 -c 10 10.242.108.2
Start: Wed Sep 6 05:59:10 2017
HOST: gitlab1 Loss% Snt Last Avg Best Wrst StDev
1.|-- 10.242.106.1 0.0% 10 0.2 0.2 0.2 0.4 0.0
2.|-- 10.242.108.2 0.0% 10 2.0 2.0 1.9 2.6 0.0
Title: Re: OpenVPN cannot reach IPSec
Post by: inc10521 on September 06, 2017, 11:08:34 am
Hello Nico.

Did you make a second phase 2 with the IP range from your OpenVPN network?
If not, there is no way traffic is gonna pass towards your Google IP range at the other side of your IPsec tunnel :-)
If you have any questions, please ask.

Kind regards,

Marcel
Title: Re: OpenVPN cannot reach IPSec
Post by: Nico on September 06, 2017, 12:39:22 pm
Hi,

you are right, my Phase 2 entry only contains the local LAN subnet (just too many trees in the forest :-) ). However: I don't seem to be able to put multiple networks there and can alternatively only select the physical interface adapters (WAN network, LAN network, HA network), which will most likely not contain my OpenVPN instances, I guess. How would you have multiple subnets installed at this point?

Thanks!
Title: Re: OpenVPN cannot reach IPSec
Post by: Nico on September 06, 2017, 03:35:59 pm
Replying myself: seems like I need several Phase 2 entries for that.
Title: Re: OpenVPN cannot reach IPSec
Post by: inc10521 on September 07, 2017, 05:47:33 pm
Yep, that's the right way! One phase 1 and multiple phase 2's

Let me know if you need more help. :-)
Title: Re: OpenVPN cannot reach IPSec
Post by: franco on September 09, 2017, 04:55:08 pm
Hi Nico,

Since 17.7.1, you can add "Manual SPD entries" per Phase 2:

Quote
Register additional Security Policy Database entries

Strongswan automatically creates SPD policies for the networks defined in this phase2. If you need to allow other networks to use this ipsec tunnel, you can add them here as a comma separated list. When configured, you can use network address translation to push packets through this tunnel from these networks.
e.g. 192.168.1.0/24, 192.168.2.0/24


Cheers,
Franco
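The two fixes in this thread (a second phase 2 per inc10521, or manual SPD entries on the existing phase 2 per franco) both boil down to the same thing: in policy-based IPsec, a packet is only encapsulated when some Security Policy Database selector covers both its source and destination network, otherwise it simply follows the routing table, which is why Nico's OpenVPN traffic went out the WAN. The following model of that selector lookup is an added example written for this post, not OPNsense or strongSwan code. Only 10.242.108.0/24 and the 10.242.106.x LAN come from the thread; the OpenVPN network 10.8.0.0/24, the host addresses and the phase 2 names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed example addresses. Only 10.242.108.0/24 (Google side) and the
# 10.242.106.0/24 LAN (gateway 10.242.106.1 in Nico's mtr output) come from
# the thread; the OpenVPN network and host addresses are assumptions.
LAN_NET = ipaddress.ip_network("10.242.106.0/24")
OVPN_NET = ipaddress.ip_network("10.8.0.0/24")        # assumed OpenVPN tunnel network
GOOGLE_NET = ipaddress.ip_network("10.242.108.0/24")  # remote IPsec subnet from the thread

Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network, str]


@dataclass(frozen=True)
class Phase2:
    """One IPsec phase 2 as OPNsense exposes it: a local and a remote network,
    plus optional 'manual SPD entries' (extra local networks, 17.7.1 and later)."""
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    manual_spd: Tuple[ipaddress.IPv4Network, ...] = ()


def build_spd(phase2s: List[Phase2]) -> List[Selector]:
    """Model the outbound Security Policy Database strongSwan installs:
    one (src, dst) selector per phase 2, plus one per manual SPD entry."""
    spd: List[Selector] = []
    for p2 in phase2s:
        spd.append((p2.local, p2.remote, p2.name))
        for extra in p2.manual_spd:
            spd.append((extra, p2.remote, p2.name))
    return spd


def classify(spd: List[Selector], src: str, dst: str) -> str:
    """Policy-based IPsec: a packet is encapsulated only if some selector
    covers both its source and its destination. Anything else follows the
    ordinary routing table, which for 10.242.108.0/24 in the thread meant the
    WAN default gateway and a traceroute that died there."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, name in spd:
        if s in src_net and d in dst_net:
            return f"ipsec:{name}"
    return "route:WAN"


def scenarios() -> dict:
    """Reproduce the symptom and both fixes; returns a dict so the outcome
    can be checked rather than only printed."""
    lan_host, ovpn_client, google_host = "10.242.106.10", "10.8.0.6", "10.242.108.2"

    # As Nico first had it: a single phase 2 carrying only the LAN.
    before = build_spd([Phase2("lan-to-gcp", LAN_NET, GOOGLE_NET)])

    # Fix 1 (inc10521): one phase 1, a second phase 2 for the OpenVPN network.
    two_p2 = build_spd([
        Phase2("lan-to-gcp", LAN_NET, GOOGLE_NET),
        Phase2("ovpn-to-gcp", OVPN_NET, GOOGLE_NET),
    ])

    # Fix 2 (franco): keep one phase 2 and register the OpenVPN network on it
    # as a manual SPD entry.
    manual = build_spd([
        Phase2("lan-to-gcp", LAN_NET, GOOGLE_NET, manual_spd=(OVPN_NET,)),
    ])

    return {
        "before_lan": classify(before, lan_host, google_host),
        "before_ovpn": classify(before, ovpn_client, google_host),
        "two_p2_ovpn": classify(two_p2, ovpn_client, google_host),
        "manual_spd_ovpn": classify(manual, ovpn_client, google_host),
    }


if __name__ == "__main__":
    for scenario, result in scenarios().items():
        print(f"{scenario:16} -> {result}")
```

Two practical caveats follow from the model. First, the selector check is local: the peer (here Google's side) only accepts traffic whose source is inside the traffic selector it was configured with, so a new local network either has to be added on both ends or, as the help text quoted above hints, source-NATed onto the network the peer already knows. Second, the firewall's own diagnostics ping is subject to the same check; if it is sourced from an interface address that no phase 2 covers, it takes the WAN route just like the OpenVPN clients did, which is consistent with the failed ping Nico reported in the first post.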
Title: Re: OpenVPN cannot reach IPSec
Post by: Nico on September 10, 2017, 12:51:05 pm
Hehe, great timing for me and my problem, we will definitely test that - thanks!