OPNsense Forum » English Forums » General Discussion
[SOLVED] OpenVPN traffic not routed over IPsec site2site tunnel
clownschiff, May 24, 2024, 11:07:39 am
Hi all,
I have a problem with a firewall setup and don't know exactly how to solve this.
There is an OPNsense firewall (B) doing client VPN via OpenVPN. The firewall (B) also has an IPsec site2site tunnel to a different location (A). The problem is that the traffic coming from the OpenVPN net is not routed over the site2site tunnel if the target is in the remote location (A).
[Location A] <----- IPsec site2site -----> [Location B OPNsense] <----- OpenVPN clients
Location A:
- 192.168.50.0/24
Location B:
- 192.168.248.0/24
OpenVPN net:
- 10.200.13.0/24
- pushed routes 192.168.50.0/24,192.168.248.0/24
If I ping a host on location B from the OpenVPN client it works. If I ping a host on location A the packet is directly routed over the WAN interface of the OPNsense and never enters the IPsec tunnel.
Can someone help me identify this problem?
Last Edit: May 24, 2024, 03:00:12 pm by clownschiff
Patrick M. Hausen, Reply #1 on May 24, 2024, 11:32:44 am
Is the OpenVPN network part of the phase 2 SA on both sides of the VPN tunnel?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
clownschiff, Reply #2 on May 24, 2024, 11:42:14 am
Thank you for your reply!
It isn't at the moment. My idea was to use outbound NAT for the OpenVPN net with the LAN IP to bypass this, because I have no access to the firewall on location A. Is this a bad idea or even possible?
Patrick M. Hausen, Reply #3 on May 24, 2024, 12:38:44 pm
The policy based routing decision is made before NAT is applied. You need to add a manual SPD entry on your side.
clownschiff, Reply #4 on May 24, 2024, 01:28:40 pm
Thank you very much for your input!
I have set up a test connection (location B to location C) with an IPsec site2site tunnel to see what is going on the other side (C). The SPD entry worked and the traffic was routed through the tunnel, although the traffic never reached the LAN interface on location C. So pinging the firewall C didn't work, although the firewall rules would allow it.
When I add a normal Phase 2 entry for the OpenVPN net it works though. Am I missing something with the SPD entry?
Patrick M. Hausen, Reply #5 on May 24, 2024, 01:43:57 pm
I have a very similar setup, only difference being I use WireGuard instead of OpenVPN.
See screenshots - the key part is the manual ReqID that must match. It tells the system which phase 2 SA the manual SPD entry should be piggybacked on.
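The two points made in this thread (the IPsec policy decision is taken on the original source address before outbound NAT, and a manual SPD entry must carry the reqid of the phase 2 SA it piggybacks on) can be modelled with the networks from the first post. This is an added illustration, not code from the thread or from OPNsense; the reqid value 1, the NAT address 192.168.248.1 and the simplified lookup order are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One SPD entry: traffic selectors plus the reqid of the phase 2 SA it uses."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    reqid: int


# Networks taken from the thread.
LOC_A = ipaddress.ip_network("192.168.50.0/24")    # remote site behind the IPsec tunnel
LOC_B = ipaddress.ip_network("192.168.248.0/24")   # LAN of the OPNsense running OpenVPN
OVPN = ipaddress.ip_network("10.200.13.0/24")      # OpenVPN client pool

# Only phase 2 SA negotiated with site A: LAN B <-> LAN A (reqid 1 is assumed).
PHASE2 = [Policy(LOC_B, LOC_A, reqid=1)]

# Manual SPD entry with the same reqid, so the existing SA carries OpenVPN sources.
MANUAL_SPD = Policy(OVPN, LOC_A, reqid=1)

# The outbound NAT idea from the thread: hide OpenVPN clients behind a LAN address (assumed).
NAT_TO_LAN_IP = [(OVPN, "192.168.248.1")]


def spd_lookup(policies, src, dst):
    """First policy whose selectors cover (src, dst), or None (plain routing)."""
    for p in policies:
        if src in p.src and dst in p.dst:
            return p
    return None


def forward(policies, nat_rules, src_ip, dst_ip):
    """Simplified model of the order described in Reply #3: SPD match on the
    untranslated source first, outbound NAT afterwards.
    Returns (exit_path, reqid_or_None, source_address_as_sent)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    hit = spd_lookup(policies, src, dst)        # decided on the original source
    for match_net, translated in nat_rules:     # NAT cannot revisit that decision
        if src in match_net:
            src = ipaddress.ip_address(translated)
            break
    if hit is None:
        return ("PLAIN_ROUTING", None, str(src))  # routing table, i.e. WAN for site A
    return ("IPSEC", hit.reqid, str(src))


if __name__ == "__main__":
    print(forward(PHASE2, [], "10.200.13.5", "192.168.50.10"))                  # plain routing
    print(forward(PHASE2, NAT_TO_LAN_IP, "10.200.13.5", "192.168.50.10"))       # still plain routing
    print(forward(PHASE2 + [MANUAL_SPD], [], "10.200.13.5", "192.168.50.10"))   # IPsec, reqid 1
```

The middle case shows why NAT alone leaves OpenVPN pings on the WAN path; the last case is the manual SPD entry with a matching reqid.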
clownschiff, Reply #6 on May 24, 2024, 02:59:54 pm
Thank you very much. That worked!
I still used the legacy GUI for the IPsec tunnel (shame on me), but I reconfigured it in the new interface with your settings and now it works.
Thank you!