[SOLVED] OpenVPN traffic not routed over IPsec site2site tunnel

Started by clownschiff, May 24, 2024, 11:07:39 AM

Hi all,

I have a problem with a firewall setup and don't know exactly how to solve this.

There is an OPNsense firewall (B) doing client VPN via OpenVPN. The firewall (B) also has an IPsec site2site tunnel to a different location (A). The problem is that the traffic coming from the OpenVPN net is not routed over the site2site tunnel if the target is in the remote location (A).

[Location A] <----- IPsec site2site -----> [Location B OPNsense] <----- OpenVPN clients

Location A:
- 192.168.50.0/24

Location B:
- 192.168.248.0/24

OpenVPN net:
- 10.200.13.0/24
- pushed routes 192.168.50.0/24,192.168.248.0/24

If I ping a host on location B from the OpenVPN client it works. If I ping a host on location A the packet is directly routed over the WAN interface of the OPNsense and never enters the IPsec tunnel.

Can someone help me identify this problem?

Is the OpenVPN network part of the phase 2 SA on both sides of the VPN tunnel?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thank you for your reply!

It isn't at the moment. My idea was to use outbound NAT for the OpenVPN net with the LAN IP to bypass this, because I have no access to the firewall on location A. Is this a bad idea or even possible?

The policy-based routing decision is made before NAT is applied. You need to add a manual SPD entry on your side.

Thank you very much for your input!

I have set up a test connection (location B to location C) with an IPsec site2site tunnel to see what is going on on the other side (C). The SPD entry worked and the traffic was routed through the tunnel, although the traffic never reached the LAN interface on location C. So pinging firewall C didn't work, although the firewall rules would allow it.

When I add a normal Phase 2 entry for the OpenVPN net it works though. Am I missing something with the SPD entry?

I have a very similar setup, only difference being I use WireGuard instead of OpenVPN.

See screenshots - the key part is the manual ReqID that must match. It tells the system which phase 2 SA the manual SPD entry should be piggybacked on.
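The order of operations described in the replies above (the SPD lookup sees the pre-NAT source, a manual entry borrows the reqid of a negotiated phase 2 SA, and the peer checks decrypted traffic against its own policies), as an added toy model in Python; it is not code from the thread or from OPNsense, and the Policy class, reqid value 1 and the NAT address are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One SPD entry: local selector, remote selector, and the reqid that
    ties it to a phase 2 SA (a manual entry must reuse the SA's reqid)."""
    src: str
    dst: str
    reqid: int


def _in(net: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def egress_decision(src_ip: str, dst_ip: str, spd, nat=None):
    """Decide where an outbound packet goes on the local firewall (B).

    Returns ("ipsec", reqid) when an SPD entry matches, else ("wan", source
    address as it leaves). The SPD lookup sees the ORIGINAL source; outbound
    NAT (nat = (matching_net, translated_ip)) is applied only afterwards, so
    NATing the OpenVPN net to the LAN address cannot pull it into the tunnel.
    """
    for pol in spd:
        if _in(pol.src, src_ip) and _in(pol.dst, dst_ip):
            return ("ipsec", pol.reqid)
    if nat and _in(nat[0], src_ip):
        return ("wan", nat[1])
    return ("wan", src_ip)


def remote_accepts(src_ip: str, dst_ip: str, remote_spd) -> bool:
    """The peer matches decrypted packets against ITS inbound policies. An
    entry added on B alone installs nothing on the peer; a negotiated phase 2
    installs the mirrored entry on both ends."""
    return any(_in(p.dst, src_ip) and _in(p.src, dst_ip) for p in remote_spd)


# Constructed sample SPDs using the thread's subnets; reqid 1 is assumed.
B_PHASE2 = Policy("192.168.248.0/24", "192.168.50.0/24", reqid=1)
B_MANUAL = Policy("10.200.13.0/24", "192.168.50.0/24", reqid=1)    # manual SPD on B
A_PHASE2 = Policy("192.168.50.0/24", "192.168.248.0/24", reqid=1)  # A's mirror of B_PHASE2
A_FOR_OVPN = Policy("192.168.50.0/24", "10.200.13.0/24", reqid=1)  # only if A adds it
OVPN_NAT = ("10.200.13.0/24", "192.168.248.1")  # OpenVPN net NATed to B's LAN IP (assumed)

if __name__ == "__main__":
    print(egress_decision("10.200.13.5", "192.168.50.5", [B_PHASE2], OVPN_NAT))
    print(egress_decision("10.200.13.5", "192.168.50.5", [B_PHASE2, B_MANUAL]))
    print(remote_accepts("10.200.13.5", "192.168.50.5", [A_PHASE2]))
```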

Thank you very much. That worked!

I still used the legacy GUI for the IPsec tunnel (shame on me), but I reconfigured it in the new interface with your settings and now it works.

Thank you! :)