Author Topic: OpenVPN cannot reach IPSec  (Read 4862 times)

Nico

OpenVPN cannot reach IPSec
« on: September 05, 2017, 11:51:04 pm »
Hello,

I have the following setup running:

- the OPNsense has a working IPsec connection to Google cloud established via the public Internet
- the OPNsense provides a working OpenVPN server
- the OPNsense provides direct LAN to local servers
- the local server can reach the IPsec IP subnet
- the OpenVPN clients cannot reach the IPsec IP subnet
- the firewall itself (using interface diagnostics) can't reach the IPsec subnet (ping an IP there)
- the IPsec subnet 10.242.108.0/24 has a route installed on the firewall pointing to the WAN Gateway which should be wrong in my eyes
- a traceroute via OpenVPN shows that an attempt to reach a Google IPsec IP is routed via WAN and stops there
- a traceroute via LAN to IPSec is asked for, waiting for customer reply
- firewall permit rules are installed, the OpenVPN instances have a "permit any" but I suspect the issue to be the route

What else can I provide? Maybe someone already has an idea.


Best,
Nico

Nico

Re: OpenVPN cannot reach IPSec
« Reply #1 on: September 06, 2017, 11:06:57 am »
A traceroute LAN -> IPSec looks good:

mtr -r -i 0.1 -c 10 10.242.108.2
Start: Wed Sep 6 05:59:10 2017
HOST: gitlab1                Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.242.106.1          0.0%    10    0.2   0.2   0.2   0.4   0.0
  2.|-- 10.242.108.2          0.0%    10    2.0   2.0   1.9   2.6   0.0

inc10521

Re: OpenVPN cannot reach IPSec
« Reply #2 on: September 06, 2017, 11:08:34 am »
Hello Nico.

Did you make a second phase 2 with the IP range from your OpenVPN network?
If not, there is no way traffic is gonna pass towards your Google IP range at the other side of your IPsec tunnel :-)
If you have any questions, please ask.

Kind regards,

Marcel

Nico

Re: OpenVPN cannot reach IPSec
« Reply #3 on: September 06, 2017, 12:39:22 pm »
Hi,

you are right, my Phase 2 entry only contains the local LAN subnet (just too many trees in the forest :-) ). However: I don't seem to be able to put multiple networks there and can alternatively only select the physical interface adapters (WAN network, LAN network, HA network), which will most likely not contain my OpenVPN instances, I guess. How would you have multiple subnets installed at this point?

Thanks!

Nico

Re: OpenVPN cannot reach IPSec
« Reply #4 on: September 06, 2017, 03:35:59 pm »
Replying myself: seems like I need several Phase 2 entries for that.

inc10521

Re: OpenVPN cannot reach IPSec
« Reply #5 on: September 07, 2017, 05:47:33 pm »
Yep, that's the right way! One phase 1 and multiple phase 2s.

Let me know if you need more help. :-)

franco

Re: OpenVPN cannot reach IPSec
« Reply #6 on: September 09, 2017, 04:55:08 pm »
Hi Nico,

Since 17.7.1, you can add "Manual SPD entries" per Phase 2:

Quote
Register additional Security Policy Database entries

Strongswan automatically creates SPD policies for the networks defined in this phase2. If you need to allow other networks to use this ipsec tunnel, you can add them here as a comma separated list. When configured, you can use network address translation to push packets through this tunnel from these networks.
e.g. 192.168.1.0/24, 192.168.2.0/24


Cheers,
Franco
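The thread's root cause is easy to reason about once the tunnel is seen as a set of kernel SPD selectors rather than routes: with policy-based IPsec the routing table legitimately points 10.242.108.0/24 at the WAN gateway, and a packet is only encapsulated if its source and destination match a phase 2 selector on the way out; anything else (an OpenVPN client address, or a ping the firewall sources from its WAN address) simply follows that route in the clear and dies at the WAN, exactly what Nico's traceroute showed. The following Python model is an added example, not code from this thread, from OPNsense or from strongSwan. It flattens one phase 1 with several phase 2 entries into selector tuples, adds the 17.7.1 "manual SPD entries" as NAT-requiring selectors (the `manual_spd` field name is ours), and classifies flows and whole source networks against them. 10.242.108.0/24 is the Google-side subnet from the thread; 10.242.106.0/24 is assumed from the LAN gateway 10.242.106.1 in the mtr output; the OpenVPN pool 10.8.0.0/24 is invented for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Phase2:
    """One phase 2 (child SA) under a single phase 1, as configured in OPNsense."""
    name: str
    local: IPv4Network        # "Local Network" traffic selector
    remote: IPv4Network       # "Remote Network" traffic selector
    # Source networks registered as manual SPD entries (17.7.1+). They ride the
    # tunnel only when NATed to an address inside `local`. Field name is ours.
    manual_spd: List[IPv4Network] = field(default_factory=list)


# (src selector, dst selector, phase 2 name, NAT required)
SpdEntry = Tuple[IPv4Network, IPv4Network, str, bool]


def build_spd(phase2s: List[Phase2]) -> List[SpdEntry]:
    """Flatten the phase 2 list into the selectors strongSwan installs in the kernel SPD."""
    spd: List[SpdEntry] = []
    for p2 in phase2s:
        spd.append((p2.local, p2.remote, p2.name, False))
        for extra in p2.manual_spd:
            spd.append((extra, p2.remote, p2.name, True))
    return spd


def classify(spd: List[SpdEntry], src: str, dst: str) -> Tuple[str, Optional[str], bool]:
    """Decide what the kernel does with a packet src -> dst.

    ('ipsec', <phase 2 name>, nat_needed) when a selector matches; otherwise
    ('route', None, False): the packet is sent in the clear along the routing
    table, which is the symptom in the thread (traceroute stops at the WAN).
    """
    s, d = ip_address(src), ip_address(dst)
    for local, remote, name, nat in spd:
        if s in local and d in remote:
            return ("ipsec", name, nat)
    return ("route", None, False)


def uncovered_sources(spd: List[SpdEntry], source_nets: List[IPv4Network],
                      remote: IPv4Network) -> List[IPv4Network]:
    """Return the source networks that no selector carries towards `remote` in full."""
    missing = []
    for net in source_nets:
        covered = any(net.subnet_of(local) and remote.subnet_of(rem)
                      for local, rem, _, _ in spd)
        if not covered:
            missing.append(net)
    return missing


# --- Constructed topology (see lead-in for which values come from the thread) ---
GCP_NET = ip_network("10.242.108.0/24")   # remote side of the IPsec tunnel
LAN_NET = ip_network("10.242.106.0/24")   # assumed from gateway 10.242.106.1
OVPN_NET = ip_network("10.8.0.0/24")      # invented OpenVPN tunnel pool

# Nico's original state: a single phase 2 for the LAN only.
PHASE2_ORIGINAL = [Phase2("lan-to-gcp", LAN_NET, GCP_NET)]

# The fix agreed in the thread: one phase 1, a second phase 2 for the OpenVPN pool.
PHASE2_FIXED = PHASE2_ORIGINAL + [Phase2("ovpn-to-gcp", OVPN_NET, GCP_NET)]

# The 17.7.1 alternative: keep one phase 2 and register the pool as a manual SPD
# entry, combined with a NAT rule that maps it into the LAN selector.
PHASE2_MANUAL_SPD = [Phase2("lan-to-gcp", LAN_NET, GCP_NET, manual_spd=[OVPN_NET])]


if __name__ == "__main__":
    for label, p2s in (("original", PHASE2_ORIGINAL),
                       ("second phase 2", PHASE2_FIXED),
                       ("manual SPD", PHASE2_MANUAL_SPD)):
        spd = build_spd(p2s)
        print(f"[{label}] OpenVPN client 10.8.0.6 -> 10.242.108.2:",
              classify(spd, "10.8.0.6", "10.242.108.2"))
        print(f"[{label}] sources not carried:",
              [str(n) for n in uncovered_sources(spd, [LAN_NET, OVPN_NET], GCP_NET)])
```

Running the script with the original configuration reports the OpenVPN pool as the one source network not carried, which is the check to run (against the real phase 2 list) before suspecting routes or firewall rules; the same check on the firewall itself explains why a diagnostics ping only succeeds when it is sourced from an address inside a covered local selector.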

Nico

Re: OpenVPN cannot reach IPSec
« Reply #7 on: September 10, 2017, 12:51:05 pm »
Hehe, great timing for me and my problem, we will definitely test that - thanks!