Discussion:
[pfSense] Route OpenVPN traffic to the available IPSec tunnels
Lorenzo Milesi
2014-12-24 11:15:54 UTC
Hi. Is it possible to route OpenVPN clients to the available IPSec routes?

I currently have 3 IPSec tunnels on my pfSense, and seldom I need to access those routes outside my office. Is it possible to do so?
In my firewall rules I have no restrictions, all traffic is allowed. I tried adding the route manually but apparently this is not enough because pfSense won't route my packets to the tunnel. Has this something to do with IPSec's phase2 entry?

thanks
--
Lorenzo Milesi - ***@yetopen.it

YetOpen S.r.l. - http://www.yetopen.it/
Chris Buechler
2014-12-26 21:59:08 UTC
Post by Lorenzo Milesi
Hi. Is it possible to route OpenVPN clients to the available IPSec routes?
I currently have 3 IPSec tunnels on my pfSense, and seldom I need to access those routes outside my office. Is it possible to do so?
In my firewall rules I have no restrictions, all traffic is allowed. I tried adding the route manually but apparently this is not enough because pfSense won't route my packets to the tunnel. Has this something to do with IPSec's phase2 entry?
Yes, the P2 must match local+remote on both ends for the OpenVPN
tunnel network in order for the traffic to go across.
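The point of this answer is that policy-based IPsec picks traffic by the Phase 2 selectors, not by the routing table, so a manually added route does nothing unless a P2 covering the OpenVPN tunnel network exists on both ends with local and remote swapped. The following checker is an added example, not from the thread or from pfSense; subnets and the exact-match rule for the peer's selectors are assumptions.

```python
import ipaddress

# A Phase 2 entry as seen from one side: (local subnet, remote subnet).
def p2(local, remote):
    return (ipaddress.ip_network(local), ipaddress.ip_network(remote))

def matching_p2(entries, src, dst):
    """Return the first P2 whose selectors cover src -> dst, else None.
    This is the SPD lookup: only packets matching a selector enter the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in entries:
        if s in local and d in remote:
            return (local, remote)
    return None

def mirrored(peer_entries, entry):
    """The peer must carry the same pair with local/remote swapped (assumed
    exact match, as with IKEv1); otherwise the SA never negotiates."""
    local, remote = entry
    return any(pl == remote and pr == local for pl, pr in peer_entries)

def path_ok(site_a, site_b, src, dst):
    """True only if site A has a selector for src->dst and site B mirrors it."""
    entry = matching_p2(site_a, src, dst)
    return entry is not None and mirrored(site_b, entry)

# Constructed sample: office LAN, OpenVPN tunnel net, and one remote LAN.
OFFICE_LAN, OVPN_NET, REMOTE_LAN = "192.168.1.0/24", "10.8.0.0/24", "192.168.50.0/24"
SITE_A = [p2(OFFICE_LAN, REMOTE_LAN)]        # pfSense at the office
SITE_B = [p2(REMOTE_LAN, OFFICE_LAN)]        # peer at the remote site
OVPN_P2_A = p2(OVPN_NET, REMOTE_LAN)         # extra P2 needed at the office
OVPN_P2_B = p2(REMOTE_LAN, OVPN_NET)         # its mirror at the remote site

def check_scenarios(src="10.8.0.6", dst="192.168.50.10"):
    """Road-warrior client src reaching a host behind the remote tunnel."""
    return {
        "lan_only": path_ok(SITE_A, SITE_B, src, dst),                 # False
        "one_sided": path_ok(SITE_A + [OVPN_P2_A], SITE_B, src, dst),  # False
        "both_ends": path_ok(SITE_A + [OVPN_P2_A], SITE_B + [OVPN_P2_B], src, dst),  # True
    }

if __name__ == "__main__":
    for name, ok in check_scenarios().items():
        print(f"{name}: {'traffic enters tunnel' if ok else 'dropped / not encrypted'}")
```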
Bryan D.
2014-12-26 23:43:32 UTC
Post by Lorenzo Milesi
Hi. Is it possible to route OpenVPN clients to the available IPSec routes?
I currently have 3 IPSec tunnels on my pfSense, and seldom I need to access those routes outside my office. Is it possible to do so?
In my firewall rules I have no restrictions, all traffic is allowed. I tried adding the route manually but apparently this is not enough because pfSense won't route my packets to the tunnel. Has this something to do with IPSec's phase2 entry?
See "5. Routing OpenVPN through IPSec VPN on pfSense" at
http://www.derman.com/blogs/IPSec-VPN-Firewall-Setup#RouteOpenVPNthruIPsec

(same approach required if multiple LANs are involved and one or more systems/subnets require access to multiple remotely located LANs)