RE: [pfSense Support] Route OpenVPN client requests through IPSec tunnel

2010-01-28 Thread Nathan Eisenberg
I'm betting that the machines in the other office do not have a route to get to 
10.99.99.0.  Add a static route to the remote office gateway/IPSec router, 
sending traffic bound for 10.99.99.0/x to your OpenVPN server.  The OpenVPN 
server will know where to send the traffic from there.

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com

From: Chris Roubekas [mailto:croube...@cnr-web.com]
Sent: Thursday, January 28, 2010 1:00 AM
To: support@pfsense.com
Subject: [pfSense Support] Route OpenVPN client requests through IPSec tunnel

Dear all,

I have recently managed to create an IPSec tunnel between my office and another 
one of the same company.

The network topology is as follows:

MyOffice:


pfSense: LAN 10.100.100.0/255.255.255.0
         WAN: 10.100.99.0/255.255.255.0 (connects to router for internet)
IPSec tunnel: 192.168.20.0/255.255.255.0 (this is the LAN of the other office. I can ping these machines from my local LAN).

RoadWarrior OpenVPN (administered by pfSense).
IP Range: 10.99.99.0

So far RoadWarrior clients can connect to the VPN and use all services on my 
local LAN. The problem is I need the road warrior clients to be able to use the 
machine of the IPSec Tunnel (192.168.20.0) as well.

Any good ideas??
C.




RE: [pfSense Support] Route OpenVPN client requests through IPSec tunnel

2010-01-28 Thread Remko Lodder

On Thu, January 28, 2010 11:31 am, Nathan Eisenberg wrote:
> I'm betting that the machines in the other office do not have a route to
> get to 10.99.99.0.  Add a static route to the remote office gateway/IPSec
> router, sending traffic bound for 10.99.99.0/x to your OpenVPN server.
> The OpenVPN server will know where to send the traffic from there.
>

Also, do not forget to add it to the Phase2 negotiations. If you are not
exporting the 10.99.99.x network as being "behind the tunnel" (from the
satellite location), then you can route it through the tunnel, but it won't
work. (This might be different if you are securing the link between the
machines; this likely needs a gif/gre interface, which can be used for
routing).

Cheers,
Remko

-- 
/"\   Best regards,                | re...@freebsd.org
\ /   Remko Lodder                 | re...@efnet
 X    http://www.evilcoder.org/    |
/ \   ASCII Ribbon Campaign        | Against HTML Mail and News


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



RE: [pfSense Support] Route OpenVPN client requests through IPSec tunnel

2010-01-28 Thread Chris Roubekas
I was told that NATing my OpenVPN clients to local LAN IP would do the trick
of avoiding the routing from the far side (as far side is not under my
authority).
Can anyone tell me how to do this in pfSense??
C.


RE: [pfSense Support] Route OpenVPN client requests through IPSec tunnel

2010-01-28 Thread Nathan Eisenberg
I don't know if it's possible.  It's certainly not the right way to do it, 
IMHO.  The other side's administrator really just needs to create a static 
route or accept RIP/BGP/whatever packets from you, so that his router knows how 
to get to your openVPN network.  It might not be under your authority, but you 
at least have enough of a relationship to have an IPSec tunnel, which means 
that something standard like adding a route isn't really out of the question.

It's a simple route problem - don't make it complicated by adding NAT.  If 
you're set on it, or if the other administrator won't work with you, add a NAT 
rule to make traffic originating from your openVPN network appear to come from 
the router's IPSEC address.

Best Regards,
Nathan Eisenberg



Re: [pfSense Support] Route OpenVPN client requests through IPSec tunnel

2010-01-28 Thread Chris Buechler
On Thu, Jan 28, 2010 at 3:20 PM, Chris Roubekas  wrote:
> I was told that NATing my OpenVPN clients to local LAN IP would do the trick
> of avoiding the routing from the far side (as far side is not under my
> authority).
> Can anyone tell me how to do this in pfSense??

Yes but that's a hack. I'm not sure if it would work in combination
with IPsec, I know it works for routing traffic into the LAN, or
across other OpenVPN connections. If you add outbound NAT on LAN for
the source of the OpenVPN IPs it'll work for traffic going into LAN,
not sure about traffic leaving over IPsec.

You never add static routes in combination with IPsec (short of the
one exclusion for traffic initiated by the firewall itself detailed in
the FAQ), they won't do anything, traffic must match the SPD which is
strictly what you configure in the tunnel local/remote.

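
As an added illustration of the SPD point made in the message above (not code from the thread or from pfSense): a small Python model of Phase 2 selector matching using the thread's subnets. The /24 on the OpenVPN range, the sample host addresses and the reserved LAN address `10.100.100.250` are assumptions, and the model treats source NAT as applied before the SPD lookup, which the thread does not confirm for pfSense.

```python
import ipaddress as ip

LAN = ip.ip_network("10.100.100.0/24")      # local LAN (from the thread)
REMOTE = ip.ip_network("192.168.20.0/24")   # remote office LAN (from the thread)
OPENVPN = ip.ip_network("10.99.99.0/24")    # assumption: thread gives no mask
NAT_IP = "10.100.100.250"                   # hypothetical reserved LAN address


def negotiated(local_spd, peer_spd):
    """Phase 2 entries both ends agree on (the peer's view is mirrored)."""
    return [(l, r) for (l, r) in local_spd if (r, l) in peer_spd]


def outbound(src, dst, local_spd, peer_spd, snat=None):
    """Return how the local firewall handles a packet src -> dst.

    snat is (source_network, translated_ip) and is modelled as applied before
    the SPD lookup; that ordering is an assumption of this sketch.
    A static route plays no part: only the selectors decide.
    """
    if snat and ip.ip_address(src) in snat[0]:
        src = snat[1]
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for local, remote in negotiated(local_spd, peer_spd):
        if s in local and d in remote:
            return f"ipsec:{src}"
    return "no-spd-match"


def scenarios():
    base_local, base_peer = [(LAN, REMOTE)], [(REMOTE, LAN)]
    client, server = "10.99.99.6", "192.168.20.10"   # constructed sample hosts
    extra_local = base_local + [(OPENVPN, REMOTE)]
    return {
        # LAN host: covered by the existing tunnel definition.
        "lan_host": outbound("10.100.100.50", server, base_local, base_peer),
        # Road warrior: source is outside the local selector.
        "vpn_client": outbound(client, server, base_local, base_peer),
        # Extra Phase 2 entry added on one side only: nothing is negotiated.
        "phase2_one_sided": outbound(client, server, extra_local, base_peer),
        # Extra Phase 2 entry configured on both ends.
        "phase2_both_sides": outbound(
            client, server, extra_local, base_peer + [(REMOTE, OPENVPN)]),
        # Source NAT to a LAN address, existing tunnel unchanged.
        "source_nat": outbound(client, server, base_local, base_peer,
                               snat=(OPENVPN, NAT_IP)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18} {result}")
```
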



RE: [pfSense Support] Route OpenVPN client requests through IPSec tunnel

2010-02-04 Thread Chris Roubekas
Ok.
 
Had a chat with the other admin and apparently he is pretty stubborn and
honestly I don't really feel like exchanging any more ideas with him..
Can someone please assist me with steps on how to nat my OpenVPN users
through a LAN IP (which I am going to reserve for this reason) so that I
can finally connect them through the tunnel??
 
Thank you tons for all of your help and your understanding to this "crazy"
world that I am living in.
 
C.


Re: [pfSense Support] Route OpenVPN client requests through IPSec tunnel

2010-02-22 Thread Nate Osborne
I did this by setting up a 2nd pfSense box on a public IP on the DMZ
interface of my primary pfSense.  The secondary one runs OpenVPN only, for
clients that need to connect across the IPSec tunnel running on the primary
pfSense.  The local network range of my IPSec tunnel is the WAN interface of
my secondary pfSense.  OpenVPN clients get an IP in whatever private range I
choose, and the secondary pfSense box handles the NATing automatically.

I'd still like to be able to route local OpenVPN clients over an IPSec
tunnel--I haven't got that working either.  Can anyone give an example with
more details of how they are successfully getting OpenVPN clients routed
over an IPSec tunnel without using a second box like this?

Thanks,
Nate
