I did this by setting up a 2nd pfSense box on a public IP on the DMZ
interface of my primary pfSense.  The secondary one runs OpenVPN only, for
clients that need to connect across the IPSec tunnel running on the primary
pfSense.  The local network range of my IPSec tunnel is the WAN interface of
my secondary pfSense.  OpenVPN clients get an IP in whatever private range I
choose, and the secondary pfSense box handles the NATing automatically.

I'd still like to be able to route local OpenVPN clients over an IPSec
tunnel--I haven't got that working either.  Can anyone give an example with
more details of how they are successfully getting OpenVPN clients routed
over an IPSec tunnel without using a second box like this?

Thanks,
Nate
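Added example (my own, not from anyone in this thread): a small Python model of the two approaches discussed below, an extra phase 2 selector versus outbound NAT, using the subnets quoted in the thread; the pfSense LAN address 10.100.100.1 used as the NAT source is an assumption.

```python
from ipaddress import ip_address, ip_network

# Networks quoted in the thread.
LAN = ip_network("10.100.100.0/24")      # MyOffice LAN
OVPN = ip_network("10.99.99.0/24")       # road-warrior OpenVPN pool
REMOTE = ip_network("192.168.20.0/24")   # far-side LAN
# Assumed: the pfSense LAN address used as the NAT source (not in the thread).
PFSENSE_LAN_IP = ip_address("10.100.100.1")

# Phase 2 selectors as (local_net, remote_net) pairs; the far side must
# configure the mirror image or it will drop the traffic.
P2_ORIGINAL = [(LAN, REMOTE)]
P2_WITH_OVPN = [(LAN, REMOTE), (OVPN, REMOTE)]
# Outbound NAT on the IPsec path: (src_net, dst_net, translate_to).
NAT_OVPN = [(OVPN, REMOTE, PFSENSE_LAN_IP)]


def outbound_nat(src, dst, nat_rules):
    """Apply the first matching NAT rule; return the source the tunnel sees."""
    for src_net, dst_net, translate_to in nat_rules:
        if src in src_net and dst in dst_net:
            return translate_to
    return src


def ipsec_selects(src, dst, phase2):
    """A packet enters the tunnel only if some phase 2 pair covers src and dst."""
    return any(src in local and dst in remote for local, remote in phase2)


def reaches_remote(src, dst, phase2, nat_rules=()):
    """Return (enters_tunnel, source_seen_by_far_side).

    A packet that matches no selector is not dropped by IPsec; it follows
    the default route out of the WAN with a private source, where it dies.
    """
    src, dst = ip_address(src), ip_address(dst)
    seen = outbound_nat(src, dst, nat_rules)
    if not ipsec_selects(seen, dst, phase2):
        return False, None
    return True, str(seen)


if __name__ == "__main__":
    host = "192.168.20.10"
    print(reaches_remote("10.99.99.6", host, P2_ORIGINAL))            # (False, None)
    print(reaches_remote("10.99.99.6", host, P2_WITH_OVPN))           # (True, '10.99.99.6')
    print(reaches_remote("10.99.99.6", host, P2_ORIGINAL, NAT_OVPN))  # (True, '10.100.100.1')
```

With the NAT variant the far side only ever sees 10.100.100.1, so its firewall logs can no longer tell individual road-warrior clients apart; that loss of accountability is one reason to prefer the routing fix when the other administrator will cooperate.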

On Thu, Feb 4, 2010 at 11:53 AM, Chris Roubekas <croube...@cnr-web.com> wrote:

> Ok.
>
> Had a chat with the other admin and apparently he is pretty stubborn and
> honestly I don't really feel like exchanging any more ideas with him.
> Can someone please assist me with steps on how to NAT my OpenVPN users
> through a LAN IP (which I am going to reserve for this reason) so that I
> can finally connect them through the tunnel?
>
> Thank you tons for all of your help and your understanding to this "crazy"
> world that I am living in.
>
> C.
>
>  ------------------------------
> *From:* Nathan Eisenberg [mailto:nat...@atlasnetworks.us]
> *Sent:* Thursday, January 28, 2010 11:28 PM
>
> *To:* support@pfsense.com
> *Subject:* RE: [pfSense Support] Route OpenVPN client requests through
> IPSec tunnel
>
> I don't know if it's possible.  It's certainly not the right way to do
> it, IMHO.  The other side's administrator really just needs to create a
> static route or accept RIP/BGP/whatever packets from you, so that his router
> knows how to get to your OpenVPN network.  It might not be under your
> authority, but you at least have enough of a relationship to have an IPSec
> tunnel, which means that something standard like adding a route isn't really
> out of the question.
>
> It's a simple route problem; don't make it complicated by adding NAT.  If
> you're set on it, or if the other administrator won't work with you, add a
> NAT rule to make traffic originating from your OpenVPN network appear to
> come from the router's IPsec address.
>
> Best Regards,
>
> Nathan Eisenberg
>
> *From:* Chris Roubekas [mailto:croube...@cnr-web.com]
> *Sent:* Thursday, January 28, 2010 12:20 PM
> *To:* support@pfsense.com
> *Subject:* RE: [pfSense Support] Route OpenVPN client requests through
> IPSec tunnel
>
> I was told that NATing my OpenVPN clients to a local LAN IP would do the
> trick of avoiding the routing from the far side (as the far side is not under my
> authority).
>
> Can anyone tell me how to do this in pfSense?
>
> C.
>
>
>  ------------------------------
>
> *From:* Nathan Eisenberg [mailto:nat...@atlasnetworks.us]
> *Sent:* Thursday, January 28, 2010 12:32 PM
> *To:* support@pfsense.com
> *Subject:* RE: [pfSense Support] Route OpenVPN client requests through
> IPSec tunnel
>
> I'm betting that the machines in the other office do not have a route to
> get to 10.99.99.0.  Add a static route to the remote office gateway/IPSec
> router, sending traffic bound for 10.99.99.0/x to your OpenVPN server.
> The OpenVPN server will know where to send the traffic from there.
>
> Best Regards,
>
> Nathan Eisenberg
>
> Sr. Systems Administrator - Atlas Networks, LLC
>
> office: 206.577.3078 | suncadia: 206.210.5450
>
> www.atlasnetworks.us | www.suncadianet.com
>
> *From:* Chris Roubekas [mailto:croube...@cnr-web.com]
> *Sent:* Thursday, January 28, 2010 1:00 AM
> *To:* support@pfsense.com
> *Subject:* [pfSense Support] Route OpenVPN client requests through IPSec
> tunnel
>
> Dear all,
>
> I have recently managed to create an IPSec tunnel between my office and
> another one of the same company.
>
> The network topology is as follows:
>
> MyOffice:
>
> pfSense:     LAN: 10.100.100.0/255.255.255.0
>              WAN: 10.100.99.0/255.255.255.0 (connects to router for
> internet)
>              IPSec tunnel: 192.168.20.0/255.255.255.0 (this is the LAN
> of the other office. I can ping these machines from my local LAN).
>
> RoadWarrior OpenVPN (administered by pfSense):
>              IP Range: 10.99.99.0
>
> So far RoadWarrior clients can connect to the VPN and use all services on
> my local LAN. The problem is I need the road warrior clients to be able to
> use the machines on the IPSec tunnel (192.168.20.0) as well.
>
> Any good ideas?
>
> C.