OVPN Roadwarrior to IPSec Net2Net (again)

Hi,

i had this question in the past but know we get an additional customer and it is getting more important.

Start:
We have a IPFire server with an 192.168.2.0/24 internal network running.
This machine handles the Ovpn road warrior connections with a 10.251.150/24 network.

The server also handles (at the moment) two IPSec net2net connections.

The users in the internal network can connect to the machines in the IPsec networks and the machines in the IPSec networks can connect to the machines in the internal network. The road warriors can also connect to the internal machines.

In the IPsec connection settings i set the local network and the ovpn network addresses separated by comma as local network. On the IPSec router i set the internal and the Ovpn network as remote network.
The Ovpn server pushes the two IPsec networks as additional networks.

On the IPFire server a created two firewall rules:

  1. rule
    from: “standard-network - OVPN”
    NAT - source-NAT - green Interface IP
    to: IPsec-network - one of the remote networks
    protocoll: all

  2. rule:
    from: IPsec-network - the remote network
    NAT - source-NAT - green Interface IP
    to: “standard-network - OVPN”
    protocol: all

Now i connect as road warrior and check my routes:
Kernel IP Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 600 0 0 wlo1
10.234.16.0 10.251.150.5 255.255.255.0 UG 50 0 0 tun0
10.234.72.0 10.251.150.5 255.255.248.0 UG 50 0 0 tun0
10.251.150.1 10.251.150.5 255.255.255.255 UGH 50 0 0 tun0
10.251.150.5 0.0.0.0 255.255.255.255 UH 50 0 0 tun0
192.168.2.0 10.251.150.5 255.255.255.0 UG 50 0 0 tun0

Looks good, all networks known and should be routet over the tun interface.
If i try to connect to a server in the 10.234.72.0/21 network from the road warrior:
ssh: connect to host 10.234.73.21 port 22: Network is unreachable

A traceroute shows this:
traceroute to 10.234.73.21 (10.234.73.21), 30 hops max, 60 byte packets
1 10.251.150.1 (10.251.150.1) 46.993 ms 94.990 ms 94.977 ms
2 10.251.150.1 (10.251.150.1) 94.952 ms !N 94.922 ms !N 94.888 ms !N

→ the OVPN connection is used.

From the internal network the connect is working.

Ideas or do you need additional infos to get an overview what i have done or there my mistake is?

Best

Silvio

Hi,

not yet, but I am running precisely the same setup, using OpenVPN for roadwarriors, and IPsec to connect several organisation sites/headquaters to each other.

I will dig deeper into this and get back to you…

Thanks, and best regards,
Peter MĂĽller

1 Like

Here as info the created iptables rules:
10.234.16.xx and 10.234.72.xx are the extrenal ipsec networks.

Chain FORWARDFW (1 references)
target prot opt source destination
LOG all – 10.234.72.0/21 10.251.150.0/24 limit: avg 10/sec burst 20 LOG level warning prefix "FORWARDFW "
ACCEPT all – 10.234.72.0/21 10.251.150.0/24
LOG all – 10.251.150.0/24 10.234.72.0/21 limit: avg 10/sec burst 20 LOG level warning prefix "FORWARDFW "
ACCEPT all – 10.251.150.0/24 10.234.72.0/21
LOG all – 10.234.16.0/24 10.251.150.0/24 limit: avg 10/sec burst 20 LOG level warning prefix "FORWARDFW "
ACCEPT all – 10.234.16.0/24 10.251.150.0/24
LOG all – 10.251.150.0/24 10.234.16.0/24 limit: avg 10/sec burst 20 LOG level warning prefix "FORWARDFW "
ACCEPT all – 10.251.150.0/24 10.234.16.0/24
LOG all – 10.234.72.0/21 10.234.16.0/24 limit: avg 10/sec burst 20 LOG level warning prefix "FORWARDFW "
ACCEPT all – 10.234.72.0/21 10.234.16.0/24
LOG all – 10.234.16.0/24 10.234.72.0/21 limit: avg 10/sec burst 20 LOG level warning prefix "FORWARDFW "
ACCEPT all – 10.234.16.0/24 10.234.72.0/21

Silvio

Have you added your networks as CUSTOMFORWARD rules to
/etc/sysconfig/firewall.local
? This is a must for this to work, it’s not possible to make it work through the GUI only.

Hei,

thanks for this info i have done all the steps over the GUI …
I started with the IPSec docu from the Wiki:

and configured also the “hub and spoke” configuration:

The discription here uses the GUI and is also not working in my case.

So i will do a step back and start again, only with the OVPN to IPSec config.

Thanks again for these info

Silvio

If I am understanding your networks correctly, you should replace/add this to the file:

case "$1" in
  start)
        ## add your 'start' rules here
        iptables -t filter -A CUSTOMFORWARD -s 10.251.150.0/24 -d 10.234.16.0/24 -j ACCEPT
        iptables -t filter -A CUSTOMFORWARD -s 10.251.150.0/24 -d 10.234.72.0/24 -j ACCEPT
        ;;
  stop)
        ## add your 'stop' rules here
        iptables -t filter -D CUSTOMFORWARD -s 10.251.150.0/24 -d 10.234.16.0/24 -j ACCEPT
        iptables -t filter -D CUSTOMFORWARD -s 10.251.150.0/24 -d 10.234.72.0/24 -j ACCEPT
        ;;
  reload)

But the rest looks correct and you do not have to start over in that case. Just add this and restart ipfire or apply these rules.

1 Like

Hi,

it works!
Thanks a lot for this.

If i understand it right my failure was that i was thinking i have to put a rule over the GUI OR over the local script but i have to do it on both points.

And again thank you → problem solved and learned something

Silvio

1 Like

Well no, this is undocumented. The “hub and spoke” only applies to ipsec nets, but that won’t work alone with OpenVPN – if I were to be guessing, because of the multi-IP-hopping of OpenVPN (every client consumes four addresses). I found this solution a few years ago in an old forum post somewhere, I think in the old German forum, and I can no longer find it.

So it was hard for you to guess the solution indeed :wink:

1 Like