Come in via OpenVPN then get to remote side of IPSec

I have a client-to-site VPN through OpenVPN and an IPSec Site-to-Site VPN.

Through the OpenVPN a desktop can access the local devices on LAN and LAN2.

Devices on those local networks can access the network on the remote side of the Site-to-Site VPN.

I added the remote network range for the S2S VPN to OpenVPN and reconnected. The remote network now appears in my PC’s route table.

However I’m not able to connect to the devices on the remote network.

Seems like I’m missing a step. Ideas?

Have you added the OpenVPN subnet to your IPsec policy? Or set up NAT? One of those two should fix your issue.

Thanks for the response!

I tried adding the OpenVPN subnet to a P2 for the IPSec policy. It did not seem to matter.

Then I noticed the first P2 was for “Lan” and not a network. OpenVPN is not in the list, so I tried adding it under Interfaces to see if it would then appear as an option for IPsec. This broke OpenVPN so I backed out the Interface and P2 for OpenVPN.

I’d like to set up NAT but do not know how to do that on the pfSense. Presumably, the NAT would convert the IP range of the OpenVPN tunnel to a few addresses in the LAN range that are not in use. Do you know where I could see an example?

  1. You need to have the OpenVPN subnet in your phase 2 on the current firewall and peer firewall

  2. You need to allow the OpenVPN interface to talk to the peer subnet on the current firewall

  3. Allow the IPsec interface rule to allow traffic from your OpenVPN subnet on the peer firewall
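To make the three steps above (and the NAT alternative mentioned earlier) concrete, here is an added example that is not from the thread or from pfSense: a small Python model that walks a packet from an OpenVPN client to a host behind the peer and reports which phase 2 selector or interface rule is still missing. All subnets (LAN 192.168.1.0/24, LAN2 192.168.2.0/24, OpenVPN 10.8.0.0/24, peer side 172.16.0.0/24) and the firewall names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Firewall:
    name: str
    phase2: list                               # (local_net, remote_net) pairs of the IPsec tunnel
    rules: dict                                # interface -> [(src_net, dst_net)] pass rules
    nat: dict = field(default_factory=dict)    # src_net -> address substituted before IPsec

def selector_match(pairs, a, b):
    """True if some (x, y) pair has a in x and b in y."""
    return any(a in x and b in y for x, y in pairs)

def check_path(local, peer, src_ip, dst_ip):
    """Return the list of missing pieces for src -> dst; empty means the path is configured."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    missing = []
    # step 2: the OpenVPN interface on the local firewall must pass the traffic
    if not selector_match(local.rules.get("OpenVPN", []), src, dst):
        missing.append(f"{local.name}: OpenVPN rule for {src} -> {dst}")
    # NAT alternative: if the client range is translated, IPsec sees the translated source
    ipsec_src = next((ipaddress.ip_address(t) for n, t in local.nat.items() if src in n), src)
    # step 1: phase 2 on both firewalls must cover the (source, destination) pair
    if not selector_match(local.phase2, ipsec_src, dst):
        missing.append(f"{local.name}: phase 2 covering {ipsec_src} -> {dst}")
    if not selector_match(peer.phase2, dst, ipsec_src):      # peer sees (local=dst, remote=src)
        missing.append(f"{peer.name}: phase 2 covering {ipsec_src} -> {dst}")
    # step 3: the IPsec interface rule on the peer must pass the decrypted traffic
    if not selector_match(peer.rules.get("IPsec", []), ipsec_src, dst):
        missing.append(f"{peer.name}: IPsec rule for {ipsec_src} -> {dst}")
    return missing

# constructed addressing (assumption, not from the thread)
LAN, LAN2, OVPN, REMOTE = map(ipaddress.ip_network,
                              ["192.168.1.0/24", "192.168.2.0/24", "10.8.0.0/24", "172.16.0.0/24"])
ANY = ipaddress.ip_network("0.0.0.0/0")
P2_A, P2_B = [(LAN, REMOTE), (LAN2, REMOTE)], [(REMOTE, LAN), (REMOTE, LAN2)]
RULES_B = {"IPsec": [(LAN, ANY), (LAN2, ANY)]}

def scenarios(src="10.8.0.5", dst="172.16.0.20"):
    # as in the question: route pushed to the client, firewalls unchanged -> three gaps
    before = check_path(Firewall("A", P2_A, {"OpenVPN": [(OVPN, ANY)]}), Firewall("B", P2_B, RULES_B), src, dst)
    # steps 1-3 applied: OpenVPN subnet in both phase 2 tables and in the peer's IPsec rules
    fixed = check_path(Firewall("A", P2_A + [(OVPN, REMOTE)], {"OpenVPN": [(OVPN, ANY)]}),
                       Firewall("B", P2_B + [(REMOTE, OVPN)], {"IPsec": RULES_B["IPsec"] + [(OVPN, ANY)]}), src, dst)
    # NAT alternative: clients appear as one unused LAN address, so the existing phase 2 already matches
    nat = check_path(Firewall("A", P2_A, {"OpenVPN": [(OVPN, ANY)]}, nat={OVPN: "192.168.1.250"}),
                     Firewall("B", P2_B, RULES_B), src, dst)
    return before, fixed, nat
```

Run `scenarios()` to see the three gaps from the original setup, then the empty lists for the phase 2 fix and for the NAT variant.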