OpenVPN RA - route traffic down existing S2S IPSec VPN (2024)


  • zildac


    Before I go down a rabbit hole, can anyone confirm whether it is possible to do the following:

    Current setup

    1. IPSec tunnel already in place and working fine between SiteA and SiteB with associated P2's (all /32's) using NAT/BINAT xlate set to "whole network" and an associated /24 used
    2. SiteA is a Netgate appliance and SiteB is Checkpoint (I think this point is moot in this context tbh).

    What I want to do

    1. OpenVPN client connects to SiteA (works fine for hosts on the local LAN)
    2. OpenVPN client is able to connect to hosts in SiteB via the existing in place IPSec VPN tunnel

    What I have tried

    1. Add a second P2 that matches the existing P2 for the site to site, but changed the "local network" to match that of the OpenVPN client network and included the same NAT/BINAT config.
    2. Added the following in OpenVPN Client Export Advanced config options: "route x.x.x.x 255.255.255.255" (the P2 specifies a /32 host for both the existing working site to site and the OpenVPN related P2).
    3. Added the /32 address at the end of the S2S tunnel to the OpenVPN "Tunnel settings" "Local Networks" in the OpenVPN server page on the Netgate.

    Based on a reasonably good dig around the forums this should in theory work, however I do have NAT in the mix.

    This doesn't work, but I'm assuming there must be a way of doing this? Anyone able to offer any advice?



    • viragomann

      @zildac said in OpenVPN RA - route traffic down existing S2S IPSec VPN:

      Add a second P2 that matches the existing P2 for the site to site, but changed the "local network" to match that of the OpenVPN client network and included the same NAT/BINAT config.

      The local network in the P2 has to match the OpenVPN tunnel network.

      Additionally in the OpenVPN server settings add the remote networks of the IPSec to the "local networks" to push the route to the clients.


      • zildac @viragomann


        @viragomann Hi, Thanks for the response, both of those criteria are already met. Please see below:

        [screenshot omitted]

        [screenshot omitted]

        Re the P2 above, bear in mind it is a duplicate of an existing P2 (including the NAT config). The only difference is that this one contains the OpenVPN network as opposed to the LAN subnet.

        And I can see the route for destination is present on the OpenVPN client machine using route print.

        Should this work?


        • viragomann @zildac


          @zildac said in OpenVPN RA - route traffic down existing S2S IPSec VPN:

          Re the P2 above, bear in mind it is a duplicate of an existing P2 (including the NAT config). The only difference is that this one contains the OpenVPN network as opposed to the LAN subnet.

          And the LAN is able to communicate with the remote site?

          I didn't ever do it exactly this way. But it worked with a local subnet in one P2 and a single BINAT address within this subnet in the second one. But the second has to be the first in the P2 set.
          So possibly the IP cannot be used in multiple P2s.


          • zildac @viragomann


            @viragomann Hi, yes, the local LAN has no issue connecting to the hosts at the other end of the S2S. The issue is only present for the OpenVPN client. I have even disabled the first P2 (LAN to SiteB host) so that only the OpenVPN related P2 is active, but still no joy. The tunnel doesn't even try to come up. It is almost like the Netgate is not trying to route the traffic down the tunnel. I can see the ICMP traffic in packet capture out of the OpenVPN IFC on the Netgate, so it is coming down the OpenVPN tunnel.

            [screenshot omitted]


            • viragomann @zildac


              @zildac
              And you cannot see the packets on IPSec?


              • zildac @viragomann


                @viragomann OK, so this issue is resolved. I disabled ALL the other P2 proposals under the corresponding P1 (the reorder function in the UI crashed?!), and now I can see traffic flowing from a host on the LAN subnet to the host at SiteB and from the OpenVPN client to the same host on SiteB. They are both using the same BINAT network range for NAT, which is a non-issue in this test setup but could cause issues where the last octet of a client is the same in both P2's. I suspect the issue was the ordering of the P2 proposals; it's the only change I made. Thanks for pointing me down the right path!!

                [screenshot omitted]

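The last two posts point at the two things worth checking in this kind of setup: which P2 a flow lands in when more than one P2 under the same P1 could match it, and what a BINAT range shared by two P2s does to hosts that have the same last octet. The following Python is an added example, not code from this thread or from pfSense: it models a P2 list with constructed addresses (a broad no-BINAT "legacy" P2 plus the LAN and OpenVPN P2s discussed above), assumes that overlapping traffic selectors resolve in list order (a simplifying assumption, not a statement about how the IPsec daemon orders them), and flags BINAT ranges that would make two different hosts look identical to the remote site.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Phase2:
    """One IPsec Phase 2 entry as listed under a Phase 1 (constructed model, not pfSense's own data)."""
    name: str
    local: IPv4Network                    # "Local Network" traffic selector
    remote: IPv4Network                   # "Remote Network" traffic selector
    binat: Optional[IPv4Network] = None   # NAT/BINAT "whole network" mapping of `local`, if any
    enabled: bool = True


# Constructed P2 list in UI order (all addresses are made up). The first entry is a
# broad aggregate with no BINAT; the next two are the LAN and OpenVPN P2s from the
# thread, both mapped onto the same BINAT /24 towards the same /32 host at SiteB.
P2S: List[Phase2] = [
    Phase2("legacy-aggregate", ip_network("10.0.0.0/8"), ip_network("172.16.0.0/16")),
    Phase2("lan-to-siteb", ip_network("192.168.1.0/24"), ip_network("172.16.5.10/32"),
           ip_network("10.99.0.0/24")),
    Phase2("ovpn-to-siteb", ip_network("10.8.0.0/24"), ip_network("172.16.5.10/32"),
           ip_network("10.99.0.0/24")),
]


def binat_translate(p2: Phase2, src: IPv4Address) -> IPv4Address:
    """Source address a host in p2.local is presented as on the tunnel.
    "Whole network" BINAT keeps the host offset and swaps the network part."""
    if p2.binat is None:
        return src
    if p2.binat.prefixlen != p2.local.prefixlen:
        raise ValueError(f"{p2.name}: BINAT network must be the same size as the local network")
    if src not in p2.local:
        raise ValueError(f"{p2.name}: {src} is not in local network {p2.local}")
    offset = int(src) - int(p2.local.network_address)
    return IPv4Address(int(p2.binat.network_address) + offset)


def select_phase2(p2s: List[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """First enabled P2 whose selectors cover src -> dst. Assumption of this model:
    overlapping selectors resolve in list order, so an earlier broad P2 wins over
    a later, more specific one."""
    s, d = ip_address(src), ip_address(dst)
    for p2 in p2s:
        if p2.enabled and s in p2.local and d in p2.remote:
            return p2
    return None


def flow_on_wire(p2s: List[Phase2], src: str, dst: str) -> Tuple[Optional[str], Optional[str]]:
    """(P2 name, translated source) the remote side would see, or (None, None) if no P2 matches."""
    p2 = select_phase2(p2s, src, dst)
    if p2 is None:
        return None, None
    return p2.name, str(binat_translate(p2, ip_address(src)))


def move_to_front(p2s: List[Phase2], name: str) -> List[Phase2]:
    """Copy of the list with the named P2 first (what the UI reorder is meant to do)."""
    return [p for p in p2s if p.name == name] + [p for p in p2s if p.name != name]


def enable_only(p2s: List[Phase2], names) -> List[Phase2]:
    """Copy of the list with every P2 outside `names` disabled (what the OP did to get it working)."""
    return [replace(p, enabled=(p.name in names)) for p in p2s]


def binat_collisions(p2s: List[Phase2]) -> List[Tuple[str, str]]:
    """Pairs of enabled P2s that map *different* local networks onto overlapping BINAT
    ranges: hosts with the same offset (the same last octet in two /24s) would show up
    with the same translated address on the remote side."""
    out = []
    enabled = [p for p in p2s if p.enabled and p.binat is not None]
    for i, a in enumerate(enabled):
        for b in enabled[i + 1:]:
            if a.local != b.local and a.binat.overlaps(b.binat):
                out.append((a.name, b.name))
    return out


if __name__ == "__main__":
    ovpn_client, siteb_host = "10.8.0.5", "172.16.5.10"
    print("as listed:       ", flow_on_wire(P2S, ovpn_client, siteb_host))
    print("ovpn P2 first:   ", flow_on_wire(move_to_front(P2S, "ovpn-to-siteb"), ovpn_client, siteb_host))
    print("others disabled: ", flow_on_wire(enable_only(P2S, {"ovpn-to-siteb"}), ovpn_client, siteb_host))
    print("LAN host .5:     ", flow_on_wire(P2S, "192.168.1.5", siteb_host))
    print("BINAT collisions:", binat_collisions(P2S))
```

With the list as constructed, the OpenVPN client's flow is swallowed by the broad first P2 (and leaves untranslated), while moving the OpenVPN P2 to the front or disabling the others sends it through the intended P2 as 10.99.0.5. The collision check then shows the remaining risk from the last post: LAN host 192.168.1.5 is also presented as 10.99.0.5, so the remote side cannot tell the two apart while both P2s share one BINAT /24.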
