I have a pfSense gateway that connects to the ISP and gets a public address. It takes care of servers and clients without a problem. To that gateway I connected another pfSense to play around and just test things without breaking what's in PF01's network.

The problem I am stuck with right now is that I cannot access PF02's network from a vpn.

Here's a pretty graphic to show what I mean : just some firewalls and clients

  • "Me" (with VPN) and "admin" (locally) can access what happens behind PF01 and PF02.
  • (not pictured) admin02, who is also between PF01 and PF02 but on a completely different interface/network, cannot connect to PF02, only PF01.

I want to be able to access PF02 from "admin02" without going through PF01 (it doesn't work anyway).

My config :

OpenVPN is configured to give addresses x.x.x.x/x and give access to the LAN interface of PF02. I configure my OpenVPN client to access it through the DDNS. It is configured to go through the public address and it works; I can access "other webserver" from "Me" with that domain name.

In PF01, I forward any to wan-of-PF02:1194. In PF02, I have a rule to pass any to the WAN:1194, and another one on the LAN for any/any.

System logs of OpenVPN (and packet capture) do note that someone tried to connect, but it always fails on the handshake.

I've tried finding a solution but it always ends up with "do not do double nat" which is not what I want to do!

I did test site-to-site between PF01 and PF02 (it's working, joined domain and all), but now I really want to remotely connect to the 2nd firewall directly.

EDIT: I noticed I forgot something in my little drawing there; it's Canada Day Sunday so I'll be back Tuesday to edit it. I rewrote the

Carobell
  • If you first establish a VPN session against PF01, are you then able to establish the VPN connection to PF02? I interpret your question as if you want to VPN directly to PF02 without VPN to PF01, but can you at least do it then? – Jonas Bjork Jun 29 '18 at 19:21
  • I edited the question as I completely forgot the computer I am working from (admin02). I tried connecting to the PF02 VPN from "admin" (connected to it by vpn-pf01 from "admin02") and it did not work. But I was able to get it to work externally ("Me" gets in finally!). The problem is most likely a route that does not go where it should. I feel I am getting closer! ***I am off for the weekend, won't answer until Tuesday*** – Carobell Jun 29 '18 at 19:51
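The question's symptom is that the OpenVPN server logs show a connection attempt that never completes the handshake. The following is an added example (not from the post or from pfSense) that sorts OpenVPN server log lines into the failure classes that matter when debugging a forwarded port: the server saw the client but its replies never got back (the double-NAT return path), a tls-auth key mismatch, or a certificate rejection. The log lines, hostnames and addresses are constructed in the style of OpenVPN's messages.

```python
import re
from collections import Counter

# Constructed sample lines in the style of an OpenVPN server log; timestamps,
# hostnames and peer addresses are made up and are not from the original post.
SAMPLE_LOG = """\
Jun 29 19:02:11 pf02 openvpn[4711]: 203.0.113.10:51234 TLS: Initial packet from [AF_INET]203.0.113.10:51234, sid=1a2b3c4d 5e6f7a8b
Jun 29 19:03:11 pf02 openvpn[4711]: 203.0.113.10:51234 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 29 19:03:11 pf02 openvpn[4711]: 203.0.113.10:51234 TLS Error: TLS handshake failed
Jun 29 19:05:40 pf02 openvpn[4711]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Jun 29 19:05:40 pf02 openvpn[4711]: TLS Error: incoming packet authentication failed from [AF_INET]198.51.100.7:44000
Jun 29 19:07:02 pf02 openvpn[4711]: 192.0.2.55:60001 VERIFY ERROR: depth=0, error=certificate has expired: CN=laptop
"""

# Each rule maps a server-side message to the layer it usually points at.
RULES = [
    (re.compile(r"key negotiation failed to occur within \d+ seconds"), "no_reply",
     "server saw the client but the client never got the reply: check the return path through the outer NAT"),
    (re.compile(r"packet HMAC authentication failed|incoming packet authentication failed"), "tls_auth_key",
     "tls-auth/tls-crypt key on the client does not match this server"),
    (re.compile(r"VERIFY ERROR"), "certificate",
     "client certificate rejected by the CA/CRL check"),
    (re.compile(r"TLS: Initial packet from \[AF_INET\]"), "initial_packet",
     "a forwarded packet reached the server, so the inbound port forward works"),
]

PEER_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+")

def classify_line(line):
    """Return (category, hint, peer_ip) for a handshake-related line, else None."""
    for pattern, category, hint in RULES:
        if pattern.search(line):
            peer = PEER_RE.search(line)
            return category, hint, peer.group(1) if peer else None
    return None

def summarize(log_text):
    """Count events per category and record which peer addresses produced each."""
    counts, peers = Counter(), {}
    for line in log_text.splitlines():
        result = classify_line(line)
        if result is None:
            continue  # not a handshake event (e.g. the generic "TLS handshake failed")
        category, _hint, peer = result
        counts[category] += 1
        if peer:
            peers.setdefault(category, set()).add(peer)
    return counts, peers

if __name__ == "__main__":
    counts, peers = summarize(SAMPLE_LOG)
    for category, n in counts.items():
        hint = next(h for _p, c, h in RULES if c == category)
        print(f"{category}: {n} from {sorted(peers.get(category, []))} -> {hint}")
```

A "no_reply" count with a matching "initial_packet" from the same peer is the signature of the double-NAT case: the port forward on the outer firewall delivers the packet, but the inner server's reply does not make it back to the client.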

1 Answer

You should select another tunneling mechanism for the inner (me->pf02) tunnel. IPsec along with ESP+NAT-T is the first that comes to mind. Support is wide, but if your old WinXP (or similar) lacks support then add another layer in the form of L2TP/MS-CHAPv2 and it won't fail even there. Linux however has excellent support for IPsec in multiple flavors.

Any specific reason that you chose OpenVPN? Easy setup perhaps, or something harder to overcome?

Jonas Bjork
  • It's really only because that is what was previously used by the last admin. I know IPsec works for PF01; I'll see if it's easier to make work with PF02 than OpenVPN. – Carobell Jul 03 '18 at 12:13