Tunnel IPSEC VPN through OpenVPN?

Rob22
OpenVpn Newbie
Posts: 1
Joined: Sat Aug 21, 2021 4:20 am

Tunnel IPSEC VPN through OpenVPN?

Post by Rob22 » Sat Aug 21, 2021 4:36 am

I have an OpenVPN server and client configured on two OpenWrt routers and the connection is working. I'm trying to tunnel through this OpenVPN connection via an IPSEC VPN client and it connects. I can ping and access some machines on the network but cannot access some critical machines, and I can RDP to one machine I need to use, but the connection drops shortly after.

Am I trying to achieve something that is not possible? Are the two protocols causing too much latency?

I can OpenVPN from location 1 and browse the internet as if I am in location 2
PC@location1 -> router with OpenVPN client -> internet -> router with OpenVPN server@location2 -> internet

Now I want to tunnel through that working connection to connect to an IPSEC VPN server that won't allow connections from location1

IPSEC VPN Client installed on PC@location1 -> router with OpenVPN client -> internet -> router with OpenVPN server@location2 -> internet -> IPSEC VPN Server -> local network

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Tunnel IPSEC VPN through OpenVPN?

Post by openvpn_inc » Mon Sep 06, 2021 1:02 am

Hi Rob22,

I doubt it's due to the multiple protocols in use, but sure, too much latency hurts something like RDP. If you managed to connect at all, that means your routing is correct on both sides.

Regards, rob0 (or rob$((22-22)) perhaps)
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

TinCanTech
OpenVPN Protagonist
Posts: 11138
Joined: Fri Jun 03, 2016 1:17 pm

Re: Tunnel IPSEC VPN through OpenVPN?

Post by TinCanTech » Mon Sep 06, 2021 1:46 am

Rob22 wrote: Sat Aug 21, 2021 4:36 am
"Now I want to tunnel through that working connection to connect to an IPSEC VPN server that won't allow connections from location1"

Easy ..

mttc
OpenVpn Newbie
Posts: 3
Joined: Thu Jul 18, 2024 8:10 am

Re: Tunnel IPSEC VPN through OpenVPN?

Post by mttc » Thu Jul 18, 2024 8:27 am

Same question, on Linux: the outer tunnel should be OpenVPN, the inner tunnel should be IPSEC by vpnc. vpnc is failing.
I'm quite sure it's because of the MTUs.

The only way I got it working: an Android device acting as wireless client and also access point, establishing the OpenVPN and sharing via access point. The Linux machine's wifi interface set to MTU 1200, then doing vpnc.

I tried doing the same on the Linux client only. First establishing the OpenVPN, then starting vpnc with --ifmtu 1200. First it connects and I'm able to ping clients behind, but soon after it stops working with

vpnc: quick mode response rejected:  (ISAKMP_N_INVALID_MESSAGE_ID)(9)

The difference is that only the tun interface gets MTU 1200. Before, when using the Android device as router, I can set the physical interface to MTU 1200. Any idea how to achieve that on the Linux machine only?

mttc
OpenVpn Newbie
Posts: 3
Joined: Thu Jul 18, 2024 8:10 am

Re: Tunnel IPSEC VPN through OpenVPN?

Post by mttc » Fri Jul 26, 2024 8:42 am

Talking at #openvpn we got some things clearer now. If establishing the inner vpnc tunnel fails then it is never about the vpnc MTU because this only affects the tunneled data. It can only be about the outer OpenVPN MTU. This is 1300 by default, set by the administrator's OpenVPN config. I just set it to 1200 now and the vpnc seems to work. But why exactly? And which is the best MTU? Just increasing until it fails and then setting -1?
What happens if an MTU is too large? Decreasing MTU actually would only lead to fragmented packets and degraded throughput, but why is some tunneled connection failing at all?
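
Added example (not part of the posts in this thread, and not OpenVPN's or vpnc's own tooling): rather than raising the MTU by hand until something breaks, a binary search with don't-fragment ICMP probes finds the largest packet the outer tunnel path carries unfragmented. It assumes Linux iputils `ping` and a `TARGET` host reachable through the OpenVPN tunnel; the function names, `TARGET` and `SIM_MTU` are hypothetical, and `probe_sim` is a constructed stand-in so the script also runs offline.

```shell
#!/bin/sh
# Added example: measure the usable path MTU through a tunnel by probing with
# the don't-fragment bit set, instead of stepping the MTU up by hand.

# probe_ping SIZE: one ICMP echo with SIZE payload bytes and DF set.
# Assumes Linux iputils ping (-M do forbids fragmentation, -W is the timeout).
# TARGET is an assumption: any host that is reached via the OpenVPN tunnel.
probe_ping() {
    ping -M do -c 1 -W 2 -s "$1" "${TARGET:?set TARGET first}" >/dev/null 2>&1
}

# probe_sim SIZE: constructed offline stand-in that behaves like a path whose
# MTU is SIM_MTU (payload + 20 bytes IPv4 header + 8 bytes ICMP header).
probe_sim() {
    [ $(( $1 + 28 )) -le "${SIM_MTU:-1300}" ]
}

# find_path_mtu PROBE [LOW] [HIGH]: binary search over ICMP payload sizes.
# Defaults: 548 (= 576 - 28, the minimum datagram every IPv4 host accepts)
# up to 1472 (= 1500 - 28, plain Ethernet).
# Prints the path MTU (largest passing payload + 28); returns 1 if LOW fails.
find_path_mtu() {
    probe=$1 lo=${2:-548} hi=${3:-1472}
    "$probe" "$lo" || return 1        # path is down or far narrower than expected
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))  # round up so the loop always terminates
        if "$probe" "$mid"; then
            lo=$mid                   # mid fits: search above it
        else
            hi=$(( mid - 1 ))         # mid is dropped: search below it
        fi
    done
    echo $(( lo + 28 ))
}

# Offline demonstration against the simulated path (constructed value).
SIM_MTU=1300
echo "simulated path MTU: $(find_path_mtu probe_sim)"

# Real use, with a constructed example address for the tunnel peer:
#   TARGET=10.8.0.1 find_path_mtu probe_ping
```

The value printed is the largest whole IPv4 packet that crosses the path; the inner tunnel's encapsulated packets, headers included, have to fit inside it.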

mttc
OpenVpn Newbie
Posts: 3
Joined: Thu Jul 18, 2024 8:10 am

Re: Tunnel IPSEC VPN through OpenVPN?

Post by mttc » Mon Sep 23, 2024 8:10 am

I got it working somehow by setting MTU 1300 on the physical interface.
