URGENT: IPsec over Openvpn tunnel not working

Moderators: TinCanTech

Locked
sebonline
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 03, 2016 2:22 pm

URGENT: IPsec over Openvpn tunnel not working

Post by sebonline » Fri Jun 03, 2016 2:46 pm

Hi guys,

I'm quite new to OpenVPN and I'm actually facing an issue I can't solve on my own, and before investigating hardware deeper, I would like to ensure I'm not facing a simple incompatibility between IPSec and OpenVPN.

We are actually running OpenVPN tunnels between distant routers and a pfSense server. It works great and the distant routers are getting WAN access from the pfSense server. So in this configuration, a client connected to a distant router (OpenVPN client) is using the WAN access coming from the pfSense server (which owns the OpenVPN server).

Client -(LAN)-> Router -(Openvpn tunnel UDP/TUN)-> pfsense -> WAN access

We have clients that want to set up IPSec tunnels with third systems over our (Router -> pfSense) OpenVPN tunnel, and it is not working.
I've tried to search over forums and online docs but didn't find any example like mine.

At the same time I tested other tunnel protocols passing through our configuration (Router -(OpenVPN tunnel)-> pfSense -> WAN) and I can establish working tunnels with OpenVPN (TCP/UDP), SSTP, PPTP... but it is not working at all with the IPSec protocol.

Maybe I'm missing something, but I'm wondering if there is any limitation in using OpenVPN for what I'm trying to do, I mean having an OpenVPN tunnel delivering WAN access and using it to establish an IPSec connection and pass IPSec traffic.

For your information, there are no firewalling rules either in the router or in the pfSense server.

If I'm not clear enough let me know, any help would be greatly appreciated.

Many thanks for all, Sebastien

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: URGENT: IPsec over Openvpn tunnel not working

Post by TinCanTech » Fri Jun 03, 2016 3:09 pm

OpenVPN protocol is not compatible with IPsec .. are you trying to tunnel IPSec through an OpenVPN tunnel ?

sebonline
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 03, 2016 2:22 pm

Re: URGENT: IPsec over Openvpn tunnel not working

Post by sebonline » Fri Jun 03, 2016 3:58 pm

Thanks for your reply,
That is exactly what I'm trying to do, tunnel IPSec through an OpenVPN tunnel.
Isn't it possible?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: URGENT: IPsec over Openvpn tunnel not working

Post by TinCanTech » Fri Jun 03, 2016 4:19 pm

Personally, I have never tried to send IPSec via OpenVPN tunnel ..

What :port are you sending IPSec to ?

sebonline
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 03, 2016 2:22 pm

Re: URGENT: IPsec over Openvpn tunnel not working

Post by sebonline » Fri Jun 03, 2016 4:28 pm

I was trying to use a hardware solution, Cisco RV042G, where IPSec ports are supposed to be (but not shown or configurable) 500 and 4500.
I've also tried using ExpressVPN software IPSec solution, same result.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: URGENT: IPsec over Openvpn tunnel not working

Post by TinCanTech » Fri Jun 03, 2016 4:35 pm

I would check all log files for errors ..

sebonline
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 03, 2016 2:22 pm

Re: URGENT: IPsec over Openvpn tunnel not working

Post by sebonline » Fri Jun 03, 2016 4:39 pm

I found nothing relevant in the Cisco logs... I'm suspecting the OpenVPN tunnel is using port 500, but I'm not expert enough to confirm, and I would like to see if someone has ever done an IPSec tunnel through an OpenVPN tunnel... That could also be a limitation in the use of OpenVPN...
I can't believe I'm the first one to try it ;-)

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: URGENT: IPsec over Openvpn tunnel not working

Post by TinCanTech » Fri Jun 03, 2016 4:45 pm

sebonline wrote: I'm suspecting the OpenVPN tunnel is using port 500, but I'm not expert enough to confirm
OpenVPN default --port is 1194 ..
sebonline wrote: That could also be a limitation in the use of OpenVPN... I can't believe I'm the first one to try it
More likely your configuration is wrong ..

sebonline
OpenVpn Newbie
Posts: 5
Joined: Fri Jun 03, 2016 2:22 pm

Re: URGENT: IPsec over Openvpn tunnel not working

Post by sebonline » Fri Jun 03, 2016 4:54 pm

Thanks.

I don't think it is a wrong configuration.

In order to check the config, I used the ExpressVPN software solution, which offers different kinds of protocols in order to reach distant VPN servers.

As I was saying previously, when I tried with OpenVPN (TCP/UDP), SSTP and PPTP, tunneling was working through an OpenVPN tunnel.
For the IPSec protocol, the tunnel wasn't working.

I then tried to establish the same IPSec tunnel (using the ExpressVPN solution), via the same router, but with OpenVPN disabled (= the router is accessing the WAN directly).
The result is that the ExpressVPN IPSec tunnel was working.

So what I can say is that:

When not through the OpenVPN tunnel, IPSec is working fine
When through the OpenVPN tunnel, PPTP, SSTP and OpenVPN tunnels are working, not IPSec
There is no firewalling rule anywhere.

Any idea?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: URGENT: IPsec over Openvpn tunnel not working

Post by TinCanTech » Fri Jun 03, 2016 7:35 pm

You need to be certain that the IPSec packets are trying and succeeding (or not) to traverse the OpenVPN tunnel.
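
Added example (not part of the original thread, and not any poster's own code): one way to do the check suggested above, by classifying raw IPv4 packets read off the OpenVPN tun interface as IKE (UDP 500), NAT-T (UDP 4500) or ESP (IP protocol 50) and counting them per direction. The addresses, sample packets and function names are constructed for illustration; ESP's protocol number and the RFC 3948 marker are standard IPsec facts rather than details from the thread.

```python
import socket
import struct
from collections import Counter

ESP, UDP = 50, 17        # IP protocol numbers
IKE, NATT = 500, 4500    # UDP ports named in the thread

def classify(pkt):
    """Label a raw IPv4 packet (what a tun device carries), or return None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    if pkt[9] == ESP:
        return "ESP"
    if pkt[9] != UDP or len(pkt) < ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if IKE in (sport, dport):
        return "IKE"
    if NATT in (sport, dport):
        # RFC 3948: four zero bytes mark IKE on port 4500, otherwise ESP-in-UDP
        marker = pkt[ihl + 8:ihl + 12]
        return "IKE (NAT-T)" if marker == b"\0\0\0\0" else "ESP-in-UDP"
    return None

def tally(packets, client_ip):
    """Count IPsec packet classes per direction relative to the IPsec client."""
    seen = Counter()
    for pkt in packets:
        label = classify(pkt)
        if label:
            src = socket.inet_ntoa(pkt[12:16])
            seen[(label, "out" if src == client_ip else "in")] += 1
    return seen

def ipv4(src, dst, proto, body):     # minimal header for samples, checksum left 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + body

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed sample: packets seen on the tun interface (documentation addresses).
CLIENT, PEER = "192.0.2.10", "198.51.100.7"
TUN_CAPTURE = [
    ipv4(CLIENT, PEER, UDP, udp(500, 500, b"\x11" * 28)),         # IKE request out
    ipv4(PEER, CLIENT, UDP, udp(500, 500, b"\x22" * 28)),         # IKE reply in
    ipv4(CLIENT, PEER, ESP, b"\x00\x00\x10\x01" + b"\x33" * 16),  # ESP out, no reply
]
```

An outbound count with no matching inbound count in `tally(TUN_CAPTURE, CLIENT)` shows which class of IPsec traffic is not completing the round trip through the tunnel.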