Bom dia, correto amigo o SG350 é usado apenas como switch, nossas VPN são realizadas e configuradas no nosso Firewall que é um PFSense, mas após trocamos para o switch cisco nossas conexões de VPN não estão funcionando, quem usa nossa vpn de casa não consegue se conectar no ambiente cloud da oracle que temos uma segunda VPN com eles.

Em resumo, no nosso firewall temos 2 VPN:

1 OpenVPN - Client to site (Para os colaboradores entrar no dominio (Vlan interna) em home office)

1 IPsec - site to site (Empresa com ambiente cloud (Nesse ambiente temos AD, Aplicações ERP, banco de dados oracle).

Sendo assim apos instalar o switch quem está em casa consegue acessar o ambiente interno normal atraves da OpenVPN mas não consegue acessar o ambiente cloud do IPSec.

Já verificamos todas as configurações do firewall e está tudo correto, se voltamos para o switch antigo funciona normal, por isso tenho certeza que é alguma configuração, ou bloqueio que está tendo no switch cisco.... 

O nosso link chega no Firewall e do Firewall vai para o SG350 distribuir, talvez algum bloqueio nas portas do switch ou algo assim.

Grato!

O IPsec já foram encerradas e iniciadas no firewall, irei verificar os logs e procurar alguma coincidência, e retorno aqui no fórum

Grato.

Analisei os log e não encontrei semelhanças aparentemente, 

estou enviando os log para você analisar se possível e conseguir me ajudar.

Hi Allybonny

I have some queries that will help me in helping you solve the issue that you are having

1. Am i right in assuming that the OpenVPN-server is also configured on the PFSense-Firewall??? from your posts iam assuming that is how its configured...

2. What is the ip-pool/subnet that is used to assign the ipaddresses to the OpenVPN clients? 

- This is important to know. There must be a ip-pool configured...it would be a subnet or a ip-range...can you please post the info here?

- kindly give the subnet info as well as the netmask used for the openvpn ip-pool

3. You mentioned that the Open-VPN client users AFTER they have successfully established the openvpn-tunnel on PFsense can communicate to ALL hosts/devices/servers in the Internal-Network connected to the SG350...right?

4. Are all the internal-lan-hosts able to connect to the Oracle-cloud-network across the ipsec-tunnel??

- Iam just asking this to confirm. i I think the answer would be yes.

- If not can you mention which hosts/subnets in the Internal-lan-network cannot communicate to the oracle-cloud-network across the ipsec tunnel?

5. I think the network deployment with the PFsense-firewall is as below:

(Internal-lan-network)---[SG350]-----(lan-interface){PFsense-FW]wan-----[Internet]-------[Oracle-cloud-Ipsec-Gw]----[cloud-network]

- so i just wanted to know what is the ipaddress (and the netmask/subnet-mask) configured on the lan-interface of the PFsense-FW??

thanks

Certo.

4. Todos os hosts internos-lan-hosts são capazes de se conectar à rede oracle-cloud através do túnel ipsec??

Sim, eles ligam a VPN em casa e tem acesso ao tunel ipsec.

Segue anexo do ipconfig de um usuário em casa com o openvpn conectado (Anexo client).

segue tambem print da vpn e do nosso ipsec (anexos vpn)

Segue tambem print do ipsec (anexos ipsec)

Hi,

Thanks for the updated info

Refering to the vpn3-jpg the openvpn-server is configured for split-tunnel and as per the present server config, the openvpn clients are allowed to ONLY connect to lan-network 192.168.200.0/20

So, i believe you should do the below addition in the openvpn-server config

1. In the option "IPv4 Local Networks"

- there is existing subnet of ONLY your local lan network 192.168.200.0/20
- therefore the openvpn clients after establishing tunnel are able to connect to ONLY this network.

- Whereas the remote network across the ipsec tunnel is the subnet 10.252.10.0/20

2. So on the openvpn-server, with reference to the same page shown shown in vpn3-jpg in the option "IPv4 Local Network", update the values as below

192.168.200.0/20,10.252.10.0/20

- apply & save

3. Next, with reference to vpn4-jpg, there is the custom option which has the ipaddr 192.168.200.9 for use as the default gateway by the openvpn client.

a) This config is pushed automatically to the client during tunnel establishment process, and I am assuming that this ipaddr 192.168.200.9 is the lan ipaddr interface of the Firewall/Openvpn-Server/IPsec gateway.

- If yes, dont do any changes

- if no this ipaddr 192.168.200.9 is NOT the lan-ipaddr of the fw/openvpn/ipsec gateway, then please change this ipaddr to the current lan-ipaddr of the fw-opnvpnserver-ipsec gw...it will be like the same lan nw ip 192.168.200.x

4. Then next apply and save, and restart the openvpn-server service on the gateway once after the update Or reboot if you can

a) and next reconnect the openvpn clients to the open-vpn server

b) i think now the openvpn clients can connect to both local lan-network (192.168.200.0/20) and also the remote network 10.252.10.0/20 across the ipsec tunnel

Irei fazer isso à noite fora do expediente e retorno na sequencia