Router-originating traffic for IPsec tunnel

Started by Yordan Yordanov, April 19, 2015, 02:14:56 AM

April 19, 2015, 02:14:56 AM Last Edit: April 19, 2015, 02:17:11 AM by Yordan Yordanov
I need to configure my DNS forwarder with two domain overrides in order to send DNS queries to different DNS servers depending on the domain in the query (conditional forwarding). Each of these DNS servers is in a separate intranet which is connected to the OPNsense router using 2 VPN tunnels - one is OpenVPN and one is IPsec. The forwarding for the DNS names in the intranet connected via OpenVPN works great - the names are resolved as expected. However, this is not the case with the names for the other (IPsec-based) connection.

The problem is that the router itself can send traffic into the OpenVPN tunnel but cannot send into the IPsec tunnel (devices behind the router can communicate with both intranets without problems). I verified this using PING from the router. No firewall rules are configured to prevent this. I suppose this may be caused by the fact that the OpenVPN tunnel is a Point-to-Point tunnel and in the routing table the remote subnet is routed via the OpenVPN interface (ovpns1). No such entry exists for the IPsec subnet - it is routed via the WAN, which is kind of awkward but works for devices behind the router. Is there a way to enable the router itself to send packets into the IPsec tunnel like with OpenVPN? Maybe it's a BSD issue, not OPNsense, but anyway. Actually, OpenVPN is so much easier and flawless than IPsec, I'd always prefer to use it, but unfortunately it all depends on the other endpoint...

Push...

Facing the same issue, I've temporarily solved it as follows:


  • Create a gateway with the internal firewall IP (e.g. called "SELF")
  • In the Settings: General section, where you configure the OPNsense DNS server, select the configured gateway as gateway to access the corresponding DNS server

It's not really a clean solution, since now each connection to the DNS server via the firewall (also access from within the LAN) will result in one loop-routing hop, which looks like:

Code (OPNsense: 10.2.0.1/16, remote DNS: 10.1.1.1, Ping from 10.2.1.0/24)
% ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
From 10.2.0.1: icmp_seq=1 Redirect Host(New nexthop: 10.1.1.1)
From 10.2.0.1 icmp_seq=1 Redirect Host
64 bytes from 10.1.1.1: icmp_seq=1 ttl=126 time=111 ms


Any other (clean) solutions?
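An added illustration (not code from this thread or from OPNsense) of why the "SELF" gateway workaround above helps: it assumes a policy-based IPsec setup, where the kernel only encapsulates a packet whose source and destination both fall inside a Phase 2 selector pair, so a packet the router sources from its WAN address never matches while one sourced from the internal address does. The addresses 10.2.0.0/16, 10.2.0.1 and 10.1.1.1 come from the thread; the WAN address 203.0.113.5 and the remote Phase 2 network 10.1.0.0/16 are assumed.

```python
from ipaddress import ip_address, ip_network

# Phase 2 traffic selectors as (local_network, remote_network).
# Local side from the thread; remote network is an assumed value.
PHASE2 = [(ip_network("10.2.0.0/16"), ip_network("10.1.0.0/16"))]


def matching_policy(src, dst, policies=PHASE2):
    """Return the (local, remote) selector pair that would encapsulate a
    packet src -> dst, or None when it would leave the box in the clear."""
    s, d = ip_address(src), ip_address(dst)
    for local_net, remote_net in policies:
        if s in local_net and d in remote_net:
            return (local_net, remote_net)
    return None


def pick_source(dst, candidates, policies=PHASE2):
    """First candidate source address from which a packet to dst matches a
    selector, or None. The gateway workaround in the reply effectively does
    this by hand: it makes DNS queries leave from the firewall's internal
    address (10.2.0.1) instead of the WAN address the route lookup picks."""
    for src in candidates:
        if matching_policy(src, dst, policies) is not None:
            return src
    return None


if __name__ == "__main__":
    # A LAN host behind the router: matches the selector, gets encapsulated.
    print(matching_policy("10.2.1.10", "10.1.1.1"))
    # The router itself, sourced from the (assumed) WAN address: no match.
    print(matching_policy("203.0.113.5", "10.1.1.1"))
    # Router traffic sourced from the internal address: matches again.
    print(pick_source("10.1.1.1", ["203.0.113.5", "10.2.0.1"]))
```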