  • OPNsense Forum »
  • Archive »
  • 16.7 Legacy Series »
  • IPSEC overlaps

Author Topic: IPSEC overlaps  (Read 3604 times)

dragon2611
IPSEC overlaps
« on: December 29, 2016, 03:41:14 pm »
Opnsense doesn't seem to handle IPSEC overlapping PH2 very well compared with pfSense and most other platforms I've used, which seem to be fine with it.

For instance say I have

192.168.1.0/24 > 10.0.0.0/8 in one tunnel with its own PH1/PH2

Then in a separate tunnel I have

192.168.1.0/24 > 10.1.0.0/24 with its own PH1 and PH2

I'd expect the more specific PH2 to match (i.e. the /24, as that's a more specific route than the /8) but it looks like it's just whatever is the highest connection in the list (e.g. Con1)

dragon2611
Re: IPSEC overlaps
« Reply #1 on: January 04, 2017, 09:21:35 am »
Bump

Any ideas?

franco
Re: IPSEC overlaps
« Reply #2 on: January 04, 2017, 03:54:30 pm »
Hi dragon,

First of all sorry, a bit busy behind the scenes in prep for 17.1.

If pfSense handles this better it can only be the management code / config write code. I am unsure where to look exactly. Is this a problem in the strongswan configs, do you happen to know?


Cheers,
Franco

dragon2611
Re: IPSEC overlaps
« Reply #3 on: January 04, 2017, 04:09:14 pm »
No idea, but if I get a chance I might be able to go have a look later.

Can't get into that box at the moment as I'm remote and it looks like either ovpn or opnsense has fallen over (it dropped out and won't reconnect).

Worst part of that is I do have OVPN roadwarrior setup on my other opnsense install at the other site, but I haven't got the config/certs for that on this laptop, something I need to fix when I get home.

Edit: For clarity, I use IPSEC for site2site and OVPN for roadwarrior (laptop/mobile, etc.)

franco
Re: IPSEC overlaps
« Reply #4 on: January 04, 2017, 04:41:27 pm »
Hi dragon,

Alright, that would be very helpful. :)


Cheers,
Franco

dragon2611
Re: IPSEC overlaps
« Reply #5 on: January 04, 2017, 06:45:37 pm »
Sent you a PM, hope you don't mind but I'd prefer not to just post the entire IPSEC config to the whole forum.

tbh not sure how useful it is because to make the config the same I'd have to revert the changes I made to work around the problem (i.e. I removed the /8, put more specific routes in and set tunnel isolation)

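Added example, not part of the thread and not OPNsense or strongSwan code: a small Python check over the two phase-2 selectors from the opening post (con1 with the /8, con2 with the /24) that contrasts an ordered first-match policy lookup with a most-specific lookup, and flags a narrower policy that sits below a broader one covering it. This is the condition the reply #5 workaround (dropping the /8 in favour of more specific selectors) removes. The `conN: local > remote` line notation and the connection names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

@dataclass(frozen=True)
class Phase2:
    conn: str            # connection label, e.g. "con1" (constructed)
    local: IPv4Network   # local traffic selector
    remote: IPv4Network  # remote traffic selector

def parse_phase2(spec: str) -> Phase2:
    """Parse one 'conN: local > remote' line (constructed notation, not OPNsense's)."""
    conn, selectors = spec.split(":", 1)
    local, remote = (s.strip() for s in selectors.split(">"))
    return Phase2(conn.strip(), ip_network(local), ip_network(remote))

def _matching(policies, src: str, dst: str):
    s, d = ip_address(src), ip_address(dst)
    return [p for p in policies if s in p.local and d in p.remote]

def first_match(policies, src: str, dst: str):
    """Ordered lookup: the first configured policy covering src->dst wins."""
    hits = _matching(policies, src, dst)
    return hits[0] if hits else None

def most_specific(policies, src: str, dst: str):
    """Longest-prefix lookup: the narrowest remote (then local) selector wins."""
    return max(_matching(policies, src, dst),
               key=lambda p: (p.remote.prefixlen, p.local.prefixlen), default=None)

def shadowed(policies):
    """(narrow, broad) pairs where a later, narrower policy can never win under first-match."""
    found = []
    for i, narrow in enumerate(policies):
        for broad in policies[:i]:
            if narrow.local.subnet_of(broad.local) and narrow.remote.subnet_of(broad.remote):
                found.append((narrow.conn, broad.conn))
                break
    return found

# Constructed sample mirroring the thread: con1 carries the /8, con2 the more specific /24.
POLICIES = [parse_phase2(s) for s in (
    "con1: 192.168.1.0/24 > 10.0.0.0/8",
    "con2: 192.168.1.0/24 > 10.1.0.0/24",
)]
if __name__ == "__main__":
    src, dst = "192.168.1.10", "10.1.0.5"
    print("first-match   :", first_match(POLICIES, src, dst).conn)
    print("most-specific :", most_specific(POLICIES, src, dst).conn)
    print("shadowed      :", shadowed(POLICIES))
```

Reversing the list (or narrowing the /8) makes `shadowed()` return nothing and the two lookups agree, which is the configuration an operator wants to end up with.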

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved