IPSEC overlaps

[dragon2611]

Opnsense doesn't seem to handle IPSEC overlapping PH2 very well compared with pfSense and most other platforms I've used which seems to be fine with it.

For instance say I have

192.168.1.0/24 > 10.0.0.0/8 in one tunnel with it's own PH1/PH2

Then in a separate tunnel i have

192.168.1.0/24 > 10.1.0.0/24 with it's own PH1 and PH2

I'd expect the more specific PH2 to match (I.e the /24 as that's a more specific route than /8) but it looks like it's just whatever is the highest connection in the list (E.g Con1)

[dragon2611]

Bump

Any ideas?

[franco]

Hi dragon,

First of all sorry, a bit busy behind the scenes in prep for 17.1.

If pfSense handles this better it can only be the management code / config write code. I am unsure where to look exactly. Is this a problem in the strongswan configs, do you happen to know?


Cheers,
Franco

[dragon2611]

No Idea, but if I get a chance I might be able to go have a look later.

Can't get into that box at the moment as I'm remote and it looks like either ovpn or opnsense has fallen over (It dropped out and won't reconnect)

Worst part of that Is I do have OVPN roadwarrior setup on my other opnsense install at the other site but I haven't got the config/certs for that on this laptop, something I need to fix when I get home.

Edit: For clarity I use IPSEC for site2site and OVPN for roadwarrior (Laptop/mobile.etc)

[franco]

Hi dragon,

Alright, that would be very helpful.


Cheers,
Franco

[dragon2611]

Sent you a PM, hope you don't mind but I'd prefer not to just post the entire IPSEC config to the whole forum.

tbh not sure how useful it is because to make the config the same I'd have to revert the changes I made to work around the problem (I.e I removed the /8 and put more specific routes in and set tunnel isolation)