Author Topic: IPSEC Site to Site VPN  (Read 4810 times)

WallaceTechUK

IPSEC Site to Site VPN
« on: September 19, 2017, 11:46:19 am »
Hi Guys.

Hope someone can push me in the right direction. I have two OPNsense servers at two separate locations. For example I have

Site A
Subnet 192.168.1.0
Subnet 192.168.2.0
Subnet 192.168.3.0

Site B
Subnet 192.168.4.0
Subnet 192.168.5.0
Subnet 192.168.6.0

Now I have followed the example in the Wiki, see https://wiki.opnsense.org/manual/how-tos/ipsec-s2s.html?highlight=vpn

I can start the VPN and I can pass traffic from 192.168.1.0 to 192.168.4.0 back and forth. Is there something I am missing to allow multiple subnets to be used as part of Phase 2?

Please let me know if you require any more info from me.

Thanks in advance.

nicovell3

Re: IPSEC Site to Site VPN
« Reply #1 on: September 19, 2017, 12:19:47 pm »
Hi,

At my company we have two Phase 2 entries. You can have as many Phase 2 entries for each Phase 1 as you want.

Regards.

franco

Re: IPSEC Site to Site VPN
« Reply #2 on: September 19, 2017, 12:49:05 pm »
In IKEv2 mode, all Phase 2 entries are meshed together unless the tunnel isolation mode is set.

So nicovell3 is right, just add multiple Phase 2 entries to your Phase 1 and that's it.

You could also make the netmask wider, but it may clash with your general network layout: 192.168.0.0/16.


Cheers,
Franco

WallaceTechUK

Re: IPSEC Site to Site VPN
« Reply #3 on: September 19, 2017, 01:44:27 pm »
Thanks for the replies chaps.

I have added multiple subnets to the Phase 2 but the issue I am facing is that none of them work apart from the subnet that the OPNsense servers are on.

Craig

WallaceTechUK

Re: IPSEC Site to Site VPN
« Reply #4 on: September 19, 2017, 04:47:41 pm »
Ok, so I have this working.

On the Phase 2 setup, the Local Network was set to LAN Net as per the documentation. What I have done is change this from LAN Net to Network and specified the LAN subnet.

Example

Local Network
Type = Network
Address = 192.168.1.0/24

Remote Network
Type = Network
Address = 192.168.4.0/24

I can now see both networks from both sides.

Thanks again for your time to reply earlier.

WallaceTechUK

Re: IPSEC Site to Site VPN
« Reply #5 on: September 19, 2017, 05:28:52 pm »
Scrap the above message. I thought this was working but it's not.

WallaceTechUK

Re: IPSEC Site to Site VPN
« Reply #6 on: September 19, 2017, 05:57:03 pm »
Ok. So I am half way there. I can ping from one side of the tunnel but not the other.

Site A

Ping 192.168.4.0 Reply Timed Out from 192.168.1.0

Site B

Ping 192.168.1.0 Reply Received from 192.168.4.0

Any ideas? I have checked the config on both OPNsense servers and they are the same. I must be missing something as the tunnel is up and I can ping from one site.

Any ideas?

nicovell3

Re: IPSEC Site to Site VPN
« Reply #7 on: September 19, 2017, 06:19:34 pm »
Hi,

Maybe you aren't allowing some part of the traffic? You could place a tcpdump on each enc0 interface (this is the ipsec interface) and see if every packet is being routed through the tunnel.

Good luck!
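Franco's point that IKEv2 Phase 2 entries are meshed, and the one-way ping in reply #6, can both be checked on paper before reaching for tcpdump: every (local, remote) selector pair on one side needs a mirrored (remote, local) pair on the other, or traffic for the unmirrored pair is dropped by the peer. The script below is an added example, not code from the thread or from OPNsense; the two site configurations are constructed, with Site B deliberately missing two of the three remote networks.

```python
from ipaddress import ip_address, ip_network

# Constructed Phase 2 configurations (not from the thread): Site B only lists
# 192.168.1.0/24 as a remote network, so 192.168.2.0/24 and 192.168.3.0/24
# have no mirrored selector on that side.
SITE_A = {"local": ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"],
          "remote": ["192.168.4.0/24", "192.168.5.0/24", "192.168.6.0/24"]}
SITE_B = {"local": ["192.168.4.0/24", "192.168.5.0/24", "192.168.6.0/24"],
          "remote": ["192.168.1.0/24"]}


def mesh(site):
    """Meshed Phase 2 selectors: every local net paired with every remote net."""
    return {(ip_network(l), ip_network(r))
            for l in site["local"] for r in site["remote"]}


def covering_selector(selectors, src, dst):
    """Return the (local, remote) selector that would carry src -> dst, or None."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in selectors:
        if s in local and d in remote:
            return (str(local), str(remote))
    return None


def mirror_gaps(site_a, site_b):
    """Selectors each side still needs so that both meshes mirror each other.

    Returns (needed_on_b, needed_on_a) as lists of (local, remote) strings.
    """
    a, b = mesh(site_a), mesh(site_b)
    needed_on_b = sorted((str(r), str(l)) for l, r in a if (r, l) not in b)
    needed_on_a = sorted((str(r), str(l)) for l, r in b if (r, l) not in a)
    return needed_on_b, needed_on_a


if __name__ == "__main__":
    print("A->B 192.168.2.10 -> 192.168.4.10 matches on A:",
          covering_selector(mesh(SITE_A), "192.168.2.10", "192.168.4.10"))
    print("B->A reply 192.168.4.10 -> 192.168.2.10 matches on B:",
          covering_selector(mesh(SITE_B), "192.168.4.10", "192.168.2.10"))
    need_b, need_a = mirror_gaps(SITE_A, SITE_B)
    for local, remote in need_b:
        print(f"Site B is missing Phase 2: local {local} remote {remote}")
    for local, remote in need_a:
        print(f"Site A is missing Phase 2: local {local} remote {remote}")
```

If the meshes already mirror each other and traffic still only flows one way, the remaining suspects are the firewall rules on each side's IPsec interface, which is where the tcpdump on enc0 suggested above shows whether packets arrive and get answered.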