Topic: IPsec | VPN Client Connection to more than 1 subnet - possible? (Read 5971 times)
RainerR
Newbie
Posts: 13
Karma: 2
IPsec | VPN Client Connection to more than 1 subnet - possible?
« on: October 07, 2017, 02:35:15 am »
Hello Community.
First of all, here are the key facts of my project:
LAB installation for testing purposes
2 OPNsense 17.7.5 Hardware Boxes in a Carp Cluster
Configured services in OPNsense are:
DHCP
Unbound DNS
Web Proxy
Network segmentation into 8 subnetworks via VLAN
An interface is configured for each VLAN (local and VIP)
Access to the subnets is controlled by appropriate firewall rules
IPsec Road Warrior VPN is configured (VIP WAN interface)
Client type is the Cisco IPSec VPN integrated in Mac OS High Sierra
Via IPsec I can easily access a subnet
The public IPv4 is provided via DynDNS
The OPNsense Carp Cluster is behind a router that forwards ports 500 and 4500 UDP to the VIP of the Carp Cluster.
After I have enticed the reader of this post to continue reading, here is the essential information about what I want to configure.
Basically, my configuration works without any problems and has been in operation for about a year.
What exactly does this mean and what does it have to do with the subject of this post?
Right, now it's getting exciting. Currently I can access a subnet via IPsec VPN without any problems.
However, I would like to extend the access to several subnets.
That's the point where I can't move on.
I searched the forum, read the documentation, found some hints, but couldn't find a solution.
Now I have landed in the FUBA (fiddling and tinkering) mode and tested various settings of the IPsec tunnels and the mobile client configuration - so far without success.
Lastly, I had the idea to configure a separate phase-2 entry for each subnet, but that didn't work either.
It would be damn cool if any of you had a solution to my problem.
It would also be cool if someone could tell me if what I'm planning to do is technically possible or not.
Every hint is more than welcome to leave FUBA mode.
If you don't want to answer in English, I am a native German speaker and you can also answer me in German.
Depending on how this post develops, I can write a summary in English and/or German so that other searchers can also benefit from the result.
Best regards,
Rainer.
Logged
mimugmail
Hero Member
Posts: 6756
Karma: 494
Re: IPsec | VPN Client Connection to more than 1 subnet - possible?
« Reply #1 on: October 07, 2017, 06:22:02 am »
You could use 0.0.0.0/0 to tunnel everything through VPN or use OpenVPN for this.
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
bartjsmit
Hero Member
Posts: 1980
Karma: 193
Re: IPsec | VPN Client Connection to more than 1 subnet - possible?
« Reply #2 on: October 07, 2017, 08:59:07 am »
Large organisations route entire offices through IPSec tunnels, both ways. Your chances of success are excellent.
Your client subnet needs to know a route to the remote subnets and they need to know a route back. If the IPSec routers are not the default gateway on each side, you'll need static routes.
Make sure ICMP is allowed everywhere and do traffic captures to follow the trail through your network. This post will guide you:
https://forum.ivorde.com/tcpdump-how-to-to-capture-only-icmp-ping-echo-requests-t15191.html
Bart...
Logged
franco
Administrator
Hero Member
Posts: 17473
Karma: 1587
Re: IPsec | VPN Client Connection to more than 1 subnet - possible?
« Reply #3 on: October 09, 2017, 11:33:43 pm »
Spanning your IPsec over a large network (up to 0.0.0.0/0 meaning all) works as Michael described, and what Bart said about routing through IPsec is also true as long as you make sure to add proper gateways between your IPsec peers, because if you simply try to reach through a tunnel out of its network mask bounds it will fail as security policies allow it, which is what the former approach works around by extending the bounds.
Another way is to use the advanced settings in phase 2 since OPNsense 17.7.1 and add your manual SPD network entries, a sort of ACL for attached networks, that you allow IPsec to route to even though they are not strictly part of your setup. Well, after adding them they are.
Cheers,
Franco
Logged
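The three replies above all come down to the same mechanism: a packet only enters the tunnel when both its source and destination fall inside some phase 2 traffic selector (the SPD entry), so a client whose only policy covers one VLAN cannot reach the other seven, while a 0.0.0.0/0 selector or one SPD entry per subnet covers them all. The following is an added example, not code from OPNsense or from any of the posters, that simulates that policy lookup over a constructed eight-VLAN layout (10.10.1.0/24 to 10.10.8.0/24, road-warrior pool 10.99.0.0/24) so the three configurations can be compared before touching a live box; the subnet numbers, policy names and the `Policy`/`lookup`/`unreachable` helpers are all assumptions of this example.

```python
"""Simulate IPsec SPD (security policy database) traffic-selector lookups.

Added example for the thread above; not OPNsense or strongSwan code.
Semantics: a packet src->dst is tunnelled only if some phase 2 policy has
src inside its local selector AND dst inside its remote selector. Anything
else is handled outside the tunnel, so the remote subnet is unreachable.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """One phase 2 entry: local (client-side) and remote (gateway-side) selector."""
    local_ts: IPv4Network
    remote_ts: IPv4Network
    name: str = ""


# Constructed lab layout, loosely modelled on the poster's eight VLANs.
CLIENT_POOL = ip_network("10.99.0.0/24")          # virtual IPs handed to road warriors
VLANS = [f"10.10.{i}.0/24" for i in range(1, 9)]  # eight internal subnets

# Configuration A: a single phase 2 covering only VLAN 1 (the poster's situation).
SINGLE = [Policy(CLIENT_POOL, ip_network(VLANS[0]), "vlan1")]

# Configuration B: one phase 2 with 0.0.0.0/0 as the remote selector (mimugmail's tip).
ALL_TRAFFIC = [Policy(CLIENT_POOL, ip_network("0.0.0.0/0"), "everything")]

# Configuration C: one SPD entry per VLAN (franco's manual SPD entries / per-subnet phase 2).
PER_VLAN = [Policy(CLIENT_POOL, ip_network(n), f"vlan{i}")
            for i, n in enumerate(VLANS, start=1)]


def lookup(policies: list[Policy], src: str, dst: str) -> Policy | None:
    """Return the most specific policy whose selectors cover src->dst, or None.

    Most specific = longest remote prefix, then longest local prefix, which is
    how a kernel SPD resolves overlapping selectors (e.g. 0.0.0.0/0 vs a /24).
    """
    s, d = ip_address(src), ip_address(dst)
    matches = [p for p in policies if s in p.local_ts and d in p.remote_ts]
    if not matches:
        return None
    return max(matches, key=lambda p: (p.remote_ts.prefixlen, p.local_ts.prefixlen))


def unreachable(policies: list[Policy], client_addr: str, subnets: list[str]) -> list[str]:
    """List the internal subnets that no policy fully covers for this client.

    A subnet counts as covered only if it lies entirely inside a remote selector
    whose local selector contains the client's address; partial overlap would
    leave some hosts in the subnet outside the tunnel.
    """
    c = ip_address(client_addr)
    return [n for n in subnets
            if not any(c in p.local_ts and ip_network(n).subnet_of(p.remote_ts)
                       for p in policies)]


if __name__ == "__main__":
    client = "10.99.0.5"
    for label, cfg in (("single VLAN", SINGLE), ("0.0.0.0/0", ALL_TRAFFIC), ("per VLAN", PER_VLAN)):
        hit = lookup(cfg, client, "10.10.3.20")
        print(f"{label:12s} 10.10.3.20 -> {hit.name if hit else 'NO POLICY (dropped/bypassed)'}; "
              f"unreachable: {unreachable(cfg, client, VLANS) or 'none'}")
```

Running it shows that configuration A leaves seven of the eight VLANs unreachable, while B and C cover all of them; the difference between B and C is only what else the client sends through the tunnel, since with 0.0.0.0/0 every packet from the client, including Internet traffic, is policy-matched and therefore relies on the gateway to route or NAT it onward.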