OPNsense Forum

English Forums => Virtual private networks => Topic started by: jimjohn on April 30, 2021, 12:42:19 pm

Title: Additional VPN using existing IPsec Tunnel
Post by: jimjohn on April 30, 2021, 12:42:19 pm
Hi all,

As you can see in the attached screenshot, I have two locations being coupled by an IPsec Tunnel which is managed by the router. Each location has an OPNsense appliance, which is not directly exposed to the internet.

I have LAN-LAN coupling already, which works okay. Now I want to enable a cross-access from DMZ_1 to BKP_2 and vice-versa, whereas "DMZ" is actually not reachable from the internet but still behind the VPN of the router. Nothing should be exposed to the internet, except the encrypted VPN traffic.

What would be the best approach to achieve this?

BTW: I probably would use 172.X.X.X IPs for the VPN tunnel just to have a clearer separation for easier administration.

Thanks for your tips in advance!

Title: Re: Additional VPN using existing IPsec Tunnel
Post by: jimjohn on May 04, 2021, 11:29:49 am
Anyone?  :(

Title: Re: Additional VPN using existing IPsec Tunnel
Post by: Patrick M. Hausen on May 04, 2021, 12:07:42 pm
Just add the subnets as an additional phase 2 entry. With both gateways being OPNsense there should not be anything extra to configure, although "Tunnel Isolation" in phase 1 might be necessary - I honestly don't know.
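As an added illustration of the "additional phase 2 entry" approach (this is not from the thread or from OPNsense itself), here is what an OPNsense-to-OPNsense IKEv2 connection with two child SAs looks like in the strongSwan swanctl.conf syntax that OPNsense's IPsec backend is built on; the peer addresses, identities, subnets and secret are constructed placeholders, and the DMZ_1/BKP_2 subnets follow the 172.x idea from the first post.

```conf
# Added example: one IKEv2 connection (phase 1) carrying two child SAs (phase 2).
# All addresses, identities, subnets and the secret below are constructed placeholders.
connections {
    site-a-to-site-b {
        version = 2
        local_addrs  = 198.51.100.10    # OPNsense A (behind router A)
        remote_addrs = 203.0.113.10     # OPNsense B (behind router B)
        proposals = aes256-sha256-ecp256
        local {
            auth = psk
            id = opnsense-a
        }
        remote {
            auth = psk
            id = opnsense-b
        }
        children {
            # Existing LAN <=> LAN phase 2
            lan-lan {
                local_ts  = 192.168.1.0/24
                remote_ts = 192.168.2.0/24
                esp_proposals = aes256gcm16-ecp256
                start_action = trap
            }
            # New DMZ_1 <=> BKP_2 phase 2: its own traffic selectors and,
            # as with every IKEv2 child SA, its own ESP keying material.
            dmz-bkp {
                local_ts  = 172.16.1.0/24
                remote_ts = 172.16.2.0/24
                esp_proposals = aes256gcm16-ecp256
                start_action = trap
            }
        }
    }
}

secrets {
    ike-site-b {
        id = opnsense-b
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"
    }
}
```

In the OPNsense GUI the same result comes from adding a second Phase 2 under the existing Phase 1; in either case the firewall rules on the IPsec interface still decide which DMZ_1/BKP_2 traffic is actually permitted through the new selectors.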

Title: Re: Additional VPN using existing IPsec Tunnel
Post by: jimjohn on May 04, 2021, 12:08:34 pm
Thanks for your answer. Would you use IPsec or OpenVPN, and why?

Title: Re: Additional VPN using existing IPsec Tunnel
Post by: Patrick M. Hausen on May 04, 2021, 01:01:56 pm
You have an established IPsec tunnel and want to route additional subnets. Why would you use anything else just for those?

Title: Re: Additional VPN using existing IPsec Tunnel
Post by: jimjohn on May 04, 2021, 04:09:15 pm
The topology above is simplified. There are other devices outside the "control" of the OPNsense directly attached to either router. Because this IPsec tunnel is used by "not trustworthy" devices, such as smartphones etc., and by multiple users in the net "above" the OPNsense, I want to have an OPNsense <=> OPNsense VPN tunnel which is one layer below the router's. Plus, I do not want to expose the OPNsenses directly to the internet, because that would mean an additional port forward on either router, which I'd like to avoid as well.

Example: traffic is encrypted transport-wise by the IPsec tunnel of the router from router (A) to router (B). So far so good. But if I regard both the router and / or devices in the router's subnet as "not trustworthy", I need to have a second level of encryption between the OPNsenses to completely separate the communication of DMZ <=> BKP.