OPNsense Forum

English Forums => General Discussion => Topic started by: vgsinno on April 10, 2024, 11:14:10 am

Title: VXLAN setup with IPsec same IP subnet
Post by: vgsinno on April 10, 2024, 11:14:10 am
Hi all,

I am trying to build a VPN tunnel with IPsec and VXLAN between 2 locations and bridge the same IP subnet on both sides.
At first I built a configuration like the one below and it worked just fine.

[PC 192.168.1.2]<->[192.168.1.1/24 Bridge OPT1+VxLAN][OPNsense A][OPT2 10.1.0.2/16]<->{ ipsec tunnel}-INTERNET-{ipsec tunnel}-[10.2.0.2/16 OPT2][OPNsense B][192.168.2.1/24 Bridge OPT1+VxLAN]<->[PC 192.168.2.2]

Then I followed the instructions in "Reply #4": https://forum.opnsense.org/index.php?topic=37182.msg182040#msg182040

[PC 192.168.1.3]<->[192.168.1.1/24 Bridge OPT1+VxLAN][OPNsense A][OPT2 10.1.0.2/16]<->{ ipsec tunnel}-INTERNET-{ipsec tunnel}-[10.2.0.2/16 OPT2][OPNsense B][192.168.1.2/24 Bridge OPT1+VxLAN]<->[PC 192.168.1.4]

It didn't work.

VxLAN edited like this on A:
Source address: 10.1.0.2
Remote address: 10.2.0.2

Hypervisor: Proxmox

Now I have a few questions:

1.
or doesn't matter?

2. Does OPNsense support such a configuration? If yes, where is the mistake, or where did I forget something?

Thanks :)
Title: Re: VXLAN setup with IPsec same IP subnet
Post by: Saverio Loiacono on April 29, 2024, 05:02:56 pm
I have the same problem.

Does OPNsense support this configuration?


Thanks
Title: Re: VXLAN setup with IPsec same IP subnet
Post by: Monviech on April 29, 2024, 05:25:52 pm
Yeah you can do it easily with ipsec and a small trick.

- Create loopback interfaces on both sides.
- Create a policy based IPsec tunnel between the loopback interfaces.
- Create the vxlan interfaces and make them use the loopback interfaces to connect with each other over the ipsec tunnel.
- Adjust the MTU and MSS because vxlan and ipsec create protocol overhead.
- Bridge the vxlan interfaces and the LAN interfaces, and use that bridge assigned to an interface. The tutorial on how to create a transparent filtering bridge helps here.

With a setup like that I have connected OPNsenses with vxlan, but also created Raspberry Pis that bridged the LAN of the main OPNsense directly out of their ports. So it's all doable with some effort and tests. :)
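
A worked budget for the MTU/MSS step in the reply above, as an added example that is not part of the original post or of OPNsense: it computes how much room is left for the bridged LAN once VXLAN runs inside a tunnel-mode ESP tunnel, and goes beyond the thread by also covering NAT-T. It assumes IPv4 outer headers, an untagged inner frame and two illustrative cipher suites (the thread does not say which were used); all function and variable names are hypothetical.

```python
"""Added example: MTU/MSS budget for VXLAN carried inside an ESP tunnel (IPv4)."""
from dataclasses import dataclass

IPV4, UDP, TCP = 20, 8, 20
ESP_HEADER = 8        # SPI + sequence number
ESP_TRAILER = 2       # pad length + next header
VXLAN_HEADER = 8
INNER_ETHERNET = 14   # untagged inner frame header carried by VXLAN


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv: int      # per-packet IV bytes
    icv: int     # integrity check value bytes
    align: int   # ciphertext length must be a multiple of this


# Assumed suites for illustration; use the values of the proposal actually negotiated.
AES_CBC_SHA256 = EspSuite("aes256-sha256", iv=16, icv=16, align=16)
AES_GCM_16 = EspSuite("aes256gcm16", iv=8, icv=16, align=4)


def esp_inner_mtu(wan_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest inner IP packet that fits in one tunnel-mode ESP packet."""
    room = wan_mtu - IPV4 - (UDP if nat_t else 0) - ESP_HEADER - suite.iv - suite.icv
    ciphertext = room - room % suite.align  # padding rounds up, so round the budget down
    return ciphertext - ESP_TRAILER


def vxlan_mtu(underlay_mtu: int) -> int:
    """MTU for the vxlan interface (and the bridge) on top of that underlay."""
    return underlay_mtu - IPV4 - UDP - VXLAN_HEADER - INNER_ETHERNET


def plan(wan_mtu: int, suite: EspSuite, nat_t: bool = False) -> dict:
    """Return the ESP payload budget, the vxlan/bridge MTU and the TCP MSS clamp."""
    inner = esp_inner_mtu(wan_mtu, suite, nat_t)
    mtu = vxlan_mtu(inner)
    mss = mtu - IPV4 - TCP
    if mss <= 0:
        raise ValueError(f"WAN MTU {wan_mtu} leaves no room for bridged TCP traffic")
    return {"esp_inner_mtu": inner, "vxlan_mtu": mtu, "tcp_mss": mss}


if __name__ == "__main__":
    for suite in (AES_CBC_SHA256, AES_GCM_16):
        for nat_t in (False, True):
            print(suite.name, "nat-t" if nat_t else "no nat-t", plan(1500, suite, nat_t))
```

A bridge MTU or MSS clamp larger than the computed values forces fragmentation of the ESP packets or silent drops where path MTU discovery is filtered.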
Title: Re: VXLAN setup with IPsec same IP subnet
Post by: vgsinno on May 06, 2024, 03:50:20 pm

Finally !!!

thank you so much it worked ;D
Title: Re: VXLAN setup with IPsec same IP subnet
Post by: muchacha_grande on May 08, 2024, 07:03:47 pm
Hi, Monviech,
you pointed out something interesting that I'd like to investigate. The Raspberry Pis bridged with OPNsense.
Thank you for raising this.
Title: Re: VXLAN setup with IPsec same IP subnet
Post by: Monviech on May 08, 2024, 07:08:40 pm
I have used CM4 with Waveshare 2 port boards. That worked really well, really good performance too, I think I got around 600mbit/s.
Title: Re: VXLAN setup with IPsec same IP subnet
Post by: muchacha_grande on May 08, 2024, 07:39:03 pm
Did you use OPNsense for RPi4 or some other router such as OpenWRT?
Title: Re: VXLAN setup with IPsec same IP subnet
Post by: Monviech on May 08, 2024, 07:41:20 pm
No, I just used Ubuntu.
Title: Re: VXLAN setup with IPsec same IP subnet
Post by: muchacha_grande on May 08, 2024, 07:44:24 pm
Excellent, thank you and cheers...