First, thank you for making such a fantastic firewall, keeping it updated, and enabling so many capabilities with it.
There's one function provided that I have been unable to get working as intended - IPSec Road-Warrior with Tunneled Internet Access.
I want mobile devices, including laptops, tablets, and phones, to be able to connect using IPSec VPN and have access to both the internal network [LAN] and route all internet traffic through the VPN [WAN]. So far I can get very effective access to the internal network [LAN], but depending on settings will either get non-tunneled access to the internet, or no access to the internet.
This seems to be a recurring issue, as resource [2] outlines the exact problem I'm currently having. Unfortunately, I've attempted to implement all of the steps shown, including creation of a manual NAT rule for IPSec routing to no avail.
Following the Road-Warrior guide in resource [1], I'm able to connect to the internal network but the connection to any internet site is not routed through the VPN. Previous forum postings [3] and [4] show similar issues, while [2] and [5] provide guidance on how to resolve. Unfortunately, none of this is working for me.
My ipsec.conf file is configured with (obscuring actual hostname):
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
conn con1
    aggressive = no
    fragmentation = yes
    keyexchange = ikev2
    mobike = yes
    reauth = yes
    rekey = yes
    forceencaps = no
    installpolicy = yes
    type = tunnel
    left = %any
    right = %any
    leftid = my.personal.domain
    ikelifetime = 1440s
    lifetime = 1440s
    # address pool handed to road-warrior clients
    rightsourceip = 192.168.2.0/24
    ike = aes256-sha256-modp2048!
    leftauth = pubkey
    rightauth = eap-radius
    rightsendcert = never
    eap_identity = %any
    leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
    leftsendcert = always
    # 0.0.0.0/0 offered as the local traffic selector, i.e. full tunnel
    leftsubnet = 0.0.0.0/0
    esp = aes256-sha256-modp2048!
    auto = add
include ipsec.opnsense.d/*.conf
Finding local domains seems to work fine. Using Unbound DNS I have an override for the OPNsense domain name (my.personal.domain in ipsec.conf) which redirects to the local IP. This lets me use LetsEncrypt on the OPNsense web interface. Pointing a VPN-connected client to my.personal.domain brings up the OPNsense web interface, which is only accessible on LAN. Unfortunately, attempting to access any other domain results in a timeout.
I've tried following the guidance in [2] and [5] below, but without success. If anyone can help, please let me know. I'm happy to provide additional configuration details as needed.
Thanks in advance!
Online resources used:
1: https://docs.opnsense.org/manual/how-tos/ipsec-road.html
2: https://forum.opnsense.org/index.php?topic=11340.0
3: https://forum.opnsense.org/index.php?topic=6842.0
4: https://forum.opnsense.org/index.php?topic=7341.0
5: https://forum.opnsense.org/index.php?topic=9478.0
Have you been contacted by OPNsense development regarding this flaw?
Ted Quade
Please contact us at https://github.com/opnsense/core/issues/new/choose ;)
Cheers,
Franco
I have switched to an alternate product and will not be pursuing this any further with OPNsense.
Ted Quade
Okay, thanks for your cooperation. ;)
Cheers,
Franco
Thanks for replying. I'm still using OPNsense, and satisfied with everything except the IPSec functionality. I'll open a bug report on GitHub, thank you for the link.
I've continued to try troubleshooting this, but to no avail. As I'll note on GitHub, I'm happy to share whatever config files/logs are needed to help resolve.
Users in another thread identified the key Firewall entry that was causing my issue:
https://forum.opnsense.org/index.php?topic=14625.0
The fix was to have a Firewall Rule for IPSec that allows traffic to ANY. Previously, I had separate entries for LAN and WAN.
Protocol   Source   Port   Destination   Port   Gateway   Schedule   Description
IPv4 *     *        *      *             *      *         *          Allow IPSec traffic to ANY
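The following is an added example, written for this thread and not code from OPNsense or from any of the posters. It models the two things the thread turns on: the posted ipsec.conf, where leftsubnet = 0.0.0.0/0 makes the server offer a full tunnel and rightsourceip defines the client pool, and the firewall rules on the IPsec interface, evaluated first-match with pf's implicit default deny. The LAN subnet (192.168.1.0/24) and the WAN interface subnet (203.0.113.0/24) are constructed assumptions; the point they illustrate is that "WAN net" in a rule means only the WAN interface's own subnet, so rules for "LAN net" and "WAN net" never match a client packet bound for an internet address, and the default deny drops it until a rule with destination any exists.

```python
"""
Model of OPNsense/pf rule evaluation for IPsec road-warrior clients.

Constructed for illustration; not OPNsense code. Subnets other than the
client pool taken from the posted ipsec.conf are assumptions.
"""
import ipaddress
import re

# Assumed topology (not from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_NET = ipaddress.ip_network("203.0.113.0/24")  # "WAN net" = WAN interface subnet only
ANY = ipaddress.ip_network("0.0.0.0/0")

# Excerpt of the ipsec.conf posted in the thread (other options omitted).
IPSEC_CONF = """\
conn con1
    keyexchange = ikev2
    rightsourceip = 192.168.2.0/24
    leftsubnet = 0.0.0.0/0
"""


def parse_conn(conf):
    """Collect 'key = value' options from an ipsec.conf conn section."""
    opts = {}
    for line in conf.splitlines():
        m = re.match(r"\s*([A-Za-z_]+)\s*=\s*(\S+)\s*$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def is_full_tunnel(opts):
    """The server offers a full tunnel only if its traffic selector is 0.0.0.0/0."""
    return ipaddress.ip_network(opts["leftsubnet"]) == ANY


def client_pool(opts):
    """Addresses handed to road-warrior clients (rightsourceip)."""
    return ipaddress.ip_network(opts["rightsourceip"])


def evaluate(rules, src, dst):
    """First-match ('quick') evaluation; no match means pf's default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, desc in rules:
        if src in src_net and dst in dst_net:
            return action, desc
    return "block", "default deny (no rule matched)"


POOL = client_pool(parse_conn(IPSEC_CONF))

# Rule set as the poster first had it: separate LAN net and WAN net entries.
RULES_BEFORE = [
    ("pass", POOL, LAN_NET, "IPsec -> LAN net"),
    ("pass", POOL, WAN_NET, "IPsec -> WAN net"),
]

# Rule set after the fix: one pass rule with destination any.
RULES_AFTER = [
    ("pass", POOL, ANY, "Allow IPSec traffic to ANY"),
]


def full_tunnel_ok(rules, client="192.168.2.10", internet_host="8.8.8.8"):
    """True if a pool client can reach an internet host through the firewall."""
    return evaluate(rules, client, internet_host)[0] == "pass"


if __name__ == "__main__":
    print("full tunnel offered by server:", is_full_tunnel(parse_conn(IPSEC_CONF)))
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        for dst in ("192.168.1.5", "203.0.113.5", "8.8.8.8"):
            action, desc = evaluate(rules, "192.168.2.10", dst)
            print(f"{name}: 192.168.2.10 -> {dst}: {action} ({desc})")
```

Running it shows the LAN host and a host on the WAN subnet passing under both rule sets, while 8.8.8.8 is blocked by the default deny before the fix and passes after it. The firewall rule is only half of the path: the pool still needs an outbound NAT entry on WAN (the manual NAT rule mentioned earlier in the thread) so replies from the internet can find their way back to 192.168.2.0/24.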