OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: dmolenkamp on October 22, 2019, 09:44:09 AM

Title: IPsec VPN tunnel between 2 OPNsense firewalls -> One way traffic
Post by: dmolenkamp on October 22, 2019, 09:44:09 AM
Hello,

I have 2 OPNsense firewalls with versions:
OPNsense 19.7.5_5-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2t 10 Sep 2019

On both firewalls I have set up an IPsec VPN tunnel, the tunnel is connected and all working fine but traffic is routing/passing only from one side.

There is one difference in setup, one location has 2 WAN connections (failover group) and the other has only one WAN connection.

Local site: multiple WAN
Remote site: single WAN

Data from remote to local is going fine, but data from local to remote site is not working.
I think the issue is because we have a multi-WAN setup on our site.

I already tried to push the data to the remote subnet from our LAN to the default gateway the VPN is connected on but no luck.

Any help / advice on this one would be great! :-)
Title: Re: IPsec VPN tunnel between 2 OPNsense firewalls -> One way traffic
Post by: mimugmail on October 22, 2019, 10:54:02 AM
Screenshot of Firewall LAN Tab and network definition of both sides please
Title: Re: IPsec VPN tunnel between 2 OPNsense firewalls -> One way traffic
Post by: dmolenkamp on October 22, 2019, 11:30:23 AM
In the attachment you will find 3 screenshots:
- Local site - LAN
- Remote site - LAN
- Remote site - VPN Status

Local LAN: 192.168.1.0/24
Remote LAN: 192.168.5.0/24

I added the rule on the local LAN to allow the network to the remote subnet through the primary gateway but no luck.
Title: Re: IPsec VPN tunnel between 2 OPNsense firewalls -> One way traffic
Post by: mimugmail on October 22, 2019, 01:14:22 PM
Hm, Screenshots look good. Normally it should work ...

Can you check with tcpdump on CLI if packets are routed via WAN and not tunnel?
Title: Re: IPsec VPN tunnel between 2 OPNsense firewalls -> One way traffic
Post by: dmolenkamp on October 22, 2019, 02:50:35 PM
I don't know how to use tcpdump (sorry!), tried to trace from my machine and it goes to my OPNsense and then nothing.

Tracing route to 192.168.5.254 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  OPNsense.maedilon.local [192.168.1.254]
  2     *        *        *     Request timed out.

When I do a traceroute from console I get this:
traceroute to 192.168.5.254 (192.168.5.254), 64 hops max, 40 byte packets
1  powered-by.xenosite.net (89.255.45.241)  0.574 ms  0.327 ms  0.324 ms
2  * * *

89.255.45.241 is the gateway of my default WAN.

When I trace from the remote site I get this response:
Tracing route to 192.168.1.254 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.5.254
  2     4 ms     5 ms     4 ms  192.168.1.254

Trace complete.

When I take a look at the route in the OPNsense it looks good:

Local side:
ipv4 192.168.5.0/24 89.255.45.241 US 800 1500 igb1 XenositeWAN

Remote side:
ipv4 192.168.1.0/24 139.156.151.64 US 0 1492 pppoe0 WAN_KPN
Title: Re: IPsec VPN tunnel between 2 OPNsense firewalls -> One way traffic
Post by: dmolenkamp on October 25, 2019, 08:07:02 AM
Any help would be very very very appreciated  ;D ::)

I really don't know where to look or where it is going wrong. The only thing different from the remote side is that we have 2 ISPs for failover. But I cannot disable that because of the production environment this is running on.

I hope some genius can help me in the right direction :-)
Title: Re: IPsec VPN tunnel between 2 OPNsense firewalls -> One way traffic
Post by: dmolenkamp on October 25, 2019, 08:18:02 AM
Item can be closed, has been resolved and working now! :-)
Re-created a rule on my LAN network and it is working now, don't know why it wasn't working before....