Hi,
I have tried the same config on OPNsense and pfSense to get an IPsec tunnel AND OVPN working, without success.
I have an OPNsense firewall with this configuration:
WAN : 1.1.1.1/32
LAN : 192.168.100.0/24
On the WAN interface, I have an IPsec tunnel with remote subnet 10.1.1.0/24 and these IPsec rules:
any to any port SSH|RDP pass
I have configured the same in floating rules with the LAN/IPsec/OVPN interfaces selected.
I have a second configuration on the WAN interface, an OVPN road-warrior configuration (user auth + TLS) with 192.168.100.0/24 as tunnel & remote network.
On the other side, I have a firewall with:
WAN : 2.2.2.2
LAN : 10.1.1.0/24
Rules allow the remote network (192.168.100.0/24) to SSH|RDP to 10.1.1.0/24.
Route : 192.168.100.0/24 via IPsec interface
I want to:
Wanted client use case / link config (remote work as soon as possible without creating failures in the architecture):
[client]--------------------------------------------------------------------------------------------------->[10.1.1.0/24|22]
[client]---->[OPNsense_OVPN_get192.168.100.2/24]----->[sameOPN_IPsec]------------>[10.1.1.0/24|22]
This use case doesn't work with my current configuration. Does someone have an idea how to configure this successfully?
Thanks
Does the OpenVPN part even work on its own?
Don't use your LAN addresses for Tunnel or Remote addresses, this might work in some rare cases, but not in others.
Use some otherwise unused network, e.g. 10.7.8.0/24 for Tunnel network and leave Remote addresses empty.
Add the network from the remote end of the IPsec tunnel (10.1.1.0/24) to the "IPv4 Local Network" list, together with your LAN network (192.168.100.0/24).
Then you need
- an outbound NAT rule that maps OpenVPN client addresses to one from 192.168.100.0/24 when accessing 10.1.1.0/24
- add a Manual SPD entry in IPSec Tunnel Settings with your OpenVPN client network (Tunnel network) to the phase2 IPsec definition.
Hi,
Thanks mfedv.
Quote:
Then you need
- an outbound NAT rule that maps OpenVPN client addresses to one from 192.168.100.0/24 when accessing 10.1.1.0/24
- add a Manual SPD entry in IPSec Tunnel Settings with your OpenVPN client network (Tunnel network) to the phase2 IPsec definition.
The outbound NAT rule is on the IPsec interface? Like this?
Interface: IPsec
Source: 10.7.8.0/24
Source port: *
Destination: 10.1.1.0/24
Destination port: *
NAT address: 192.168.100.0/24
NAT Port: *
Is the SPD entry BINAT?
Not sure if "NAT address : 192.168.100.0/24" will work (haven't tried); for a start, choose a single ip address from that range that is otherwise unused. Other than that, the outbound NAT rule looks ok.
"Manual SPD" entry: in VPN / IPsec / Tunnel Settings, edit the phase 2 entry (contains the remote network). The last option under "Advanced Options" is "Manual SPD entries". Add your OpenVPN network there (also click on the "i" and read the help text).
For IPsec to act upon a packet, it must recognize it as a packet to be encrypted even before NAT kicks in. That's what the "Manual SPD" entry provides. It is not used on the wire in IKE exchanges, it only tricks IPsec into (later) acting on the packet. Actual packets are then both recognized as to be handled by IPsec and as to be handled by NAT rules.
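A constructed Python model of the three-step flow mfedv describes (SPD selection on the pre-NAT packet, then outbound NAT, then the phase 2 selector that the far end actually negotiated), added here as an example and not part of any post in this thread nor OPNsense code. The pipeline order, the 10.7.8.0/24 tunnel network and the NAT address 192.168.100.250 are assumptions for illustration; the model shows why an OpenVPN client's packet bypasses the tunnel without the manual SPD entry and is sent through it, with a LAN source address, once the entry exists.

```python
"""Constructed model of the OpenVPN -> IPsec packet flow discussed above.

Assumed (simplified) pipeline: an outbound packet is first matched against the
IPsec SPD using its pre-NAT addresses, then outbound NAT may rewrite the source,
and the post-NAT packet must still fit the phase 2 selector to be tunnelled.
This is an educational model, not the real pf/strongSwan code path.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

LAN = IPv4Network("192.168.100.0/24")          # local LAN (from the thread)
OVPN_TUNNEL = IPv4Network("10.7.8.0/24")       # OpenVPN tunnel net suggested above
REMOTE = IPv4Network("10.1.1.0/24")            # far end of the IPsec tunnel
NAT_ADDRESS = IPv4Address("192.168.100.250")   # constructed: one unused LAN address


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Policy:
    """A src/dst selector, used both for SPD entries and the phase 2 TS."""
    src_net: IPv4Network
    dst_net: IPv4Network

    def matches(self, pkt: Packet) -> bool:
        return pkt.src in self.src_net and pkt.dst in self.dst_net


# What was negotiated with the far end in IKE: LAN <-> REMOTE only.
PHASE2 = Policy(LAN, REMOTE)


def outbound_nat(pkt: Packet) -> Packet:
    """Outbound NAT rule on the IPsec interface: OpenVPN clients heading to
    REMOTE are mapped onto a single unused LAN address."""
    if pkt.src in OVPN_TUNNEL and pkt.dst in REMOTE:
        return Packet(NAT_ADDRESS, pkt.dst)
    return pkt


def route(pkt: Packet, manual_spd: bool) -> tuple[str, Packet]:
    """Return ('ipsec', post-NAT packet) if the packet is tunnelled, else
    ('plain', packet) meaning it would leave unencrypted / never reach REMOTE."""
    spd = [PHASE2]
    if manual_spd:
        # The "Manual SPD entries" option: tells IPsec to claim packets from the
        # OpenVPN network even though that network is never announced in IKE.
        spd.append(Policy(OVPN_TUNNEL, REMOTE))

    # Step 1: SPD lookup happens on the pre-NAT addresses.
    if not any(p.matches(pkt) for p in spd):
        return ("plain", pkt)

    # Step 2: outbound NAT rewrites the OpenVPN source to a LAN address.
    pkt = outbound_nat(pkt)

    # Step 3: the on-the-wire packet must fit the negotiated phase 2 selector,
    # otherwise the far end would not accept it.
    if PHASE2.matches(pkt):
        return ("ipsec", pkt)
    return ("plain", pkt)


if __name__ == "__main__":
    client = Packet(IPv4Address("10.7.8.6"), IPv4Address("10.1.1.5"))
    print("without manual SPD:", route(client, manual_spd=False))
    print("with manual SPD:   ", route(client, manual_spd=True))
```

Running the block prints the two outcomes for the same OpenVPN client packet: without the SPD entry it is classified as plain traffic before NAT ever runs; with it, the packet is claimed by IPsec, NATed to 192.168.100.250 and then fits the LAN <-> 10.1.1.0/24 phase 2 selector, which is exactly the "recognized both by IPsec and by NAT" situation described in the last post.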