OPNsense Forum

English Forums => Virtual private networks => Topic started by: wurmloch on March 06, 2021, 09:04:26 PM

Title: IPsec site-to-site: traffic only in one direction
Post by: wurmloch on March 06, 2021, 09:04:26 PM
Hi,

First of all, I must say that it is not my first IPsec config. But it's my first config with OPNsense.

Attached is the outline of my infrastructure. The configuration of the OPNsense A to C is the same, with the corresponding individual settings of IPs and remote subnets. The same applies to the firewall rules.

HOST A cannot reach (ping, rdp) HOST C
HOST B cannot reach (ping, rdp) HOST C
HOST C can reach (ping, rdp) HOST A
HOST C can reach (ping, rdp) HOST B

This is so strange, exasperating. I did not find any post / FAQ related to this behaviour, and I would really appreciate some hints / help!

Thank you,
Uwe
Title: Re: IPsec site-to-site: traffic only in one direction
Post by: Gauss23 on March 06, 2021, 10:11:24 PM
Is there an IPsec tunnel between all members (three tunnels), or is Net A routed through Net C to Net B (two tunnels)?

Sounds like you're missing some firewall rules on the IPsec group.
Title: Re: IPsec site-to-site: traffic only in one direction
Post by: wurmloch on March 06, 2021, 10:45:28 PM
2 tunnels:
A to C
B to C
I double-checked the firewall logs, no blocked packets.
Ping C to A goes through the tunnel.
Ping A to C goes to the upstream gateway of WAN A and is lost.

Thanks for your question!
Title: Re: IPsec site-to-site: traffic only in one direction
Post by: wurmloch on March 07, 2021, 03:15:10 PM
Hi,

Here are the firewall rules of "HOST C"; some are automagically created. I added manually:
- IPsec "Allow traffic to LAN net"
- WAN "Allow NAT-T to WAN" due to a block of NAT-T in the WAN firewall logs

Rules at HOST A and B are correspondingly identical.

Still at a loss
Uwe
Title: Re: IPsec site-to-site: traffic only in one direction
Post by: wurmloch on March 10, 2021, 10:39:12 PM
No idea, nobody?  :'(
Title: Re: IPsec site-to-site: traffic only in one direction
Post by: wurmloch on March 11, 2021, 07:24:45 PM
Quote from: wurmloch on March 07, 2021, 03:15:10 PM
here are the firewall rules of "HOST C", some are automagically created. I added manually:

Wow,

the last few days IPsec on OPNsense C was disabled. I didn't want to keep it up while I had no time for testing.

Now, I switched it on again ... and all automatically generated IPsec-related rules on the WAN interface are gone.

That's perfect, IPsec is what? Outdated, too complicated, nowhere in use? </sarcasm>
Sorry for that. I am not a software engineer. Therefore my contribution to this fine open source project is small.

Title: Re: IPsec site-to-site: traffic only in one direction
Post by: wurmloch on March 23, 2021, 10:10:32 PM
OK, no solution.

I started from scratch and I chose the other path: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html

It worked from the beginning. If you have problems with packets not going through the tunnel, just change your config to a routed IPsec tunnel.

Just my 2 cents
Uwe
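The symptom in the thread (ping A to C leaving via the WAN default gateway while C to A uses the tunnel) is what a policy-based IPsec setup produces when no outbound Phase 2 selector covers the packet, which is one possible cause the thread never pinned down. The following is an added example, not OPNsense code and not the poster's configuration: it models Phase 2 selectors for the three sites with constructed placeholder subnets, deliberately mistypes site A's remote subnet, and shows both the per-packet egress decision and a check that every selector pair is mirrored on the peer.

```python
from ipaddress import ip_address, ip_network

# Constructed Phase 2 selectors (local net, remote net) per site. The subnets
# are placeholders, not the thread's real addresses. Site A carries a mistyped
# remote subnet (10.30.x instead of 10.3.x) to reproduce a one-way tunnel.
PHASE2 = {
    "A": [("10.1.0.0/24", "10.30.0.0/24")],   # typo: should be 10.3.0.0/24
    "B": [("10.2.0.0/24", "10.3.0.0/24")],
    "C": [("10.3.0.0/24", "10.1.0.0/24"), ("10.3.0.0/24", "10.2.0.0/24")],
}


def selectors(phase2):
    """Normalise the table into (site, local_net, remote_net) tuples."""
    return [(site, ip_network(local), ip_network(remote))
            for site, pairs in phase2.items() for local, remote in pairs]


def egress(phase2, site, src, dst):
    """Policy-based IPsec: an outbound packet is encapsulated only when some
    SPD entry's (local, remote) pair covers (src, dst). Anything else follows
    the ordinary routing table, i.e. the WAN default gateway on a branch site."""
    s, d = ip_address(src), ip_address(dst)
    for owner, local, remote in selectors(phase2):
        if owner == site and s in local and d in remote:
            return "tunnel"
    return "default-gateway"


def mirror_gaps(phase2):
    """Every (local, remote) pair on one site needs the mirrored (remote, local)
    pair on a peer; an unmirrored pair can only carry traffic in one direction."""
    sel = selectors(phase2)
    return sorted((site, str(l), str(r)) for site, l, r in sel
                  if not any(o != site and ol == r and orr == l
                             for o, ol, orr in sel))


if __name__ == "__main__":
    print(egress(PHASE2, "C", "10.3.0.10", "10.1.0.10"))   # tunnel
    print(egress(PHASE2, "A", "10.1.0.10", "10.3.0.10"))   # default-gateway
    for gap in mirror_gaps(PHASE2):
        print("unmirrored selector:", gap)
```

With a routed (VTI) tunnel, as in the how-to the poster switched to, the same decision is made by the routing table instead of the SPD, which is why a wrong static route shows up in `netstat -rn` rather than as silently escaping traffic.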