OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: jimjohn on October 20, 2021, 04:54:03 PM

Title: Special Routing Issue
Post by: jimjohn on October 20, 2021, 04:54:03 PM
Hi,

I got two sites coupled via IPsec:

(A) is 10.X.X.X
(B) is 192.X.X.X

The IPsec tunnel works. Now at (A), I got an OPNsense appliance with a host connected that I want to reach from (B).


(B) == IPsec ==> (A) ==> OPNsense WAN IF ==> OPNsense LAN IF ==> Target Host

How can I achieve that? I do not see any packages coming in on the WAN IF of my OPNsense appliance (yes, log is on, yes catchall rule defined).

Thanks in advance!

Title: Re: Special Routing Issue
Post by: Patrick M. Hausen on October 20, 2021, 05:03:55 PM
IPsec and routing in general is not transitive. The fact that you can reach A from B does not imply you can reach anything "behind A".

That means that you must add an IPsec phase 2 entry with the network of your OPNsense LAN to your VPN connection. On both sides. Using "local" and "remote" accordingly.

So on VPN gateway at "A" that network is local, on the gateway at "B" it's remote.
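Added example, not code from this thread or from OPNsense: a small Python model of IPsec phase 2 (child SA) traffic selectors that shows why reaching A from B does not make the LAN behind the OPNsense reachable, and how the mirrored local/remote entries described in the reply above change that. All networks are constructed placeholders chosen to fit the description in the question (site A in 10.x space, site B in 192.x space, an OPNsense LAN behind A); they are not the poster's real addresses.

```python
"""Model of IPsec phase 2 traffic selectors on two VPN gateways.

Added example, not the thread's or OPNsense's own code. Networks below are
constructed placeholders (assumption), not real site addresses.
"""
from ipaddress import ip_address, ip_network

# Constructed networks (assumption, not from the thread):
SITE_A_NET = "10.1.0.0/16"       # site A LAN, where the OPNsense WAN interface sits
SITE_B_NET = "192.168.1.0/24"    # site B LAN
OPN_LAN_NET = "10.2.0.0/24"      # LAN behind the OPNsense at site A


def phase2(local, remote):
    """One phase 2 entry as a gateway sees it: 'local' is the network on its
    own side of the tunnel, 'remote' the network on the far side."""
    return {"local": ip_network(local), "remote": ip_network(remote)}


def sender_covers(children, src, dst):
    """The sending gateway only encrypts a packet into the tunnel if some
    phase 2 entry has src in its local selector and dst in its remote one."""
    return any(src in c["local"] and dst in c["remote"] for c in children)


def receiver_covers(children, src, dst):
    """The receiving gateway only accepts the packet if it holds the mirrored
    entry: dst in its local selector and src in its remote selector."""
    return any(dst in c["local"] and src in c["remote"] for c in children)


def diagnose(sender_children, receiver_children, src, dst):
    """Report whether a packet src -> dst is carried end to end and, if not,
    which gateway is missing the phase 2 entry. Returns a short status string."""
    src, dst = ip_address(src), ip_address(dst)
    if not sender_covers(sender_children, src, dst):
        return f"sender has no phase 2 entry covering {src} -> {dst}"
    if not receiver_covers(receiver_children, src, dst):
        return f"receiver has no phase 2 entry covering {src} -> {dst}"
    return "carried by tunnel"


def path_is_covered(sender_children, receiver_children, src, dst):
    """True only when both gateways hold matching entries for this packet."""
    return diagnose(sender_children, receiver_children, src, dst) == "carried by tunnel"


def add_mirrored_phase2(children_a, children_b, net_behind_a, net_b):
    """The fix from the reply: the same network pair is added on both
    gateways, as 'local' on A and as 'remote' on B. Returns both new lists."""
    return (children_a + [phase2(net_behind_a, net_b)],
            children_b + [phase2(net_b, net_behind_a)])


# Before the fix: only the two site networks are in phase 2.
A_BEFORE = [phase2(SITE_A_NET, SITE_B_NET)]
B_BEFORE = [phase2(SITE_B_NET, SITE_A_NET)]

# After the fix: the OPNsense LAN is added on both ends.
A_AFTER, B_AFTER = add_mirrored_phase2(A_BEFORE, B_BEFORE, OPN_LAN_NET, SITE_B_NET)

if __name__ == "__main__":
    host_b = "192.168.1.10"
    # B reaching a host at site A works either way.
    print("B -> host at A (before):   ", diagnose(B_BEFORE, A_BEFORE, host_b, "10.1.0.5"))
    # B reaching the host behind the OPNsense: B never encrypts the packet, so
    # nothing ever arrives on the OPNsense WAN interface.
    print("B -> OPNsense LAN (before):", diagnose(B_BEFORE, A_BEFORE, host_b, "10.2.0.20"))
    # Adding the entry on one side only is still not enough.
    print("B -> OPNsense LAN (A only):", diagnose(B_BEFORE, A_AFTER, host_b, "10.2.0.20"))
    print("B -> OPNsense LAN (both):  ", diagnose(B_AFTER, A_AFTER, host_b, "10.2.0.20"))
```

The selectors only decide what the tunnel carries. Once the packet does arrive at site A, the gateway at A still needs a route for the OPNsense LAN pointing at the OPNsense WAN address, and the OPNsense firewall rules on the WAN side must allow it; the model above does not cover either of those.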

Title: Re: Special Routing Issue
Post by: jimjohn on October 20, 2021, 05:26:18 PM
Thanks.

Since both VPN endpoints are Fritz.Boxes and I also have access to an OPNsense at (B), may it be easier to just build a VPN which is embedded into the IPsec tunnel (i.e. Wireshark, OpenVPN), put the origin host behind the OPNsense at (B) and let the OPNsenses take care of the routing?

If yes, how would I do that?