Hello,
I have set up an IPsec VPN between Debian 11 with Libreswan and my OPNsense box.
The Phase 2 config allows one /24 subnet to talk to a remote /24 subnet.
So far, from the Libreswan side, I can ping and RDP to remote machines attached to the OPNsense LAN just fine.
However, there's no communication from the OPNsense LAN to the Libreswan LAN.
Only one side of the tunnel seems to work.
Libreswan configuration:
https://hastebin.milkywan.fr/isopitazit.apache
The OPNsense configuration is the following.
IKEv2 Phase 1:
(https://pix.milkywan.fr/LW3gEwC4.png)
(https://pix.milkywan.fr/5ZOHKiQw.png)
Phase 2:
(https://pix.milkywan.fr/FkoqVuRY.png)
(https://pix.milkywan.fr/wYyzaazm.png)
Child SA status on OPNsense:
Routing table for the remote Libreswan subnet from OPNsense:
(https://pix.milkywan.fr/oY1KlBR5.png)
Firewall configuration for the IPsec interface:
(https://pix.milkywan.fr/tG5rLmEY.png)
Thank you.
Libreswan logs:
https://hastebin.milkywan.fr/diwibobisi.apache
After doing a tcpdump on the Debian machine, I can see the remote ping coming from the IPsec tunnel.
This is my sysctl config:
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.ip_forward = 1
Maybe some of these settings are the issue, or maybe I need NAT?
Solution to the issue:
Add a NAT rule using nftables on the Debian Libreswan box, because there's no way to configure custom routing on my ISP box.
Tweak the Windows 10 firewall to allow ICMPv4 Echo requests and replies from any subnet.
Everything works OK now.
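As an added example (not the poster's own ruleset, which the thread does not show), this is the kind of nftables source-NAT rule the solution describes, generated by a small POSIX sh script. The subnets 192.168.1.0/24 (Libreswan side), 192.168.2.0/24 (OPNsense side) and the interface name eth0 are assumed placeholders, as are the table name and the helper function names. The point a practitioner should take from it is the selectivity of the match: only packets that were decapsulated from the tunnel and are being forwarded to the local LAN get masqueraded, so that LAN hosts whose default gateway is the ISP box reply to the Debian machine instead of to a router that has no route for the remote subnet.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the nftables source-NAT
# rule the solution describes: traffic that arrives through the IPsec tunnel
# and is forwarded to the local LAN gets the Debian box's address, so LAN
# hosts whose default gateway is the ISP box send replies back to this machine.
# The subnets and interface name below are assumed placeholders; edit them.
LOCAL_LAN="192.168.1.0/24"    # assumed: LAN behind the Debian/Libreswan box
REMOTE_LAN="192.168.2.0/24"   # assumed: LAN behind OPNsense
LAN_IF="eth0"                 # assumed: Debian interface facing LOCAL_LAN

# Print the ruleset. The rule matches on source AND destination subnet on
# purpose: a blanket 'oifname eth0 masquerade' would also rewrite LAN->remote
# packets before IPsec encapsulation; they would then no longer match the
# leftsubnet/rightsubnet policy and the direction that already works would break.
ruleset() {
    cat <<EOF
table ip ipsec_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr ${REMOTE_LAN} ip daddr ${LOCAL_LAN} oifname "${LAN_IF}" counter masquerade
    }
}
EOF
}

# Load the ruleset atomically (needs root and the nft binary).
apply_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
    ruleset | nft -f -
}

# Offline dry run of the rule's match logic for one forwarded packet:
# returns 0 when the packet would be masqueraded, 1 otherwise.
# Only /24 prefixes are handled, which is all this example needs.
prefix24() { printf '%s\n' "$1" | cut -d. -f1-3; }

rule_matches() { # src_ip dst_ip out_iface
    [ "$(prefix24 "$1")" = "$(prefix24 "$REMOTE_LAN")" ] &&
    [ "$(prefix24 "$2")" = "$(prefix24 "$LOCAL_LAN")" ] &&
    [ "$3" = "$LAN_IF" ]
}

# Forwarding must still be on for either direction to work; NAT does not replace it.
forwarding_enabled() {
    [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = "1" ]
}
```

Run `apply_ruleset` as root to load it, and put the output of `ruleset` into /etc/nftables.conf so it survives a reboot. The dry-run helper shows why the match is narrow: a packet from 192.168.2.10 to 192.168.1.20 leaving eth0 is rewritten, while a packet from 192.168.1.20 to 192.168.2.10 (LAN towards the tunnel) is left alone. The Windows side of the fix is a separate step: the built-in ICMPv4 echo rules in the Windows firewall are scoped to the local subnet by default, so pings from the remote /24 are dropped until that scope is widened to the remote subnet or to any address.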