Text only | Text with Images

OPNsense Forum

English Forums => General Discussion => Topic started by: ao on March 27, 2023, 03:47:17 PM

Title: I have two sites with IPsec tunnel… only one Phase II LAN works
Post by: ao on March 27, 2023, 03:47:17 PM
1. I have two sites with IPsec tunnel... one LAN works both ways, but additional LANs do not - thet are configured as per attachment.
Title: Re: I have two sites with IPsec tunnel… only one Phase II LAN works
Post by: ao on March 27, 2023, 03:48:51 PM
While three LANs configured for Phase II - only one LAN works ... (see attachement)
Title: Re: I have two sites with IPsec tunnel… only one Phase II LAN works
Post by: ao on March 27, 2023, 03:50:19 PM
3. The Phase 1 seems to work fine ... (see attached)
Title: Re: I have two sites with IPsec tunnel… only one Phase II LAN works
Post by: ao on March 27, 2023, 03:52:55 PM
Phase II seems to setup routes  OK ...
Phase II seems to setup security Policy DB  OK ...
The IP Secs firewalls are open ...
Nothing obvious in log files ...

Looking for advice on where to look next please  :)
Title: Re: I have two sites with IPsec tunnel… only one Phase II LAN works
Post by: Patrick M. Hausen on March 27, 2023, 03:58:13 PM
The other side has all three networks as local? Have you tried enabling tunnel isolation?
Title: Re: I have two sites with IPsec tunnel… only one Phase II LAN works
Post by: ao on April 11, 2023, 01:36:27 PM
Thank You - I finally got help - it is not obvious but need to have matching rule on each end for reverse route ...
Title: Re: I have two sites with IPsec tunnel… only one Phase II LAN works
Post by: Patrick M. Hausen on April 11, 2023, 01:55:19 PM
This is obvious ;) In a static tunnel setup all participating sites need full information. Unless default routes/SAs are in place, of course.

Glad you got it working.
Text only | Text with Images