OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: JonasBesbrugge on June 27, 2023, 04:45:31 PM

Title: Routing between 2 site vpn networks (Zyxel nebula and tinc vpn) over VTI tunnel.
Post by: JonasBesbrugge on June 27, 2023, 04:45:31 PM
Hi all,

I am trying to make a VPN connection to connect 2 VPN site networks.

1 is Zyxel Nebula (192.168.225.0/24; 192.168.195.0/24)
1 is tinc VPN on OPNsense (192.168.224.0/24; 192.168.223.0/24)

Between the 2 I have set up a VTI IPsec tunnel and I can route traffic to both ends of this tunnel: 192.168.224.0/24 <---> 192.168.225.0/24
From the Nebula site-wide network I can access the GW/FW. I created policy-based routes.
192.168.195.0/24 <---> 192.168.224.0/24
What does not work yet is that I can't access my Zyxel GW/FW from the tinc VPN network.
192.168.223.0/24 <---> 192.168.225.0/24

My plan on the 224.254 GW/FW was to add the far site (225) network on the tinc host subnet.

Is this idea correct? Or am I missing something?
See my diagram for more context.

Kind regards
Title: Re: Routing between 2 site vpn networks (Zyxel nebula and tinc vpn) over VTI tunnel.
Post by: userbenutzer on June 27, 2023, 08:24:34 PM
I don't understand your picture, sorry.

But I think policy-based and VTI is not correct.

If you want to connect the 2 networks then it can be policy-based, and you have to set the mode to "tunnel" in phase 2.

If you want to route over the networks (reach another network behind) you have to set the mode to "route-based", and then you have a VTI (Virtual Tunnel Interface) only for the IPsec. Then you also have to add a gateway and set routes on both sides. And make sure you have unchecked policy-based in phase 1.
Title: Re: Routing between 2 site vpn networks (Zyxel nebula and tinc vpn) over VTI tunnel.
Post by: danderson on June 27, 2023, 09:36:11 PM
Exactly this; you are talking about 2 different types of VPNs. VTI would be required on both sides and then a return route added on both sides, or use dynamic routing with BGP or OSPF.

If policy-based, then you need to set the policies on both sides so that the correct traffic gets tunneled.

Quote from: userbenutzer on June 27, 2023, 08:24:34 PM
I don't understand your picture, sorry.

But I think policy-based and VTI is not correct.

If you want to connect the 2 networks then it can be policy-based, and you have to set the mode to "tunnel" in phase 2.

If you want to route over the networks (reach another network behind) you have to set the mode to "route-based", and then you have a VTI (Virtual Tunnel Interface) only for the IPsec. Then you also have to add a gateway and set routes on both sides. And make sure you have unchecked policy-based in phase 1.
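As an added example (not code from this thread, nor from OPNsense or Zyxel), the following Python models the two checks that userbenutzer's and danderson's replies describe: for a route-based tunnel, that each side routes every network behind the other side over its own VTI (the "return route on both sides"), and for a policy-based tunnel, that every phase 2 traffic selector is mirrored on the peer. The topology is built from the subnets in the question, but the interface names (ipsec1, vti0, tinc0, nebula0, lan, wan), the route tables and the selectors are constructed assumptions; to use it, replace them with what your OPNsense and Zyxel actually have installed.

```python
"""Added example: consistency checks for a site-to-site IPsec tunnel.

Checks the two classic mistakes discussed in the thread: a route-based (VTI)
tunnel with no return route on the far side, and a policy-based tunnel whose
phase 2 traffic selectors are not mirrored. Interface names, route tables and
selectors below are constructed for illustration (assumptions), not read from
any real device.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str  # destination network in CIDR notation
    via: str     # egress interface, e.g. a VTI such as "ipsec1"


@dataclass(frozen=True)
class Site:
    name: str
    vti: str            # name of this side's VTI (assumed name)
    local_nets: tuple   # networks that live behind this site
    routes: tuple       # routes installed on this site


def lookup(site: Site, dst_net: str):
    """Longest-prefix match of dst_net against the site's route table."""
    dst = ipaddress.ip_network(dst_net)
    best = None  # (matched network, route)
    for r in site.routes:
        net = ipaddress.ip_network(r.prefix)
        if dst.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return None if best is None else best[1]


def check_route_based(a: Site, b: Site):
    """Route-based tunnel: every network behind B must leave A via A's VTI and
    every network behind A must leave B via B's VTI (the return route).
    Returns a list of human-readable problems; an empty list means consistent."""
    problems = []
    for src, dst in ((a, b), (b, a)):
        for net in dst.local_nets:
            r = lookup(src, net)
            got = r.via if r else "no route"
            if r is None or r.via != src.vti:
                problems.append(f"{src.name}: {net} goes via {got}, expected {src.vti}")
    return problems


def check_policy_based(a_selectors, b_selectors):
    """Policy-based tunnel: each (local, remote) phase 2 selector on one side
    must appear as (remote, local) on the other, or that traffic is not tunneled.
    Returns [(side, selector)] for every selector without a mirror."""
    a_set, b_set = set(a_selectors), set(b_selectors)
    missing = [("A", s) for s in sorted(a_set) if (s[1], s[0]) not in b_set]
    missing += [("B", s) for s in sorted(b_set) if (s[1], s[0]) not in a_set]
    return missing


def add_route(site: Site, prefix: str, via: str) -> Site:
    """Return a copy of the site with one extra static route."""
    return replace(site, routes=site.routes + (Route(prefix, via),))


# Constructed topology modelled on the subnets in the question (assumptions).
OPNSENSE = Site(
    name="opnsense", vti="ipsec1",
    local_nets=("192.168.224.0/24", "192.168.223.0/24"),   # LAN + tinc
    routes=(Route("0.0.0.0/0", "wan"),
            Route("192.168.224.0/24", "lan"),
            Route("192.168.223.0/24", "tinc0"),
            Route("192.168.225.0/24", "ipsec1"),           # far LAN over the VTI
            Route("192.168.195.0/24", "ipsec1")),          # far Nebula net over the VTI
)
ZYXEL = Site(
    name="zyxel", vti="vti0",
    local_nets=("192.168.225.0/24", "192.168.195.0/24"),   # LAN + Nebula
    routes=(Route("0.0.0.0/0", "wan"),
            Route("192.168.225.0/24", "lan"),
            Route("192.168.195.0/24", "nebula0"),
            Route("192.168.224.0/24", "vti0")),            # no return route for 223 yet
)

if __name__ == "__main__":
    for p in check_route_based(OPNSENSE, ZYXEL):
        print("route-based:", p)
    fixed = add_route(ZYXEL, "192.168.223.0/24", "vti0")
    print("after adding the return route:", check_route_based(OPNSENSE, fixed) or "ok")
    print("policy-based:", check_policy_based(
        [("192.168.224.0/24", "192.168.225.0/24"),
         ("192.168.223.0/24", "192.168.225.0/24")],
        [("192.168.225.0/24", "192.168.224.0/24")]))
```

With the constructed tables, the route-based check reports that the Zyxel side sends 192.168.223.0/24 out of its default route instead of the VTI, which is exactly what a missing return route looks like from the far end, and the report goes away once that one route is added. The policy-based check flags the 192.168.223.0/24 <---> 192.168.225.0/24 selector as having no mirror on the peer; in that mode the peer needs a matching phase 2 entry rather than a route.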