OPNsense Forum

English Forums => Virtual private networks => Topic started by: zer0k on December 12, 2023, 01:12:45 AM

Title: IPSEC VTI Tunnel not working as PBR GW
Post by: zer0k on December 12, 2023, 01:12:45 AM
I can't quite seem to work out how to get my VTI based IPSEC tunnel working, and need another set of eyes.
The frustrating thing is it works on pfSense, and I'll be damned if I use that!

This is from an OPNsense firewall to a cloud based IPSEC termination point

I'm using Legacy mode and the tunnel appears to come up just fine and is shown in VPN status overview.
I am using a /31 as the inside tunnel addresses and they show in the routing table.

But, when I try and add a gateway and ping the inside /31 at the other end it does not work.
The gateway always shows as offline / defunct, and also doesn't work if I turn off monitoring.

No traffic flows over the tunnel whether it is sourced from the firewall or an internal host.
I have tried messing with outbound NAT rules, and doing policy based routing.

Not sure where to go from here, as this should be straightforward, and it works in pfSense and doesn't work in OPNsense.

What logs can I delve in to, or provide to try and fix it?

Title: Re: IPSEC VTI Tunnel not working as PBR GW
Post by: Monviech (Cedrik) on December 12, 2023, 11:29:46 AM
You could try to use the new Connections Menu for the VTI tunnel. I have done multiple working ones and have also helped people before with them.

Here are the docs, and also a thread where you can read about possible issues and I also pasted some configs there.

https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html

https://forum.opnsense.org/index.php?topic=36254.msg176819#msg176819

Also, careful with the tunables. Read the whole thread beforehand. (I mean System: Settings: Tunables: etc...)

Title: Re: IPSEC VTI Tunnel not working as PBR GW
Post by: zer0k on December 13, 2023, 06:42:18 AM
Tried your approach using the new connections method and got a little closer.
The firewall can now ping the inside /31 of the other end, but clients can't pass traffic.

Seems like maybe a NAT issue, or some weird setting somewhere.

I have not added a route, as I want to use PBR to send all traffic from specific hosts over the tunnel, so ideally I want to use a firewall rule and specify the VTI interface as the gateway.

Single gateway pointing at the VTI interface looks good and health monitoring is working.
If I try and set the VTI interface as the gateway in a firewall rule I get these errors immediately, but I'm not sure if it's cosmetic or a showstopper?
You can't set an IP address on the interface because it's a tunnel interface.

Error   firewall   There were error(s) loading the rules: no IP address found for ipsec10ip   
Error   firewall   /usr/local/etc/rc.reload_all: The command '/sbin/pfctl -f /tmp/rules.debug.old' returned exit code '1', the output was 'no IP address found for ipsec10ip /tmp/rules.debug.old:50: could not parse host specification pfctl: Syntax error in config file: pf rules not loaded'   
Error   firewall   There were error(s) loading the rules: no IP address found for ipsec10ip   
Error   firewall   /usr/local/etc/rc.newwanip: The command '/sbin/pfctl -f /tmp/rules.debug.old' returned exit code '1', the output was 'no IP address found for ipsec10ip /tmp/rules.debug.old:50: could not parse host specification pfctl: Syntax error in config file: pf rules not loaded'