Hello,
A customer's remote site wants to have 0.0.0.0 as the remote net in IPsec.
However, if we set this, the CARP traffic will follow that route, too.
Therefore my HA setup breaks because the HA nodes do not reach each other any more.
How do you set up IPsec with a remote net of 0.0.0.0 without breaking the local CARP address?
Thanks,
Michael
A policy-based VPN with 0.0.0.0? It installs policies with kernel routes.
What you need is probably a VTI-based IPsec tunnel; with that, you can manually control the routes.
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html