OPNsense Forum

English Forums => General Discussion => Topic started by: clownschiff on May 24, 2024, 11:07:39 AM

Title: [SOLVED] OpenVPN traffic not routed over IPsec site2site tunnel
Post by: clownschiff on May 24, 2024, 11:07:39 AM
Hi all,

I have a problem with a firewall setup and don't know exactly how to solve this.

There is an OPNsense firewall (B) doing client VPN via OpenVPN. The firewall (B) also has an IPsec site2site tunnel to a different location (A). The problem is that the traffic coming from the OpenVPN net is not routed over the site2site tunnel if the target is in the remote location (A).

[Location A] <----- IPsec site2site -----> [Location B OPNsense] <----- OpenVPN clients

Location A:
- 192.168.50.0/24

Location B:
- 192.168.248.0/24

OpenVPN net:
- 10.200.13.0/24
- pushed routes 192.168.50.0/24,192.168.248.0/24

If I ping a host on location B from the OpenVPN client it works. If I ping a host on location A the packet is directly routed over the WAN interface of the OPNsense and never enters the IPsec tunnel.

Can someone help me identify this problem?
Title: Re: OpenVPN traffic not routed over IPsec site2site tunnel
Post by: Patrick M. Hausen on May 24, 2024, 11:32:44 AM
Is the OpenVPN network part of the phase 2 SA on both sides of the VPN tunnel?
Title: Re: OpenVPN traffic not routed over IPsec site2site tunnel
Post by: clownschiff on May 24, 2024, 11:42:14 AM
Thank you for your reply!

It isn't at the moment. My idea was to use outbound NAT for the OpenVPN net with the LAN IP to bypass this, because I have no access to the firewall on location A. Is this a bad idea or even possible?
Title: Re: OpenVPN traffic not routed over IPsec site2site tunnel
Post by: Patrick M. Hausen on May 24, 2024, 12:38:44 PM
The policy-based routing decision is made before NAT is applied. You need to add a manual SPD entry on your side.
Title: Re: OpenVPN traffic not routed over IPsec site2site tunnel
Post by: clownschiff on May 24, 2024, 01:28:40 PM
Thank you very much for your input!

I have set up a test connection (location B to location C) with an IPsec site2site tunnel to see what is going on on the other side (C). The SPD entry worked and the traffic was routed through the tunnel, although the traffic never reached the LAN interface on location C. So pinging the firewall C didn't work, although the firewall rules would allow it.

When I add a normal Phase 2 entry for the OpenVPN net it works though. Am I missing something with the SPD entry?
Title: Re: OpenVPN traffic not routed over IPsec site2site tunnel
Post by: Patrick M. Hausen on May 24, 2024, 01:43:57 PM
I have a very similar setup, only difference being I use WireGuard instead of OpenVPN.

See screenshots - the key part is the manual ReqID that must match. It tells the system which phase 2 SA the manual SPD entry should be piggybacked on.
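To make the two points above concrete (the policy lookup happens on the pre-NAT source address, and a manual SPD entry only carries traffic when its ReqID matches an existing phase 2 SA), here is a small added model of peer B's egress decision. It is illustrative code written for this thread, not OPNsense or strongSwan internals; the networks are the ones from the thread, and the LAN IP used for outbound NAT (192.168.248.1) is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed model of peer B. reqid -> (local selector, remote selector) of the phase 2 SA.
SAS = {1: (ip_network("192.168.248.0/24"), ip_network("192.168.50.0/24"))}
# Outbound NAT as the OP proposed: (source net, destination net, translated address).
# The translated LAN IP 192.168.248.1 is an assumption, not from the thread.
NAT = [(ip_network("10.200.13.0/24"), ip_network("192.168.50.0/24"), ip_address("192.168.248.1"))]

def build_spd(manual=()):
    """SPD = one policy per phase 2 SA plus any manual entries (src, dst, reqid)."""
    return [(local, remote, reqid) for reqid, (local, remote) in SAS.items()] + list(manual)

def apply_nat(src, dst):
    return next((masq for snet, dnet, masq in NAT if src in snet and dst in dnet), src)

def egress(src, dst, spd):
    """Decide how a packet leaves B. The SPD is consulted on the ORIGINAL source address."""
    src, dst = ip_address(src), ip_address(dst)
    for psrc, pdst, reqid in spd:
        if src in psrc and dst in pdst:
            # Policy matched; it is usable only if an SA with the same reqid exists.
            return ("ipsec", reqid) if reqid in SAS else ("no-sa", reqid)
    # No policy matched: plain routing out of WAN. NAT runs only now, too late to matter.
    return ("route", str(apply_nat(src, dst)))

def demo():
    client, host_a, host_b = "10.200.13.5", "192.168.50.10", "192.168.248.10"
    ovpn, lan_a = ip_network("10.200.13.0/24"), ip_network("192.168.50.0/24")
    return {
        "to_B_lan": egress(client, host_b, build_spd()),                      # local LAN, no IPsec
        "to_A_nat_only": egress(client, host_a, build_spd()),                 # OP's symptom
        "to_A_manual_spd": egress(client, host_a, build_spd([(ovpn, lan_a, 1)])),  # reqid matches
        "to_A_wrong_reqid": egress(client, host_a, build_spd([(ovpn, lan_a, 7)])), # no such SA
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```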
Title: Re: OpenVPN traffic not routed over IPsec site2site tunnel
Post by: clownschiff on May 24, 2024, 02:59:54 PM
Thank you very much. That worked!

I still used the legacy GUI for the IPsec tunnel (shame on me), but I reconfigured it in the new interface with your settings and now it works.

Thank you! :)