OPNsense Forum

English Forums => Virtual private networks => Topic started by: tuaris on June 08, 2024, 09:05:29 AM

Title: Need help troubleshooting route based IPSec tunnel
Post by: tuaris on June 08, 2024, 09:05:29 AM
I just realized that I have been posting my question in the wrong forum, wondering why I'm not getting an answer.  :P.

What I have and currently works

I have a functional route based IPSec VPN tunnel using the instructions at https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html.

Site A: LAN=192.168.1.0/24 WAN=1.2.3.4
Site B: LAN=192.168.8.0/24 WAN=4.3.2.1

Phase 2 Local address at Site A: 10.192.168.1
Phase 2 Local address at Site B: 10.192.168.8
Phase 2 Remote address at Site A: 10.192.168.8
Phase 2 Remote address at Site B: 10.192.168.1

Gateways added on each site, and static routes exist for making sure the 192.168.1.0/24 can talk to 192.168.8.0/24 and vice versa.

Good so far.

Context

For the purpose of simplification, there is a website http://showthisip.com that displays my public IP address.  That host name resolves to 63.247.147.167.

At Site A, when I visit that website from a client on the 192.168.1.0/24 subnet, I am shown the IP address 1.2.3.4, which is expected.  That's the public IP of the WAN interface of OPNsense at Site A.

At Site B, when I visit that website from a client on the 192.168.8.0/24 subnet, I am shown the IP address 4.3.2.1, which is expected.  That's the public IP of the WAN interface of OPNsense at Site B.

What I want to do

I want, when I visit that website using a client on the 192.168.1.0/24 subnet at Site A, to show the IP address: 4.3.2.1.  The public IP of the WAN interface at Site B.  In other words, I would like to route traffic leaving Site A for 63.247.147.167 through the VPN tunnel I set up previously so that http://showthisip.com thinks I am at Site B.

I add a firewall rule on the IPsec interfaces (both sites) to allow all traffic in.  Then I proceed to add a static route at Site A:

Network Address: 63.247.147.167
Gateway: 10.192.168.8

I open my browser at Site A, type in the website address... and it times out.

I run traceroute and see:

traceroute -n 63.247.147.167
traceroute to 63.247.147.167 (63.247.147.167), 64 hops max, 40 byte packets
1  192.168.1.1  0.347 ms  0.272 ms  0.158 ms
2  10.192.168.8  151.799 ms  151.946 ms  151.913 ms
3  * * *
4  * * *
5  * * *

Am I missing another firewall rule?
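As an added illustration that is not part of tuaris's post or of OPNsense itself: a small Python model of the two route tables described above, with longest-prefix matching, the allow-all rule on the IPsec interface, and an outbound NAT table at Site B. The interface names, the gateway labels, the client address 192.168.1.50 and the NAT rule are constructed for the example. It encodes one general requirement the post does not mention: a packet forwarded out of Site B's WAN that still carries a 192.168.1.x source address has to be source-translated to Site B's public address, otherwise the website's reply cannot be routed back across the internet and the client times out. That is consistent with hop 2 (10.192.168.8) answering while every hop beyond it stays silent, so it is one thing worth checking alongside the firewall rules.

```python
import ipaddress

# Addresses taken from the post; interface names and gateway labels are constructed.
TARGET = "63.247.147.167"
SITE_B_WAN = "4.3.2.1"

# Route tables as (prefix, next hop, egress interface). next hop None = directly attached.
SITE_A_ROUTES = [
    ("0.0.0.0/0", "wan-gateway-a", "wan"),           # default route (constructed label)
    ("192.168.1.0/24", None, "lan"),
    ("192.168.8.0/24", "10.192.168.8", "ipsec"),      # static route to Site B's LAN
    ("63.247.147.167/32", "10.192.168.8", "ipsec"),   # the /32 static route added in the post
]
SITE_B_ROUTES = [
    ("0.0.0.0/0", "wan-gateway-b", "wan"),
    ("192.168.8.0/24", None, "lan"),
    ("192.168.1.0/24", "10.192.168.1", "ipsec"),      # return path to Site A's LAN
]

# Firewall rules as (interface, source prefix, action): "allow all in on ipsec", as in the post.
SITE_B_FIREWALL = [("ipsec", "0.0.0.0/0", "pass")]


def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def inbound_allowed(rules, iface, src):
    """First matching rule decides; no match falls through to the default deny."""
    for rule_iface, prefix, action in rules:
        if rule_iface == iface and src in ipaddress.ip_network(prefix):
            return action == "pass"
    return False


def translated_source(nat_rules, iface, src):
    """Apply the first outbound NAT rule matching (egress iface, source), else keep src."""
    for rule_iface, prefix, translate_to in nat_rules:
        if rule_iface == iface and src in ipaddress.ip_network(prefix):
            return ipaddress.ip_address(translate_to)
    return src


def trace_path(src, dst, site_b_nat):
    """Walk a packet from a Site A LAN client towards dst and name the first thing that breaks.

    Returns (hops, status); hops lists the (site, egress interface, next hop) decisions.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hops = []
    _, next_hop, iface = lookup(SITE_A_ROUTES, dst)
    hops.append(("site_a", iface, next_hop))
    if iface != "ipsec":
        return hops, "not_via_tunnel"            # default route wins; Site B never sees it

    # The packet now arrives on Site B's ipsec interface with its original private source.
    if not inbound_allowed(SITE_B_FIREWALL, "ipsec", src):
        return hops, "blocked_at_site_b_ipsec"
    _, next_hop, iface = lookup(SITE_B_ROUTES, dst)
    hops.append(("site_b", iface, next_hop))

    leaving_as = translated_source(site_b_nat, iface, src)
    if iface == "wan" and leaving_as.is_private:
        # No outbound NAT covers 192.168.1.0/24 on Site B's WAN: the request leaves with an
        # RFC 1918 source, so the reply cannot be routed back and the client times out.
        return hops, "private_source_on_wan"
    return hops, "ok"


if __name__ == "__main__":
    client = "192.168.1.50"                                  # constructed Site A client
    print(trace_path(client, TARGET, []))                    # no NAT rule for Site A's LAN
    nat = [("wan", "192.168.1.0/24", SITE_B_WAN)]            # constructed outbound NAT rule
    print(trace_path(client, TARGET, nat))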