Hey folks,
long story short:
Problem:
Network A does not receive the responses from network B
RCA:
- The networks are connected via IPSec IKEv2 site-to-site
- Phase 1 proposal and authentication are the same here
- Both have a static public IPv4 address
- Network A has 5 local networks in phase 2
- Network B has 2 local networks in phase 2
- Network A has 10 entries in phase 2: Each network from A (local) to each network in network B (local)
- There are 8 entries on network B in phase 2: Each network from B (local) to each network in network A (local)
- Network A runs OpenVPN. This has its own additional network, which is why there are also 2 more phase 2 entries, so that it reaches both local networks of network B
- Network A IPSec interface rules from the networks of A and B each as source and destination
- Network A IPSec interface rules from the networks of B and A each as source and destination
- IPSec tunnels are available on both sides according to the status overview
- Network A ping to network B IPs not possible
- Network B ping to network A IPs possible
Found discrepancies - does an allow all rule fix them?
- An allow all rule works - is it because some rules are missing?
Drill deeper:
- I have created a description in the allow all rule that I can filter in Live View
- I created a ping that was not possible before and filtered it out in Live View with allow all rule
- I have analyzed this and found that the following type of rule is needed:
- - Interface: IPSec
- - Type: Pass
- - Direction: in
- - Source: net1 Network A
- - Destination: net1 Network B
Oh wonder of wonders - exactly this rule exists...
After lengthy research, we can't understand why the IPSec interface rules in network B don't seem to work. They are all enabled and have no special configuration - just interface, direction, source, destination.
Any ideas?
Quote from: germebl on June 14, 2024, 12:36:45 AM
...
Any ideas?
There's a dedicated forum for VPN questions: https://forum.opnsense.org/index.php?board=36.0
What OPNsense version(s) are you using?
Are you using Policy or Route based IPsec?
What does your topology look like?
Does Router A allow both UDP 500 and ESP traffic from destination B on the WAN interface?
Quote: There's a dedicated forum for VPN questions
I wasn't sure if the problem was specific enough to be an IPsec issue for that forum section.
Quote: What OPNsense version(s) are you using?
OPNsense 24.1.8-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.13
Quote: Are you using Policy or Route based IPsec?
https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html
Quote: What does your topology look like?
In what way - is that not clear enough from the description above?
- 2 sites, OPNsense, with Public IP
Site A networks: 5 private networks incl. OpenVPN network
Site B networks: 2 private networks
Both sites connected using this IPSec method:
https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html
Quote: Does Router A allow both UDP 500 and ESP traffic from destination B on the WAN interface?
Both allow ESP, UDP 500 and UDP 4500 from each other.
Tiny update:
We added the Phase 2 for the OpenVPN network on Network B - it was missing. But that doesn't change the problem: we actually need a floating rule on all interfaces which allows as source all networks from Network A & B.
There are connections which use that rule instead of the correctly created ones. As I said, I checked the Live View logs from the firewall and there are connections which are already allowed by the correct rules on the IPSec interface but only match the floating rule. Without the floating rule we can't reach Network B from Network A.
Example:
When I try to connect to a remote terminal server (Windows server) via RDP, I see the following entry in the live view:
Interface:IPsec
Dir: in
Protocol: TCP
Source: 10.242.0.4 (OpenVPN Network - Client IP of my computer)
Destination: 10.0.0.33 (Internal IP of terminal server)
And in the same second there is an outbound entry:
Interface: LAN
Dir: out
Protocol: TCP
Source: 4.3.2.1 (WAN address of Site B)
Destination: 10.0.0.33 (Internal IP of terminal server)
So I would need the following rules on Network B:
Type: Pass
Interface: IPsec
Dir: In
Protocol: TCP
Source: OVPN net
Destination: LAN net
and
Type: Pass
Interface: LAN
Dir: out
Protocol: TCP
Source: WAN address
Destination: LAN net
Both these rules exist....
----------------------------
I may have found the solution:
We didn't create rules in the IPSec interface that had their own networks as destination and any as source, as in the instructions, but always used network against network so that a source was always defined.
However, since the IPSec interface is used for more than just network against network, I have now changed the rules so that the source is any.
However, I cannot test this (remove the floating allow all rule) as long as I am not present in Site B, as otherwise Site B may not be accessible in the worst case.
I will report back with my findings at the beginning of next week when I am on site B.
Drove to Site B.... Isolated the allow all rule until I found what's missing.
How I analyzed:
- Created a rule on Site B for all interfaces, any direction, all networks & IPs to every destination
- Eliminated networks and IPs from that rule until I found the Site B WAN address
- Eliminated interfaces until I found it: Site B net A
- Ping from Site-A-OpenVPN-net to Site-B-A-net
- Checked the live log: matched to LAN interface, direction out, source Site B WAN address, destination the pinged server
I don't think that we need such a rule - do you?
We have an outbound NAT rule on Site B for the LAN interface which translates to the Site B WAN address. Sounds more like a NAT issue?
I would appreciate it if someone could give me a hand - I'm running out of ideas. :-[
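An added example, not code from this thread or from OPNsense, that checks for the pattern described in the RDP example above and in the final analysis: an IPsec inbound entry paired with a LAN outbound entry in the same second whose source has become the firewall's own WAN address. The live-view entries are constructed in a simple key=value form modelled on the fields quoted in the thread; the addresses are the ones given there, while the Site A OpenVPN net (10.242.0.0/24) and the shape of the NAT rules are assumptions.

```python
import ipaddress

# Constructed live-view sample (not real log output); addresses follow the thread.
SITE_B_WAN = "4.3.2.1"
REMOTE_NETS = [ipaddress.ip_network("10.242.0.0/24")]  # assumed Site A OpenVPN net
ANY = ipaddress.ip_network("0.0.0.0/0")

LIVE_VIEW = """\
t=1 iface=IPsec dir=in proto=TCP src=10.242.0.4 dst=10.0.0.33
t=1 iface=LAN dir=out proto=TCP src=4.3.2.1 dst=10.0.0.33
t=2 iface=IPsec dir=in proto=ICMP src=10.242.0.4 dst=10.0.0.40
t=2 iface=LAN dir=out proto=ICMP src=10.242.0.4 dst=10.0.0.40
t=3 iface=LAN dir=out proto=TCP src=4.3.2.1 dst=10.0.0.33
"""

# Assumed outbound NAT rules: one bound to LAN (as described in the thread), one bound to WAN.
NAT_ON_LAN = {"iface": "LAN", "src": ANY, "dst": ANY, "translate": SITE_B_WAN}
NAT_ON_WAN = {"iface": "WAN", "src": ANY, "dst": ANY, "translate": SITE_B_WAN}

def parse(text):
    """One dict per live-view entry; blank lines are skipped."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]

def translated_tunnel_flows(entries, wan_addr, remote_nets):
    """Pair an IPsec inbound entry from a remote net with a LAN outbound entry in the
    same second, same protocol and same destination, whose source is now the firewall's
    WAN address. Each hit is tunnel traffic rewritten by outbound NAT on the LAN side,
    so its replies carry the WAN address and no longer fit the net-to-net IPsec rules.
    Returns a list of (t, original_src, dst)."""
    inbound = {}
    for e in entries:
        if e["iface"] == "IPsec" and e["dir"] == "in" and any(
                ipaddress.ip_address(e["src"]) in n for n in remote_nets):
            inbound[(e["t"], e["proto"], e["dst"])] = e["src"]
    hits = []
    for e in entries:
        key = (e["t"], e["proto"], e["dst"])
        if e["iface"] == "LAN" and e["dir"] == "out" and e["src"] == wan_addr \
                and key in inbound:
            hits.append((e["t"], inbound[key], e["dst"]))
    return hits

def nat_rule_matches(rule, egress_iface, src, dst):
    """Minimal outbound-NAT match: the rule applies when the packet leaves on the rule's
    interface and source/destination fall inside the rule's networks. A rule bound to
    LAN catches tunnel traffic going to LAN hosts; the same rule bound to WAN does not."""
    return (rule["iface"] == egress_iface
            and ipaddress.ip_address(src) in rule["src"]
            and ipaddress.ip_address(dst) in rule["dst"])
```

Run `translated_tunnel_flows(parse(LIVE_VIEW), SITE_B_WAN, REMOTE_NETS)` against exported live-view entries in the same form to list the flows that were translated, and compare `nat_rule_matches` for the LAN-bound and WAN-bound rule on one of them.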