Hi,
I have a problem and can´t find any solutions.
I am migrating from RouterOS to Opnsense, I have a problem where I want a client connected with wireguard to opnsense be able to access a remote site connected via IPSec.
Client Wireguard (Instance : 172.17.32.193/28) -------> Opnsense (LAN : 172.19.1.0/24) -------IPSec--------> remote Site (10.70.38.0/24)
Maybe someone have some tips for me.
Part of my setup:
- 2x WAN
- IPSEC Connections (new method)
- WireGuard with multiple interfaces
- Wireguard Interface Rules has a ANY rule WG0 (used for my test)
IPSec configuration :
Local Nets : 172.19.1.0/24
Remote Nets : 10.70.38.0/23
If I use traceroute since Opnsense with Hostname/IP : 10.70.38.56, Protocol : ICMP, Source address : 172.19.1.253 (GW LAN/Interface address) it works. The packet passes through the 2 public IPs (Local and Remote).
If I use traceroute since Wireguard client to remote site connected with ipsec don't work. Details :
traceroute to 10.70.38.56 (10.70.38.26), 30 hops max, 60 byte packets
1 172.17.32.193 (172.17.32.193) 10.994 ms 10.879 ms 10.855 ms
2 * * *
I tried to create :
- a "dynamic" gateway and disabled routing in the wireguard config.
- a static route and specify GW (172.17.32.193(LAN GW)) or 172.17.32.192(WG GW). (like on RouterOS)
- a rule NAT Outbound : Interface:WG0 Src address: :172.19.1.0/24 Dst adress:10.70.38.0/23 Transition :Interface address
The same behavior. I can´t reach the IP behind the ipsec tunnel.
Thank you in advance for your help.
Similar problem :
https://forum.opnsense.org/index.php?topic=41037.msg201152#msg201152 (https://forum.opnsense.org/index.php?topic=41037.msg201152#msg201152)
IPsec needs to know all networks that pass through it via SPD (Security Policy Database). Even if you do a NAT before sending packets into a tunnel.
SPDs get added automatically by adding children, and additional manual entries can be added when going to "VPN - IPsec - Security Policy Database - Manual".
Thank you for your help.
Context: NAT Forward is not present for Wireguard and Ipsec because they are on the Opnsense himself.
I have tried to add 172.19.1.0/24 (in source) manually in the SPD but the result is identical.
This SPD get added automatically :
Source Destination Tunnel endpoints
172.17.32.193/28[any] 10.70.38.0/23[any] 172.20.0.253->IP_Public_Remote_Site
IP "172.20.0.253" in the Tunnel is a second LAN but not the one mentioned in IPSEC.
In your case you would need to add more networks into your IPsec Connections child (Phase 2) on both sides of the IPsec tunnel.
The OPNsense needs the Wireguard Net as additional local network.
And on the Remote Side, the same configuration has to be made the other way around. There the remote nets have to include the Wireguard net.
--------
Another Option is SNAT: The manual SPD entry would be used to circumvent the need to adjust the Remote Site VPN tunnel, since you would SNAT the Wireguard Network to an Interface IP address of a local network (of the OPNsense) that the remote site already knows. For that, the SPD entry then has to include the Wireguard net.
Thanks for your reply, the problem has been solved and it's thanks to you for pointing me in the right direction.
To solve the problem you need to :
Create a manual SPD in VPN > IPSEC > Security Policy Database :
- Source network = IP WG Instance : 172.17.32.193/28
- Destination network : empty
Created a SNAT rule in Firewall > Automation > Source NAT :
- Do not NAT : Uncheck
- Interface : Ipsec
- Source address = IP WG Instance : 172.17.32.193/28
- Destination = Range IP Remote site IPSec : 10.70.38.0/23
- Translation = LAN GW : 172.19.1.253 (of the network specified in Local NETs in IPSec children)
Last question:
I specified a number (1) on the ReqID in order to apply the manual SDP entry (my WG network) on all remote sites/connections. However, if I select an entry in "Connection child", the manual SDP entry will only apply to one remote site/connection.
Does this number need to be specified in all connection children as a best practice? It works without specifying it.
Hey it's nice that you got it solved.
The manual reqid is for special cases, like VTI interfaces.
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html
For all other configurations leaving it empty for auto assignement is the best.