So far this seems like a pretty straightforward thing to do, but it's only working partially and I have no clue as to why. And I got lost in way too many posts like this one and helpful sites explaining stuff about ipsec. I really hope someone here can shed some light on this.
setup:
remote site | host R --- FW R === WAN_NAT L == FW L --- host L | local site
Net R: host R, FW R
Net DMZ: WAN_NAT L, FW L
Net L: FW L, host L
FW R:
* single opnsense box
* local ident: FW R public ip (static)
* remote ident: WAN_NAT L public ip (static)
WAN_NAT L:
* business dsl router only used for pppoe
* DMZ: CARP IP NET DMZ FW L
* NAT from NET DMZ to public ip (static)
FW L:
* HA-setup with tunnel originating from host-ip (not the carp virtual ip)
* NAT from CARP in NET L to CARP in NET DMZ
* Outbound NAT: NET L to ! NET L via CARP IP NET L FW L
* local ident: WAN_NAT L public ip (static)
* remote ident: FW R public ip (static)
fw rules (FW R & FW L):
* allow everything on IF ipsec
connectivity (icmp/ssh/https):
Host R -> FW L: no
Host R -> Host L: no
Host L -> FW R: yes
Host L -> Host R: yes
FW R -> FW L: no
FW L -> FW R: no
FW R "ipsec statusall"
Status of IKE charon daemon (strongSwan 5.6.3, FreeBSD 11.1-RELEASE-p10, amd64):
uptime: 45 minutes, since Jun 28 13:44:15 2018
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
Listening IP addresses:
<public IP FW R>
<NET R IP FW R>
Connections:
con1: <public IP FW R>...<public IP FW L> IKEv2, dpddelay=30s
con1: local: [<public IP FW R>] uses pre-shared key authentication
con1: remote: [<public IP FW L>] uses pre-shared key authentication
con1: child: <NET R> === <NET L> TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
con1[1]: ESTABLISHED 45 minutes ago, <public IP FW R>[<public IP FW R>]...<public IP FW L>[<public IP FW L>]
con1[1]: IKEv2 SPIs: af539d1d52e4b970_i db82b64dfdb13183_r*, pre-shared key reauthentication in 6 hours
con1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
con1{3}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c9b931a6_i ccc8da4d_o
con1{3}: AES_CBC_256/HMAC_SHA2_512_256/MODP_2048, 65187 bytes_i (900 pkts, 0s ago), 152716 bytes_o (929 pkts, 0s ago), rekeying in 39 minutes
con1{3}: <NET R> === <NET L>
FW L "ipsec statusall"
Status of IKE charon daemon (strongSwan 5.6.3, FreeBSD 11.1-RELEASE-p10, amd64):
uptime: 47 minutes, since Jun 28 13:44:19 2018
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 10
loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
Listening IP addresses:
<NET DMZ IP FW L>
<NET DMZ CARP IP FW L>
<HA SYNC IP>
<NET L IP FW L>
<CARP IP NET L FW L>
Connections:
con1: <NET DMZ IP FW L>...<public IP FW R> IKEv2, dpddelay=300s
con1: local: [<public IP FW L>] uses pre-shared key authentication
con1: remote: [<public IP FW R>] uses pre-shared key authentication
con1: child: <NET L> === <NET R> TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
con1[1]: ESTABLISHED 47 minutes ago, <NET DMZ IP FW L>[<public IP FW L>]...<public IP FW R>[<public IP FW R>]
con1[1]: IKEv2 SPIs: af539d1d52e4b970_i* db82b64dfdb13183_r, pre-shared key reauthentication in 6 hours
con1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
con1{5}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccc8da4d_i c9b931a6_o
con1{5}: AES_CBC_256/HMAC_SHA2_512_256/MODP_2048, 1509939 bytes_i (2455 pkts, 1s ago), 301572 bytes_o (1971 pkts, 1s ago), rekeying in 37 minutes
con1{5}: <NET L> === <NET R>
What seems to be a bit weird to me is that there is no part like
Routed Connections:
con1{2}: ROUTED, TUNNEL, reqid 2
con1{2}: <NET X> === <NET Y>
like on another ipsec connection we have running. Is this part even needed?
So, in the end it comes down to two questions:
1) what went wrong regarding connectivity?
2) (bonus) how do I get a failover tunnel from an HA-FW to another site?
If there is more info needed I would be happy to provide that. All boxes are running 18.1.10 btw.
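The two "ipsec statusall" dumps above carry everything needed to confirm that both firewalls are talking about the same tunnel: the IKE_SA SPIs, the ESP SPIs (each side's inbound SPI must be the peer's outbound SPI), the IKE identities (which stay the public IPs even though FW L's outer address is its NET DMZ IP behind WAN_NAT L), the traffic selectors, and the negotiated proposals. The script below is an added example, not code from the thread or from OPNsense/strongSwan; it parses both dumps and cross-checks them. The addresses in the embedded sample are constructed stand-ins for the post's placeholders (198.51.100.1 for the public IP of FW R, 203.0.113.1 for the public IP of WAN_NAT L, 172.16.0.2 for the NET DMZ IP of FW L, 10.1.0.0/24 for NET R and 10.2.0.0/24 for NET L); the SPIs, counters and proposals are the ones quoted above. One note on the "Routed Connections" question: in strongSwan that section lists trap policies (connections with auto=route); a CHILD_SA shown as INSTALLED already has its kernel policies in place, so the absence of that section does not by itself stop traffic, it only matters for on-demand (re)establishment.

```python
import re

# Constructed sample input: the two "ipsec statusall" excerpts from the post,
# placeholders replaced by documentation addresses (assumption: 198.51.100.1 =
# public IP FW R, 203.0.113.1 = public IP WAN_NAT L used as FW L's identity,
# 172.16.0.2 = NET DMZ IP FW L, 10.1.0.0/24 = NET R, 10.2.0.0/24 = NET L).
STATUS_FW_R = """\
Connections:
       con1:  198.51.100.1...203.0.113.1  IKEv2, dpddelay=30s
       con1:   local:  [198.51.100.1] uses pre-shared key authentication
       con1:   remote: [203.0.113.1] uses pre-shared key authentication
Security Associations (1 up, 0 connecting):
       con1[1]: IKEv2 SPIs: af539d1d52e4b970_i db82b64dfdb13183_r*, pre-shared key reauthentication in 6 hours
       con1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
       con1{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c9b931a6_i ccc8da4d_o
       con1{3}:  AES_CBC_256/HMAC_SHA2_512_256/MODP_2048, 65187 bytes_i (900 pkts, 0s ago), 152716 bytes_o (929 pkts, 0s ago), rekeying in 39 minutes
       con1{3}:   10.1.0.0/24 === 10.2.0.0/24
"""

STATUS_FW_L = """\
Connections:
       con1:  172.16.0.2...198.51.100.1  IKEv2, dpddelay=300s
       con1:   local:  [203.0.113.1] uses pre-shared key authentication
       con1:   remote: [198.51.100.1] uses pre-shared key authentication
Security Associations (1 up, 0 connecting):
       con1[1]: IKEv2 SPIs: af539d1d52e4b970_i* db82b64dfdb13183_r, pre-shared key reauthentication in 6 hours
       con1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
       con1{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccc8da4d_i c9b931a6_o
       con1{5}:  AES_CBC_256/HMAC_SHA2_512_256/MODP_2048, 1509939 bytes_i (2455 pkts, 1s ago), 301572 bytes_o (1971 pkts, 1s ago), rekeying in 37 minutes
       con1{5}:   10.2.0.0/24 === 10.1.0.0/24
"""

# One regex per field; group 1 is the value kept.
PATTERNS = {
    "dpddelay":       r"IKEv\d, dpddelay=(\d+)s",
    "id_local":       r"local:\s+\[([^\]]+)\]",
    "id_remote":      r"remote:\s+\[([^\]]+)\]",
    "ike_spi_i":      r"IKEv2 SPIs: ([0-9a-f]+)_i",
    "ike_spi_r":      r"IKEv2 SPIs: [0-9a-f]+_i\*? ([0-9a-f]+)_r",
    "ike_proposal":   r"IKE proposal: (\S+)",
    "esp_in":         r"ESP(?: in UDP)? SPIs: ([0-9a-f]+)_i",
    "esp_out":        r"ESP(?: in UDP)? SPIs: [0-9a-f]+_i ([0-9a-f]+)_o",
    "child_proposal": r"\{\d+\}:\s+(\S+), \d+ bytes_i",
    "pkts_in":        r"bytes_i \((\d+) pkts",
    "pkts_out":       r"bytes_o \((\d+) pkts",
    "ts_local":       r"\{\d+\}:\s+(\S+) === \S+\s*$",
    "ts_remote":      r"\{\d+\}:\s+\S+ === (\S+)\s*$",
}


def parse_status(text):
    """Extract the comparable fields from one 'ipsec statusall' dump."""
    info = {}
    for key, pat in PATTERNS.items():
        m = re.search(pat, text, re.M)
        info[key] = m.group(1) if m else None
    info["installed"] = "INSTALLED" in text   # CHILD_SA policies in the kernel
    info["nat_t"] = "ESP in UDP" in text      # NAT traversal negotiated
    info["routed"] = "ROUTED" in text         # trap policy (auto=route) present
    return info


def compare(r, l):
    """Cross-check FW R's view (r) against FW L's view (l) of the same tunnel.
    Returns [(level, message), ...] with level OK, WARN, INFO or FAIL."""
    findings = []

    def check(ok, msg, level="FAIL"):
        findings.append(("OK" if ok else level, msg))

    check(r["installed"] and l["installed"],
          "CHILD_SA INSTALLED: R=%s L=%s" % (r["installed"], l["installed"]))
    check((r["ike_spi_i"], r["ike_spi_r"]) == (l["ike_spi_i"], l["ike_spi_r"]),
          "both ends report the same IKE_SA SPIs (one SA, not two half-open ones)")
    check(r["esp_in"] == l["esp_out"] and r["esp_out"] == l["esp_in"],
          "ESP SPIs mirrored: each side's inbound SPI is the peer's outbound SPI")
    check(r["id_local"] == l["id_remote"] and r["id_remote"] == l["id_local"],
          "IKE identities mirrored (NAT rewrites the outer address, not the ID)")
    check(r["ts_local"] == l["ts_remote"] and r["ts_remote"] == l["ts_local"],
          "traffic selectors mirrored (NET R === NET L vs NET L === NET R)")
    check(r["ike_proposal"] == l["ike_proposal"]
          and r["child_proposal"] == l["child_proposal"],
          "IKE/ESP proposals agree: %s / %s" % (r["ike_proposal"], r["child_proposal"]))
    check(r["nat_t"] == l["nat_t"],
          "NAT-T (ESP in UDP) on both ends: R=%s L=%s" % (r["nat_t"], l["nat_t"]), "WARN")
    check(r["dpddelay"] == l["dpddelay"],
          "dpddelay equal on both ends: R=%ss L=%ss" % (r["dpddelay"], l["dpddelay"]), "WARN")
    # Per-SA counters restart at rekey and the two dumps are rarely taken at the
    # same instant, so a mismatch is a prompt to capture again, not a verdict.
    sent_by_l, seen_by_r = int(l["pkts_out"]), int(r["pkts_in"])
    check(abs(sent_by_l - seen_by_r) <= 0.1 * max(sent_by_l, 1),
          "ESP packets L sent vs R received: %d vs %d" % (sent_by_l, seen_by_r), "WARN")
    check(r["routed"] and l["routed"],
          "ROUTED (trap policy) entry: R=%s L=%s; an INSTALLED SA already has its "
          "policies, a trap policy only matters for on-demand (re)establishment"
          % (r["routed"], l["routed"]), "INFO")
    return findings


def tunnel_consistent(findings):
    """True when no check failed outright (WARN/INFO are advisory)."""
    return not any(level == "FAIL" for level, _ in findings)


if __name__ == "__main__":
    result = compare(parse_status(STATUS_FW_R), parse_status(STATUS_FW_L))
    for level, msg in result:
        print("[%-4s] %s" % (level, msg))
    print("consistent:", tunnel_consistent(result))
```

Run against the two dumps as quoted, every hard check passes (same IKE_SA, mirrored ESP SPIs, identities and selectors, identical proposals, NAT-T on both ends), which is what you would expect given that Host L -> Host R works. What the script flags is advisory: the dpddelay differs (30s on FW R, 300s on FW L) and the per-SA packet counters do not line up, which, with dumps taken two minutes apart, mainly says to capture both again at the same moment. A tunnel that passes these checks but still drops R -> L traffic points at what happens to the packet after decryption on FW L (pf rules, NAT and state handling on the CARP/HA pair) rather than at the IKE negotiation itself.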
Did you check this already? https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html
Cheers,
Franco
Stop the tunnel, start a ping from host L and check the logs of FW L.
P.S.: I myself prefer the private IP as the ID instead of the WAN IP.
Quote from: franco on June 29, 2018, 01:13:09 PM
Did you check this already? https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html
Cheers,
Franco
No, I didn't think I needed to, since I do not have the same network in use in multiple locations. Do I still need to use BINAT, and if so, why?