OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: jeuler on December 02, 2018, 06:06:51 pm

Title: OpenVPN routing (to other site connected via IPsec)
Post by: jeuler on December 02, 2018, 06:06:51 pm
Following situation: I'm currently migrating from IPcop to OPNsense.

We have several sites, all connected together site-to-site with IPsec. For every site, there is a number of connections to every network.

One of the sites worked as a "central" OpenVPN server with push routes to all the other sites' networks. There had been IPsec tunnels to the specific OpenVPN network.

The big advantage is that an employee only has to log into one site and gets access to the complete company network.

For simplicity, let's assume two sites:

Site A
WAN: Static public IP
LAN: 172.17.1.1/23
OpenVPN server (tun) network: 172.17.2.0/24 plus option push "route 172.19.0.0 255.255.254.0"
IPsec LAN to LAN of Site B

Site B
WAN: Static public IP
LAN: 172.19.1.1/23
IPsec LAN to LAN of Site A

With the settings above, no traffic gets routed from road warrior to Site B.

So I added another IPsec phase 2 between the sites (like in the IPcop times).
On Site A local = 172.17.2.0/24 to remote = 172.19.0.0/23
On Site B local = 172.19.0.0/23 to remote = 172.17.2.0/24

In principle, this setup works (and the IPsec tunnels between the two sites still are up), but now, on Site A's OPNsense, all tunnels to Site B are greyed out on the status page — which is very irritating.

Does anyone have an idea of how to solve the issue? Several hours of looking up such a setup via Google did not lead me to a better result.
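The root cause described in the post is a traffic-selector mismatch: the road-warrior packets carry a source in the OpenVPN tunnel network (172.17.2.0/24), but the only IPsec phase 2 between the sites covers LAN-to-LAN (172.17.0.0/23 <-> 172.19.0.0/23), so no IPsec policy matches and the traffic is never encapsulated. The following added example (not from the original post or from OPNsense) is a small checker that takes the tunnel network, the pushed routes and the phase 2 selectors of both sites and reports which pushed routes lack a covering phase 2 in the forward and the return direction. The function and variable names are my own; the addresses are the ones given in the post.

```python
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network
# One IPsec phase 2 is modelled as (local traffic selector, remote traffic selector)
# as seen from the site whose list it is in.
Selector = Tuple[Net, Net]


def net(s: str) -> Net:
    """Parse a CIDR string; strict=False lets '172.17.1.1/23' become 172.17.0.0/23."""
    return ipaddress.ip_network(s, strict=False)


def parse_push_routes(push_lines: Iterable[str]) -> List[Net]:
    """Extract networks from OpenVPN server-config lines of the form
    push "route <network> <netmask>". Other push options are ignored."""
    routes = []
    for line in push_lines:
        line = line.strip()
        if not line.startswith("push"):
            continue
        body = line[len("push"):].strip().strip('"')
        parts = body.split()
        if len(parts) >= 3 and parts[0] == "route":
            routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return routes


def covered(src: Net, dst: Net, selectors: Iterable[Selector]) -> bool:
    """True if at least one phase 2 selector pair contains the whole src -> dst flow.
    A flow that is only partially inside a selector would match for some hosts
    and silently fail for others, so only full containment counts."""
    return any(src.subnet_of(local) and dst.subnet_of(remote) for local, remote in selectors)


def missing_phase2(tun_net: Net, push_lines: Iterable[str],
                   site_a_p2: Iterable[Selector], site_b_p2: Iterable[Selector]):
    """For every pushed route, check that Site A has a phase 2 covering
    tun_net -> route and Site B has the mirror image covering route -> tun_net
    (needed for the replies). Returns a list of (route, forward_ok, return_ok)
    for routes that are not fully covered; an empty list means all good."""
    site_a_p2 = list(site_a_p2)
    site_b_p2 = list(site_b_p2)
    problems = []
    for route in parse_push_routes(push_lines):
        fwd = covered(tun_net, route, site_a_p2)
        rev = covered(route, tun_net, site_b_p2)
        if not (fwd and rev):
            problems.append((str(route), fwd, rev))
    return problems


# Constructed input, taken from the situation described in the post.
TUN_NET = net("172.17.2.0/24")
PUSH_LINES = [
    'push "route 172.19.0.0 255.255.254.0"',  # Site B LAN, pushed to road warriors
    'push "dhcp-option DNS 172.17.1.1"',       # unrelated push option, must be ignored
]
SITE_A_LAN = net("172.17.1.1/23")   # 172.17.0.0/23
SITE_B_LAN = net("172.19.1.1/23")   # 172.19.0.0/23

# Before: only the LAN-to-LAN phase 2 exists on each side.
SITE_A_BEFORE = [(SITE_A_LAN, SITE_B_LAN)]
SITE_B_BEFORE = [(SITE_B_LAN, SITE_A_LAN)]

# After: the extra phase 2 for the OpenVPN tunnel network is added on both sides.
SITE_A_AFTER = SITE_A_BEFORE + [(TUN_NET, SITE_B_LAN)]
SITE_B_AFTER = SITE_B_BEFORE + [(SITE_B_LAN, TUN_NET)]


def report_before():
    return missing_phase2(TUN_NET, PUSH_LINES, SITE_A_BEFORE, SITE_B_BEFORE)


def report_after():
    return missing_phase2(TUN_NET, PUSH_LINES, SITE_A_AFTER, SITE_B_AFTER)


if __name__ == "__main__":
    print("before extra phase 2:", report_before())  # [('172.19.0.0/23', False, False)]
    print("after extra phase 2: ", report_after())   # []
```

The check deliberately requires the mirrored selector on the remote site as well: a phase 2 that is only added on Site A lets the request reach Site B, but Site B has no policy for the return path to 172.17.2.0/24 and the replies are dropped, which looks identical to "no routing" from the road warrior's point of view.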

Title: Re: OpenVPN routing (to other site connected via IPsec)
Post by: jeuler on December 03, 2018, 09:03:51 pm
Update to myself:

After duplicating the respective phase 2's once again (forward and backward), the problem of all phase 2's showing some strange state (instead of "running") does not occur any more.

In the meantime, I played around with the "manual SPD entries" without any success.

This procedure works against an OPNsense as well as IPcop or Sophos UTM on the other side.