OPNsense Forum

English Forums => General Discussion => Topic started by: hhk on February 08, 2019, 08:07:55 am

Title: How to route networks across site-to-site IPsec-VPN tunnel ?
Post by: hhk on February 08, 2019, 08:07:55 am
Hi All, I am trying to route b/w two sites over the VPN in the following scenario.


10.10.11.0/24 ----[Opnsense A]<---ipsec vpn --->[Opnsense B]---172.16.1.0/24---[Router] --- Network [ 10.10.12.0/24, 10.10.13.0/24 ... ]


From 10.10.11.0/24 I can reach 172.x.x.x, however I can't reach the 10.10.12.0/24, 10.10.13.0/24 etc. networks.

I created a gateway 172.16.1.1 (opnsense B Lan IP). Tried both int LAN/WAN and put in a static route in Opnsense A pointing 10.0.0.0/8 to 172.16.1.1.

When I start a ping from 10.10.11.2 I get the following from Opnsense A. Looks like it sees 172.16.1.1 as a LAN network and is doing ICMP re-direct.

PING 10.10.12.1 (10.10.12.1): 56 data bytes
36 bytes from 10.10.11.2: Redirect Host(New addr: 172.16.1.1)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 f0ae   0 0000  40  01 6f33 10.10.11.2  10.10.12.1

I guess there is something broken with my route. Using the far-side host as the next hop does not seem to be working.
How do I specify a route with the IPsec tunnel as the next hop?
Your input is much appreciated.
Thx

Title: Re: How to route networks across site-to-site IPsec-VPN tunnel ?
Post by: bartjsmit on February 08, 2019, 08:41:57 am
You need a static route for 10.10.11.0/24 on the router behind B (marked -[Router]- in your diagram) via 172.16.1.1 and also one for the IPSec tunnel subnet, unless your VPN is in transport mode.

Bart...
Title: Re: How to route networks across site-to-site IPsec-VPN tunnel ?
Post by: hhk on February 08, 2019, 11:08:59 am
@Bart thanks for taking a look.
I already had the static route in the Router for Site A subnet. I am actually able to telnet to the router from Site A. Meaning I can get to anything in 172.16. network.
I turned on Packet capture on Site B IpSec interface. Tried to capture my host IP in Site A when pinging to 10.10.12.0/24,10.10.13.0/24 networks. I do not see anything. I am able to capture the pkts when pinging the router 172.16.x.x address. This tells me Site A is not sending traffic destined for 10.10.12.x over the tunnel.
I think my static routes on the firewall are broken. Would you happen to have an example of how the static routes are configured in this scenario?
Title: Re: How to route networks across site-to-site IPsec-VPN tunnel ?
Post by: bartjsmit on February 08, 2019, 04:37:54 pm
I was going to suggest packet capture ;-)

System, Routes, Configuration. The status page shows the current routing table.

Bart...
Title: Re: How to route networks across site-to-site IPsec-VPN tunnel ?
Post by: hhk on February 08, 2019, 09:10:28 pm
I was able to fix this by creating a second IKE phase 2 entry under my Tunnel Settings. That adds the necessary routes in the routing table.
It seems doing a static recursive route to far side VPN destination is not the supported method of doing this.
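Added example, not from the thread or from OPNsense: a simplified Python model of why the static route failed and the extra phase 2 entry worked. In policy-based IPsec the kernel protects a packet only when its (src, dst) pair matches a phase 2 traffic selector; packets that match no selector go through ordinary routing, which here sends them to 172.16.1.1 on the LAN instead of into the tunnel (the redirect hhk saw). Subnets, hosts and the route are taken from the diagram; the constructed config lists are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Phase2:
    """One IKE phase 2 entry: a pair of traffic selectors (local <-> remote)."""
    local: str
    remote: str

def spd_lookup(src, dst, phase2_entries):
    """Return the first phase 2 selector pair covering (src, dst), or None.
    Policy-based IPsec only protects packets that match a selector pair;
    the routing table is not consulted to decide tunnel membership."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p2 in phase2_entries:
        if s in ipaddress.ip_network(p2.local) and d in ipaddress.ip_network(p2.remote):
            return p2
    return None

def forwarding_decision(src, dst, phase2_entries, static_routes):
    """Simplified outbound handling: ('ipsec', selector) when a phase 2 matches,
    else ('route', next_hop) from the longest-prefix static route, else ('drop', None)."""
    p2 = spd_lookup(src, dst, phase2_entries)
    if p2 is not None:
        return ("ipsec", f"{p2.local} <-> {p2.remote}")
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in static_routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return ("route", best[1]) if best else ("drop", None)

# Constructed Site A configuration mirroring the thread's diagram (assumed values).
SITE_A_P2_BEFORE = [Phase2("10.10.11.0/24", "172.16.1.0/24")]
SITE_A_P2_AFTER = SITE_A_P2_BEFORE + [Phase2("10.10.11.0/24", "10.10.12.0/24"),
                                      Phase2("10.10.11.0/24", "10.10.13.0/24")]
SITE_A_ROUTES = [("10.0.0.0/8", "172.16.1.1")]  # the static route hhk tried first

if __name__ == "__main__":
    for label, p2s in (("one phase 2", SITE_A_P2_BEFORE), ("extra phase 2", SITE_A_P2_AFTER)):
        for dst in ("172.16.1.1", "10.10.12.1"):
            print(label, "->", dst, forwarding_decision("10.10.11.2", dst, p2s, SITE_A_ROUTES))
```

With only the original phase 2, a ping to 10.10.12.1 is routed toward 172.16.1.1 rather than encrypted, matching the empty packet capture on Site B; once a selector covers 10.10.12.0/24 the same packet is tunnelled.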