OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: x2416 on November 12, 2019, 10:35:53 pm

Title: IPSec Tunnel Established but no routes
Post by: x2416 on November 12, 2019, 10:35:53 pm
I have an IPSec setup which is established. The routes necessary for it aren't put in place correctly. It keeps adding them when the tunnel comes up, but assigning them to the WAN interface.

I can delete the route (which allows the opnsense itself to ping through the tunnel), but nothing behind it works.

Is this a bug? Most documentation says to add a gateway selecting the IPSEC interface, but I can't find it.

Jeff
Title: Re: IPSec Tunnel Established but no routes
Post by: mimugmail on November 13, 2019, 10:32:57 am
Your post is missing some essential information like is it a routed IPsec or policy based?
Can you give examples with real IP addresses?

Which guide did you follow to set up the tunnel?
Title: Re: IPSec Tunnel Established but no routes
Post by: x2416 on November 13, 2019, 02:31:55 pm
Sure.

Phase 1 is the outside ip address for me and outside ip address of the peer. It's followed by the encryption settings for the tunnel. Phase 1 completes.

Phase 2 is

Local Subnet: LAN
Remote Subnet: 10.200.1.0/16

Encryption settings match the connection I'm trying to establish. Phase 2 completes.

I can ping from the remote site to the local LAN address. I see its traffic in opnsense on enc0 using tcpdump.

If I delete the route (route del 10.200.0.0/16), I can then ping through the tunnel to the remote site, but only from the opnsense. I cannot ping through this tunnel from anything behind it.

Alternatively, I can ping from the remote site through the tunnel to the LAN address and anything on it, but when it replies, the reply gets to this OPNSense where IPSec is terminated, and then stops. It never goes through the tunnel according to TCPDUMP.

I thought (following most guides), that I'd be able to set up an interface under Interface Assignments and then add a GW, so that I could add a route. (Remember: the route gets put in place 10.200.0.0/16, but it's assigned to the outside internet connection vtnet, not ipsec.)

As far as I can tell, it's a bug. I found another post where someone said they could get to the interface for IPSec if they go to interfaces.php?if=enc0, and I can also, but changing its name and/or settings makes no difference. It still does not show up in any interfaces.

At a loss on what to do next. :-)

Thanks to anyone who could comment and assist.
Title: Re: IPSec Tunnel Established but no routes
Post by: mimugmail on November 13, 2019, 04:17:31 pm
So, when you use type = tunnel and not routed IPsec, you don't need any gateway. You only define the networks left and right and you are good. Be sure you have "Install Policy" in Phase 1 activated and "Install Routes" in Advanced (both are default).

Also when it's related to incoming connections ... reverse order .. you have to allow this in the IPsec rules tab which will pop up when you enable IPsec.
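With a policy-based (type = tunnel) setup the thing to verify is not a gateway or a route on enc0 but whether the kernel security policies for the Phase 2 pair actually got installed in both directions, which is what "Install Policy" controls. The script below is an added example, not code from the thread or from OPNsense: it parses a constructed sample of FreeBSD `setkey -DP` output (documentation addresses, not the poster's) and reports which direction is missing for a given local/remote pair. It also normalizes the subnet the way the kernel does, so a Phase 2 entry typed as 10.200.1.0/16 is compared as 10.200.0.0/16, matching the route the poster saw.

```python
import ipaddress
import re

# Constructed sample of `setkey -DP` (SPD dump) for a policy-based tunnel
# between LAN 192.168.1.0/24 and remote 10.200.0.0/16. Peer addresses are
# documentation ranges; none of these values come from the thread.
SAMPLE_SPD = """\
10.200.0.0/16[any] 192.168.1.0/24[any] any
\tin ipsec
\tesp/tunnel/203.0.113.2-198.51.100.1/unique:1
\tspid=2 seq=1 pid=1234
\trefcnt=1
192.168.1.0/24[any] 10.200.0.0/16[any] any
\tout ipsec
\tesp/tunnel/198.51.100.1-203.0.113.2/unique:1
\tspid=1 seq=0 pid=1234
\trefcnt=1
"""

# Policy header line: "src[port] dst[port] proto"
POLICY_RE = re.compile(r"^(\S+)\[\S+\]\s+(\S+)\[\S+\]\s+\S+$")


def parse_spd(text):
    """Return a list of (src_net, dst_net, direction, action) tuples.

    Header lines start at column 0; the indented line that follows them
    carries the direction ("in"/"out"/"fwd") and the action ("ipsec",
    "none", "discard"). Other indented lines (SA template, spid, refcnt)
    are skipped.
    """
    entries = []
    current = None
    for line in text.splitlines():
        if not line.startswith(("\t", " ")):
            m = POLICY_RE.match(line.strip())
            if m:
                current = (ipaddress.ip_network(m.group(1), strict=False),
                           ipaddress.ip_network(m.group(2), strict=False))
            else:
                current = None
            continue
        parts = line.split()
        if current and len(parts) == 2 and parts[0] in ("in", "out", "fwd"):
            entries.append((current[0], current[1], parts[0], parts[1]))
    return entries


def check_phase2(entries, local, remote):
    """Return the SPD directions ("out", "in") missing for a Phase 2 pair.

    Subnets are normalized with strict=False, so "10.200.1.0/16" is
    treated as the network 10.200.0.0/16, exactly as the kernel does.
    An empty list means both policies are installed.
    """
    local = ipaddress.ip_network(local, strict=False)
    remote = ipaddress.ip_network(remote, strict=False)
    have_out = any(s == local and d == remote and dr == "out" and a == "ipsec"
                   for s, d, dr, a in entries)
    have_in = any(s == remote and d == local and dr == "in" and a == "ipsec"
                  for s, d, dr, a in entries)
    missing = []
    if not have_out:
        missing.append("out")
    if not have_in:
        missing.append("in")
    return missing


if __name__ == "__main__":
    spd = parse_spd(SAMPLE_SPD)
    for local, remote in [("192.168.1.0/24", "10.200.1.0/16"),
                          ("192.168.2.0/24", "10.200.0.0/16")]:
        gap = check_phase2(spd, local, remote)
        print(f"{local} <-> {remote}: "
              + ("policies installed" if not gap else f"missing {gap}"))
```

On a live box replace `SAMPLE_SPD` with the output of `setkey -DP`. If both directions are present and the tunnel still only works from the firewall itself, the remaining suspect per the reply above is the rule set on the IPsec tab, which has to permit the inbound traffic from the remote network; the WAN-bound route for the remote subnet is not treated as an error by this check.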