OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: sc0ttjm on October 05, 2020, 07:40:54 pm

Title: IPSEC VPN from DrayTek3900 to OpnSense with 2 Subnets
Post by: sc0ttjm on October 05, 2020, 07:40:54 pm
I tried to find a guide on how to set up an IPSEC VPN between a DrayTek Vigor 3900 and OpnSense but couldn't find one anywhere.

I eventually worked it out and got it working, which is great (if anybody wants to know how I did it, just let me know), BUT then I realised that the DrayTek has 2 subnets that both need to be accessible from clients on the other side of the OpnSense firewall.

I found this guide on the DrayTek website: https://www.draytek.com/support/knowledge-base/5428#linux

If you look at "Case 2: Vigor3900 has two local networks while the VPN Peer has one", this is exactly my scenario.
I've followed this guide, but I can only connect to devices on the first subnet and not the second.

The only thing I can think of is: could it be because of the security used on the IPSEC tunnel? In the images on the page the connections are green and mine are purple, which means they are IKEv2 tunnels.

This is my setup (IPs changed):

DataCentre
  Make/Model           OpnSense Business Edition
  LAN Address          10.0.3.0
  LAN Subnet Mask      255.255.255.0
  Router IP Address    10.0.3.1
  Public IP Address    1.1.1.1
  VPN Profile Name     IN_Site_1
  Call Direction       IN
  IKE                  IKEv2

Site 1
  Make/Model           DrayTek Vigor 3900
  LAN Address          10.0.1.0 & 10.0.2.0
  LAN Subnet Mask      255.255.255.0
  Router IP Address    10.0.1.1
  Public IP Address    2.2.2.2
  VPN Profile Name     Out_DataCentre
  Call Direction       Out
  IKE                  IKEv2

Result: tunnel up. I can ping devices on 10.0.1.0 from 10.0.3.0, and devices on 10.0.3.0 from devices on 10.0.1.0, but I cannot ping devices on 10.0.2.0 from 10.0.3.0 or vice versa.

Can anybody help?
Thanks
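The symptom in this post (tunnel up, one of the two DrayTek subnets reachable, the other not) is what IKEv2 traffic-selector narrowing produces when one side's Phase 2 entries do not cover every subnet the other side offers. The following is an added example, not part of the thread and not OPNsense or DrayTek code: a small model of that narrowing, using the addresses from the post. The DrayTek is treated as the initiator because its profile dials out, the entry names and probe hosts are constructed, and the "two Phase 2 entries" configuration is the assumed remedy, not something the post confirms. Note the security point the model makes explicit: a destination with no matching CHILD_SA is not blocked by the tunnel, it simply falls back to ordinary routing on the gateway, so selector coverage should be checked rather than assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Phase2:
    """One Phase 2 entry (an IKEv2 CHILD_SA proposal): a pair of traffic selectors.
    'local' is the subnet behind the gateway that owns the entry, 'remote' the
    subnet behind its peer. Entry names are assumptions for this example."""
    name: str
    local: Net
    remote: Net


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr, strict=True)


def _overlap(a: Net, b: Net) -> Optional[Net]:
    """Intersection of two prefixes (the narrower one), or None when disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def narrow(initiator: Iterable[Phase2], responder: Iterable[Phase2]) -> List[Phase2]:
    """Model of IKEv2 traffic-selector narrowing (RFC 7296, section 2.9): a CHILD_SA
    only covers the overlap between what the initiator proposes and what the
    responder is configured for. Selectors are mirrored across the tunnel, so the
    initiator's local side is compared with the responder's remote side.
    The agreed selectors are expressed from the initiator's point of view."""
    agreed: List[Phase2] = []
    for i in initiator:
        for r in responder:
            local = _overlap(i.local, r.remote)
            remote = _overlap(i.remote, r.local)
            if local is not None and remote is not None:
                agreed.append(Phase2(f"{i.name}<->{r.name}", local, remote))
    return agreed


def find_sa(agreed: Iterable[Phase2], src: str, dst: str) -> Optional[str]:
    """Name of the CHILD_SA that would carry src->dst (an SA is bidirectional), or
    None. None means the packet is handled by ordinary routing, not by the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sa in agreed:
        if (s in sa.local and d in sa.remote) or (s in sa.remote and d in sa.local):
            return sa.name
    return None


# Constructed from the addresses in the post. The DrayTek dials out, so it is the
# initiator; it offers both of its LANs towards the data centre LAN.
DRAYTEK = [
    Phase2("Out_DataCentre/net1", net("10.0.1.0/24"), net("10.0.3.0/24")),
    Phase2("Out_DataCentre/net2", net("10.0.2.0/24"), net("10.0.3.0/24")),
]
# OPNsense (responder) with a single Phase 2 entry covering the first subnet only.
OPNSENSE_ONE_P2 = [Phase2("IN_Site_1/p2a", net("10.0.3.0/24"), net("10.0.1.0/24"))]
# OPNsense with a second Phase 2 entry added for the second subnet (assumed fix).
OPNSENSE_TWO_P2 = OPNSENSE_ONE_P2 + [
    Phase2("IN_Site_1/p2b", net("10.0.3.0/24"), net("10.0.2.0/24")),
]

# Constructed probe hosts: data centre -> net1, data centre -> net2, net2 -> data centre.
PROBES = [("10.0.3.10", "10.0.1.20"), ("10.0.3.10", "10.0.2.20"), ("10.0.2.20", "10.0.3.10")]


def report(responder: List[Phase2]) -> dict:
    """Map each probe to the CHILD_SA name carrying it (None = outside the tunnel)."""
    agreed = narrow(DRAYTEK, responder)
    return {f"{s}->{d}": find_sa(agreed, s, d) for s, d in PROBES}


if __name__ == "__main__":
    for label, cfg in (("one Phase 2", OPNSENSE_ONE_P2), ("two Phase 2", OPNSENSE_TWO_P2)):
        print(label, report(cfg))
```

With a single OPNsense Phase 2 entry the model agrees on one CHILD_SA and both probes involving 10.0.2.0/24 return None, matching the post's ping results; with the second entry added, every probe maps to an SA.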
Title: Re: IPSEC VPN from DrayTek3900 to OpnSense with 2 Subnets
Post by: banym on October 05, 2020, 10:43:51 pm
Can you please post some screenshots of your Phase 2 configurations and the rules on the IPsec interfaces of both sides?

Title: Re: IPSEC VPN from DrayTek3900 to OpnSense with 2 Subnets
Post by: sc0ttjm on October 06, 2020, 11:15:13 am
As requested, please find attached images showing my setup on both the OpnSense and DrayTek routers.
I can't find out how to display them in the post (is there a guide on how to use this forum?).
Title: Re: IPSEC VPN from DrayTek3900 to OpnSense with 2 Subnets
Post by: sc0ttjm on October 06, 2020, 01:21:10 pm
HELP - I tried changing both Phase 2 connections from the default option to routed, and now I've lost connection to the box completely. I've seen this elsewhere in the forums, but I can't find how to fix it again other than reverting to factory defaults, which I really don't want to do.
Please can you help?
Is there a way to undo what I did from the shell?

Thanks in advance!
Title: Re: IPSEC VPN from DrayTek3900 to OpnSense with 2 Subnets
Post by: banym on October 06, 2020, 09:05:28 pm
Yes, you can revert to a backup configuration or an earlier configuration state using the GUI or the shell.
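As an added illustration of the shell route mentioned above (this is example code, not part of the thread and not OPNsense's own tooling): OPNsense keeps the live configuration at /conf/config.xml and writes the previous configuration to /conf/backup/config-<unix time>.xml on each save, and the console menu offers "13) Restore a configuration" for the same purpose. The helper below lists those backups newest first, picks the most recent one whose <ipsec> section still differs from the live file (the state saved just before the change that broke connectivity), keeps the broken file for later review and copies the chosen backup into place. The sample XML it builds for its self-test uses a made-up <mode> element and constructed timestamps and is not OPNsense's real schema; on a real box, run the helpers against the real paths as root and finish with "11) Reload all services" or a reboot.

```python
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List, Optional

# OPNsense locations: live config and the automatic per-save backups.
ACTIVE_CONFIG = Path("/conf/config.xml")
BACKUP_DIR = Path("/conf/backup")


def _backup_time(p: Path) -> int:
    """Numeric part of config-<unix time>.xml; -1 for names that do not fit."""
    try:
        return int(p.stem.split("-", 1)[1])
    except (IndexError, ValueError):
        return -1


def list_backups(backup_dir: Path) -> List[Path]:
    """Backups newest first, ordered by the timestamp in the file name."""
    return sorted(backup_dir.glob("config-*.xml"), key=_backup_time, reverse=True)


def section_xml(config: Path, tag: str) -> bytes:
    """Serialised <tag> subtree of a config file (empty if the section is absent)."""
    el = ET.parse(config).getroot().find(tag)
    return ET.tostring(el) if el is not None else b""


def last_good_backup(active: Path, backups: List[Path], tag: str = "ipsec") -> Optional[Path]:
    """Newest backup whose <tag> section differs from the live config, i.e. the
    state saved just before the most recent change to that section."""
    current = section_xml(active, tag)
    for b in backups:
        if section_xml(b, tag) != current:
            return b
    return None


def restore(active: Path, backup: Path) -> Path:
    """Put the chosen backup in place of the live config. The broken config is kept
    beside it as config-broken.xml (a name chosen for this example) for review.
    Services only pick the file up on reload, so reload all services or reboot."""
    kept = active.with_name("config-broken.xml")
    shutil.copy2(active, kept)
    shutil.copy2(backup, active)
    return kept


# ---- self-contained demonstration on constructed files (not OPNsense's schema) ----
def _write(p: Path, mode: str) -> None:
    p.write_text(f"<opnsense><ipsec><phase2><mode>{mode}</mode></phase2></ipsec></opnsense>")


def run_demo() -> dict:
    """Build a throw-away /conf look-alike: the live config after the change
    ('route'), an older backup from before it ('tunnel') and a newer backup that
    already carries the change. Returns what the helpers decide."""
    root = Path(tempfile.mkdtemp())
    active, bdir = root / "config.xml", root / "backup"
    bdir.mkdir()
    _write(active, "route")
    _write(bdir / "config-1601900000.xml", "tunnel")   # constructed timestamps
    _write(bdir / "config-1601990000.xml", "route")
    backups = list_backups(bdir)
    good = last_good_backup(active, backups)
    restore(active, good)
    restored_mode = ET.parse(active).getroot().find("ipsec/phase2/mode").text
    return {
        "backups": [b.name for b in backups],
        "last_good": good.name,
        "restored_mode": restored_mode,
    }


if __name__ == "__main__":
    print(run_demo())
    # On a real box (as root): restore(ACTIVE_CONFIG, last_good_backup(ACTIVE_CONFIG, list_backups(BACKUP_DIR)))
```

Comparing only the section you changed, rather than whole files, avoids picking a backup that merely differs in unrelated settings saved earlier the same day.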