OPNsense Forum

English Forums => Virtual private networks => Topic started by: mliebherr on February 10, 2021, 04:45:33 pm

Title: Route OpenVPN Site into IPSec Site
Post by: mliebherr on February 10, 2021, 04:45:33 pm
Hello,

I have two sites.

Site A with OpenVPN, connected to Site B with IPsec, which I don't manage.

Now I would like to route the OpenVPN traffic into the remote IPsec site.

I am not able to add a 2nd Phase 2 net, since this is already being used.
I want to NAT (one way) in the OPNsense which is in between.

My Setup Looks like this:

(https://i.ibb.co/S33kK7w/openvpn2ipsec.png)

I can see an ICMP request coming in at the OpenVPN tunnel interface:

~ # tcpdump -i ovpns10 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpns10, link-type NULL (BSD loopback), capture size 262144 bytes
16:41:42.359229 IP 10.242.19.6 > 10.228.22.210: ICMP echo request, id 1, seq 17849, length 998

But it then leaves my WAN Interface (Default route):

~ # tcpdump -i igb1 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:42:24.983414 IP 212.87.134.194 > 10.228.22.210: ICMP echo request, id 26116, seq 17850, length 998

And it seems not to be NATed. Why did the rule here not match?
I expected it to change to 172.18.161.254 > 10.228.22.210

Cheers,
Michael

Title: Re: Route OpenVPN Site into IPSec Site
Post by: Gauss23 on February 10, 2021, 05:15:09 pm
Why do you have WAN as interface in your manual NAT rule?
Title: Re: Route OpenVPN Site into IPSec Site
Post by: mliebherr on February 11, 2021, 09:12:53 am
I changed the interface to "OpenVPN".
I cleared the NAT table and ran the ICMP ping again.
The ping still leaves the WAN (igb1) interface. I would have expected it to jump into my enc0 VPN tunnel?!

(https://i.ibb.co/6ZnXh3G/Outbound-NAT.png)

What am I doing wrong?
Title: Re: Route OpenVPN Site into IPSec Site
Post by: Gauss23 on February 11, 2021, 09:15:14 am
Why OpenVPN? You need to specify the outgoing interface. Try it with IPsec.

As far as I remember there was some issue with natting traffic into an IPsec policy based tunnel. Maybe someone else has to say something about that.
Title: Re: Route OpenVPN Site into IPSec Site
Post by: mliebherr on February 11, 2021, 09:35:09 am
Well, you are right. I changed it to IPsec.
However, the ping still leaves the WAN (igb1) interface.
(Therefore the outbound NAT rule on IPsec will not match?)
Title: Re: Route OpenVPN Site into IPSec Site
Post by: Gauss23 on February 11, 2021, 09:51:00 am
Maybe someone else has an idea to solve that. I think this is related to the issue I have in mind. I never needed to NAT outgoing traffic into an IPsec tunnel.
Title: Re: Route OpenVPN Site into IPSec Site
Post by: mliebherr on February 11, 2021, 04:54:03 pm
Thanks for your help. At least you brought me to the right direction. :)

Solution: "Manual SPD entries" in the IPsec Phase 2:

Register additional Security Policy Database entries
Strongswan automatically creates SPD policies for the networks defined in this phase2. If you need to allow other networks to use this ipsec tunnel, you can add them here as a comma-separated list. When configured, you can use network address translation to push packets through this tunnel from these networks.
e.g. 192.168.1.0/24, 192.168.2.0/24

Then the packet got passed to the enc0 interface and the outgoing NAT rule was hit.
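The thread's resolution hinges on an ordering detail: the IPsec policy (SPD) lookup is done on the packet's original source address, and outbound NAT is only applied on the interface the packet actually leaves. Without an SPD entry for the OpenVPN network, no policy matches, the packet falls through to the default route on WAN and the NAT rule bound to the IPsec interface is never consulted. The model below is an added example (not OPNsense or strongSwan code) that reproduces this decision for the addresses seen in the thread and adds the check a defender would run on a WAN capture: any packet to the remote IPsec subnet seen on igb1 left the box in the clear. The /24 prefixes, the Phase 2 local network 172.18.161.0/24, the `build_spd`/`forward`/`find_leaks` names and the single-rule NAT table are assumptions made for the example.

```python
"""Model of SPD lookup followed by outbound NAT, plus a WAN-capture leak check.

Added example, not code from OPNsense or strongSwan. Host addresses are the
ones from the thread; the /24 prefixes and interface roles are assumptions.
"""
import ipaddress
import re

# Constructed networks (assumed /24s around the addresses seen in the thread)
OPENVPN_NET = ipaddress.ip_network("10.242.19.0/24")     # OpenVPN clients
LOCAL_P2_NET = ipaddress.ip_network("172.18.161.0/24")   # assumed Phase 2 local net
REMOTE_P2_NET = ipaddress.ip_network("10.228.22.0/24")   # assumed Phase 2 remote net
WAN_ADDR = ipaddress.ip_address("212.87.134.194")        # WAN address from capture
NAT_ADDR = ipaddress.ip_address("172.18.161.254")        # expected NAT source

# Outbound NAT rules keyed by egress interface: (source network, translate to)
NAT_RULES = {"enc0": [(OPENVPN_NET, NAT_ADDR)]}


def build_spd(extra_local_nets=()):
    """Return SPD entries as (local_net, remote_net) pairs.

    strongSwan installs the Phase 2 pair itself; the "Manual SPD entries"
    field adds further local networks that may use the same remote network.
    """
    local_nets = [LOCAL_P2_NET, *extra_local_nets]
    return [(net, REMOTE_P2_NET) for net in local_nets]


def spd_lookup(src, dst, spd):
    """Return 'enc0' if some SPD entry covers src -> dst, otherwise None."""
    for local_net, remote_net in spd:
        if src in local_net and dst in remote_net:
            return "enc0"
    return None


def forward(src, dst, spd):
    """Decide (egress interface, post-NAT source) for a packet src -> dst.

    The policy lookup runs on the untranslated source; NAT is applied only on
    the interface the packet leaves, so a missing SPD entry means the IPsec
    NAT rule is never evaluated and the packet takes the WAN default route.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = spd_lookup(src, dst, spd) or "igb1"   # igb1 = WAN / default route
    new_src = src
    for net, translate_to in NAT_RULES.get(iface, []):
        if src in net:
            new_src = translate_to
            break
    if iface == "igb1" and new_src == src:
        new_src = WAN_ADDR   # automatic outbound NAT on WAN, as seen in the capture
    return iface, str(new_src)


# Matches "IP <src> > <dst>:" in tcpdump -n output; TCP/UDP append ".port".
TCPDUMP_RE = re.compile(r"\bIP (\S+) > (\S+):")


def _host(token):
    """Strip a trailing ".port" from an IPv4 token if tcpdump appended one."""
    parts = token.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else token


def find_leaks(capture_lines, remote_net=REMOTE_P2_NET):
    """Return (src, dst) pairs from a WAN capture whose destination lies in the
    remote IPsec subnet: such packets left unencrypted instead of via enc0."""
    leaks = []
    for line in capture_lines:
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        src, dst = _host(m.group(1)), _host(m.group(2))
        if ipaddress.ip_address(dst) in remote_net:
            leaks.append((src, dst))
    return leaks


# Constructed WAN capture: the thread's igb1 line plus an unrelated packet.
WAN_CAPTURE = [
    "16:42:24.983414 IP 212.87.134.194 > 10.228.22.210: ICMP echo request, id 26116, seq 17850, length 998",
    "16:42:25.100000 IP 212.87.134.194.51000 > 1.1.1.1.443: Flags [S], seq 1, length 0",
]

if __name__ == "__main__":
    print("without SPD entry:", forward("10.242.19.6", "10.228.22.210", build_spd()))
    print("with SPD entry:   ", forward("10.242.19.6", "10.228.22.210", build_spd([OPENVPN_NET])))
    print("leaks on WAN:     ", find_leaks(WAN_CAPTURE))
```

Running the script shows the two states from the thread: without the manual SPD entry the OpenVPN client's packet leaves igb1 with the WAN address as source, and with it the packet is steered to enc0 and rewritten to 172.18.161.254. The leak check is the useful standing control: after the fix, a capture on the WAN interface filtered on the remote subnet should come back empty.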