OPNsense Forum

English Forums => Virtual private networks => Topic started by: spetrillo on August 29, 2022, 04:30:36 pm

Title: IPsec VPN Phase 2 Question
Post by: spetrillo on August 29, 2022, 04:30:36 pm
Ok a stupid newbie question I think...

In my phase 2 configuration I have configured the remote subnet as a single host address. Is this wrong and I should be specifying the full subnet? Please see attached screen shot.
Title: Re: IPsec VPN Phase 2 Question
Post by: Patrick M. Hausen on August 29, 2022, 04:35:25 pm
This depends on your specific setup that you agreed upon with whoever is responsible for the other end of the tunnel. The networks need to perfectly match or the connection will not be established. Sometimes people put single hosts into an IPsec tunnel, sometimes /24 or even larger.
Title: Re: IPsec VPN Phase 2 Question
Post by: spetrillo on August 29, 2022, 04:42:00 pm
Ok so I am ok on that. The reason for this question was that I was reading the OPNsense config pages and this section got me thinking because my phase 1 is up but I cannot seem to get phase 2 tunnels to activate:

Phase 1 works but no phase 2 tunnels are connected
Did you set the correct local and remote networks. A common mistake is to fill in the IP address of the remote host instead of its network ending with x.x.x.0

Common issues are unequal settings. Both ends must use the same encryption standard.

I also added the following, per the config pages to my WAN interface. Is this ok?

Firewall Rules Site A & Site B (part 1)
To allow IPsec Tunnel Connections, the following should be allowed on WAN for on sites (under Firewall ‣ Rules ‣ WAN):

Protocol ESP
UDP Traffic on Port 500 (ISAKMP)
UDP Traffic on Port 4500 (NAT-T)
Title: Re: IPsec VPN Phase 2 Question
Post by: Patrick M. Hausen on August 29, 2022, 04:47:08 pm
If you use a single host address, the remote side must use a single host address, too.
If you use a /24, the remote side must use a /24, too.

*All* settings (including but not limited to crypto parameters and timeouts) must perfectly match. Otherwise the tunnel cannot be established. One parameter, network size, ... whatever not matching - no tunnel.

Specifically you cannot alter the networks you "route into the tunnel" without cooperation of the remote side. This is one of the most frequent questions, so I'm adding it here again.

IPsec site to site assumes administrative control over both sides or at least a reasonable cooperation.
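As an added illustration of the matching rule described above (example code, not from the original thread or from OPNsense): a small Python check that takes the Phase 2 settings each side believes it has and reports why the SA cannot come up. The two site dictionaries and the field names are constructed assumptions; the strict network parse also catches the "host address instead of x.x.x.0" mistake quoted earlier in the thread.

```python
import ipaddress

# Constructed example: the Phase 2 settings each side believes it has.
# Keys loosely mirror the OPNsense Phase 2 form fields; the values are
# assumptions for illustration, not taken from the poster's screenshot.
SITE_A = {
    "local": "10.10.0.0/24",
    "remote": "192.0.2.10/32",      # single host at the hosted side
    "proposal": "aes256-sha256-modp2048",
    "lifetime": 3600,
}
SITE_B = {
    "local": "192.0.2.10/32",
    "remote": "10.10.0.0/24",
    "proposal": "aes256-sha256-modp2048",
    "lifetime": 3600,
}

def parse_selector(value):
    """Parse a traffic selector as a network. strict=True rejects the common
    mistake of entering a host address with a subnet mask (10.10.0.5/24)
    instead of the network address (10.10.0.0/24)."""
    try:
        return ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        raise ValueError(f"bad traffic selector {value!r}: {exc}") from exc

def phase2_mismatches(a, b):
    """Return the reasons the Phase 2 SA between a and b cannot be established.
    An empty list means the selectors mirror each other and the proposal
    parameters are identical."""
    problems = []
    try:
        a_local, a_remote = parse_selector(a["local"]), parse_selector(a["remote"])
        b_local, b_remote = parse_selector(b["local"]), parse_selector(b["remote"])
    except ValueError as exc:
        return [str(exc)]
    # Selectors must be mirror images: A's remote is B's local and vice versa,
    # with the same prefix length (a /32 on one side and a /24 on the other fails).
    if a_local != b_remote:
        problems.append(f"A local {a_local} != B remote {b_remote}")
    if a_remote != b_local:
        problems.append(f"A remote {a_remote} != B local {b_local}")
    # Everything else (cipher/hash/DH group, lifetimes) must match exactly too.
    for key in ("proposal", "lifetime"):
        if a[key] != b[key]:
            problems.append(f"{key}: A={a[key]!r} B={b[key]!r}")
    return problems

if __name__ == "__main__":
    for line in phase2_mismatches(SITE_A, SITE_B) or ["phase 2 selectors and proposals match"]:
        print(line)
```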
Title: Re: IPsec VPN Phase 2 Question
Post by: spetrillo on August 29, 2022, 05:09:58 pm
Yes I am trying to put a site to site tunnel to a Rackspace hosted solution. They have control over their side and I have control over my side, but I can open a ticket for help and support.
Title: Re: IPsec VPN Phase 2 Question
Post by: spetrillo on August 29, 2022, 06:24:03 pm
One additional question...

On my phase 2 entries I am specifying one host to connect to. In the screenshot it shows the host IP with a 128 next to it. I would expect to put 31 there but it's greyed out. Is this ok?