OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: reep on January 06, 2017, 06:35:54 pm

Post by: reep on January 06, 2017, 06:35:54 pm
Back to playing again as I have resolved some ISP/IP issues :-)

I have run up an IPsec v2 connection to Libreswan.

I can seem to ping from the Libreswan end to the OPNsense box, but not the other way around.

I followed the IPsec how-to (excellent resource!) to remind myself of how to do this, but I am stuck on this - I guess because I have missed a firewall rule somewhere.

I have the 3 basic rules set for each WAN device (so I can swap around as required - though I guess a floating rule may be better for this?)

WAN rules. As per docs:

Protocol ESP
UDP Traffic on Port 500 (ISAKMP)
UDP Traffic on Port 4500 (NAT-T)

IPsec rules. As per docs:

Enable all, Lan address.

The firewall seems to pass the packet out:

@57 pass out log route-to (vtnet inet from to ! flags S/SA keep state allow-opts label "let out anything from the firewall host itself"

But nothing seems to come back. I can ping the same Libre box from another ipsec connected machine and ping both ways happily.

Note that, as this is in testing at the minute, OPNsense is a VM on Proxmox.
The WAN IP is DHCP from a router at rather than a public IP.
The LAN IP is
The IPsec address is

From the Libreswan box I can ping OPNsense:
[root@test ~]# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=51.5 ms

But a ping from OPNsense on (which has an IPsec local IP) to returns nothing.

I'm sure I fixed this when I had it running before, but I just can't remember what I did!

Any assistance appreciated - I just need to ping both ways to test a few things!

B. Rgds
Post by: reep on January 16, 2017, 05:39:06 pm
Hmmm. Still can't ping out across the VPN. I did think at first it may be due to OPNsense being on a VM, and I then realised the VM host had the wrong gateway set (it should be pointed back to the VM itself), but I modified that with no joy.

Two things that I can see currently.

1. Cannot ping across the IPsec connection on WAN 1. I can ping from the remote host -> OPNsense, but nothing goes from OPNsense -> IPsec remote network/host, and I can't even see it being logged anywhere. I can ping any other host, i.e. OPNsense -> rest of the world.

Routing table attached - routing.png.

WAN 1 and WAN 3 are DHCP from 2 different ADSL routers (as I am in test mode). Local network is Remote IPsec is

WAN 1 IP gateway
WAN 3 IP gateway

2. Also, I just noticed this post:


Seems that the routing table is incorrect - I seem to have the same issue if I try to use my second WAN (I have WAN1 and WAN3).

If I have an IPsec tunnel on WAN 3 and I try to ping across the VPN, it seems packets out are being routed via WAN 1.

Routing table attached - routing2.png.

I would expect to see:

I can also confirm that if I modify the IPsec settings, any IPsec rules appear to disappear. If you select any other rule, Edit, and just save without modifying, then the IPsec rules reappear.

Happy to bug this if required.

B. Rgds
Post by: mickbee on January 22, 2017, 08:03:10 pm
Hi John,

Did this get fixed since? Curious, as I've had a similar issue with routing tables being broken with one VM pfSense (and now OPNsense) instance with 2 WAN connections.