OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: reep on January 06, 2017, 06:35:54 pm

Title: IPSEC ICMP
Post by: reep on January 06, 2017, 06:35:54 pm
Back to playing again as I have resolved some ISP/IP issues :-)

I have run up an IPsec v2 connection to Libreswan.

I seem to be able to ping from the Libre end to the OPNsense box, but not the other way around.

I followed the Ipsec howto (excellent resource!) to remind myself of how to do this but stuck on this - I guess because I have missed a firewall rule somewhere.

I have the 3 basic rules set for each WAN device (so I can swap around as required - though I guess a floating rule may be better for this ?)

WAN rules. As per docs:

Protocol ESP
UDP Traffic on Port 500 (ISAKMP)
UDP Traffic on Port 4500 (NAT-T)

Ipsec rules. As per docs:

Enable all, Lan address.

The firewall seems to pass the packet out:

@57 pass out log route-to (vtnet 192.168.1.1) inet from 192.168.1.13 to ! 192.168.1.0/24 flags S/SA keep state allow-opts label "let out anything from the firewall host itself"

But nothing seems to come back. I can ping the same Libre box from another ipsec connected machine and ping both ways happily.

Note that as this is in testing at the minute Opnsense is a VM on Proxmox.
The WAN IP is DHCP from a router at 192.168.1.13 rather than a public IP
The LAN IP is 10.0.0.251
The Ipsec address is 192.168.97.1

From the Libre box I can ping Opnsense:
[root@test ~]# ping 10.0.0.251
PING 10.0.0.251 (10.0.0.251) 56(84) bytes of data.
64 bytes from 10.0.0.251: icmp_seq=1 ttl=64 time=51.5 ms

But a ping from OPNsense on 10.0.0.251 (which has an IPsec local IP of 192.168.1.13) to 192.168.97.1 returns nothing.

Sure I fixed this when I had it running before but I just can't remember what I did !

Any assistance appreciated - just need to ping both ways to test a few things !

B. Rgds
John
Title: Re: IPSEC ICMP
Post by: reep on January 16, 2017, 05:39:06 pm
Hmmm. Still can't ping out across the VPN. I did think at first it may be due to OPNsense being on a VM, and I then realised the VM host had the wrong gateway set (it should be pointed back to the VM itself), but I modified that with no joy.

Two things that I can see currently.

1. Cannot ping across the IPsec connection on WAN 1. I can ping from the remote host -> OPNsense, but nothing goes from OPNsense -> IPsec remote network/host and I can't even see it being logged anywhere. I can ping any other host, i.e. OPNsense -> rest of the world.

Routing table attached - routing.png.

WAN 1 and WAN 3 are DHCP from 2 different ADSL routers (as I am in test mode). Local network is 10.0.0.0/24. Remote IPsec is 192.168.97.0/24.

WAN 1 IP 192.168.1.11 gateway 192.168.1.1
WAN 3 IP 192.168.2.11 gateway 192.168.2.1

2. Also I just noticed this post :

https://forum.opnsense.org/index.php?topic=1803.msg5647

Seems that the routing table is incorrect - I seem to have the same issue if I try to use my second WAN (I have WAN1 and WAN3).

If I have an IPsec tunnel on WAN 3 and I try to ping across the VPN, it seems packets out are being routed via WAN 1.

Routing table attached routing2.png

I would expect to see:

192.168.97.0/24 192.168.2.1

I can also confirm that if I modify the IPsec settings, any IPsec rules appear to disappear. If you select any other rule, Edit, and just save without modifying, then the IPsec rules reappear.

Happy to bug this if required.

B. Rgds
John
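The routing mismatch John describes in point 2 (the remote IPsec subnet being sent via the WAN 1 gateway instead of the WAN 3 gateway) is easy to miss by eye in a multi-WAN routing table. The script below is an added diagnostic, not something from this thread or from the OPNsense project: it takes `netstat -rn` output, looks up the route for the remote IPsec subnet and reports whether it points at the gateway you expect. The embedded routing table is constructed to mirror the symptom in the post (192.168.97.0/24 wrongly via 192.168.1.1); the function name `check_ipsec_route` is my own.

```shell
#!/bin/sh
# Added example (not from the forum thread): verify that the remote IPsec
# subnet is routed via the expected WAN gateway in FreeBSD/OPNsense
# `netstat -rn` output. The table below is constructed sample data that
# reproduces the symptom from the post: 192.168.97.0/24 goes out via the
# WAN 1 gateway (192.168.1.1) although the tunnel lives on WAN 3.
SAMPLE_ROUTES='Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS        vtnet0
10.0.0.0/24        link#2             U          vtnet1
10.0.0.251         link#2             UHS        lo0
192.168.1.0/24     link#1             U          vtnet0
192.168.2.0/24     link#3             U          vtnet2
192.168.97.0/24    192.168.1.1        UGS        vtnet0'

# check_ipsec_route SUBNET EXPECTED_GW [ROUTES]
#   Prints the gateway actually used for SUBNET.
#   Returns 0 if it matches EXPECTED_GW, 1 if the subnet is routed via a
#   different gateway (the multi-WAN symptom), 2 if there is no route at all.
#   ROUTES defaults to the constructed sample; on a live box pass
#   "$(netstat -rn -f inet)" instead.
check_ipsec_route() {
    subnet=$1
    expected=$2
    routes=${3:-$SAMPLE_ROUTES}
    # first column is the destination, second the gateway; exact match only
    actual=$(printf '%s\n' "$routes" | awk -v s="$subnet" '$1 == s { print $2; exit }')
    if [ -z "$actual" ]; then
        echo "no route for $subnet"
        return 2
    fi
    echo "$subnet via $actual (expected $expected)"
    [ "$actual" = "$expected" ]
}

# Demonstration against the constructed table: the tunnel is on WAN 3, so
# the expected gateway is 192.168.2.1, and the check reports the mismatch.
check_ipsec_route 192.168.97.0/24 192.168.2.1 \
    || echo "remote IPsec subnet is routed via the wrong WAN gateway"
```

On a real OPNsense install run it as `check_ipsec_route 192.168.97.0/24 192.168.2.1 "$(netstat -rn -f inet)"`; a non-zero return is the signal that the tunnel's traffic selector is being pushed out the wrong WAN, which matches what the post describes and is worth checking again after any IPsec settings change, given the rule-disappearing behaviour noted above.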
Title: Re: IPSEC ICMP
Post by: mickbee on January 22, 2017, 08:03:10 pm
Hi John,

Did this get fixed since? Curious, as I've had a similar issue with routing tables being broken with one VM pfSense (and now OPNsense) instance with 2 WAN connections.

thanks!
Mike