OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: 0xDEADC0DE on April 15, 2017, 12:08:23 am

Title: Multiple IPSec VPNs with different firewall rules
Post by: 0xDEADC0DE on April 15, 2017, 12:08:23 am
I have my main office with address: 192.168.0.x/24
Office 2 with 192.168.10.x/24
Office 3 with 192.168.10.x/24
and one road warrior IPSec VPN.
How can I configure the road warrior VPN to have full access to the main office
and Office 2 and Office 3 only access to specific hosts and ports?
With ZyWALL I could configure different Zones for every VPN and assign different rules.
Here I have configured the rules based on the IP range for now, but with road warrior VPN, I don't know the IPs.

I couldn't find any good documentation or I missed it.

Thanks for your help.
Title: Re: Multiple IPSec VPNs with different firewall rules
Post by: pbolduc on May 06, 2017, 06:15:08 pm
Each remote site should be on its own separate subnet. For instance, Office 2 & 3 should not be using the same network segment; this will cause a routing problem. I only know of Cisco that can handle this properly.

You need to ensure static routes are in place for your road warrior subnet to locate these other remote sites through the IPsec tunnel instead of through the default WAN gateway. You will also need static routes from the remote offices routing back to your road warrior VPN router endpoint through the IPsec tunnel.

Firewall policies need to be configured to allow this additional network traffic to come and go for each gateway interface through the existing IPSec tunnel.

Assuming your road warrior VPN endpoint is installed at the main office, the road warrior client will also require persistent static routes set up in the local routing table for Office 2 & 3 to ensure traffic destined for the remote offices goes through the VPN tunnel and not out the local device's default gateway, as there isn't a direct connection from the road warrior device to these two remote networks (Office 2 & 3).
Title: Re: Multiple IPSec VPNs with different firewall rules
Post by: 0xDEADC0DE on May 28, 2017, 02:04:48 am
I have changed Office 3
from 192.168.10.x/24
to 192.168.20.x/24

But still, how can I distinguish in the firewall rules between the different road warrior VPNs and the site2site VPNs?
Title: Re: Multiple IPSec VPNs with different firewall rules
Post by: bartjsmit on May 28, 2017, 09:29:24 pm
Use aliases perhaps? https://docs.opnsense.org/manual/aliases.html

Bart...
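As an added example (not code from the thread or from OPNsense), the following Python script models the alias-based rule set the replies above point at: one alias per site subnet, one alias for the road warrior address pool, and one alias per host that Office 2 and Office 3 expose to road warriors, evaluated first-match-wins on the IPsec interface the way OPNsense "quick" rules are. The road warrior pool (10.99.0.0/24) and the exposed hosts (192.168.10.5, 192.168.20.5) are invented for the example; the site addresses follow the thread after Office 3 was renumbered. It also includes an overlap check that shows why the original plan (Office 2 and Office 3 both on 192.168.10.0/24) could not have been distinguished by address at all.

```python
import ipaddress
from dataclasses import dataclass

# Address plan from the thread plus two assumptions, both invented for this example:
# the mobile-client (road warrior) virtual address pool and the single host that
# each remote office exposes to road warriors.
ALIASES = {
    "MAIN_OFFICE": ["192.168.0.0/24"],
    "OFFICE2": ["192.168.10.0/24"],
    "OFFICE3": ["192.168.20.0/24"],           # renumbered from 192.168.10.0/24
    "RW_POOL": ["10.99.0.0/24"],              # assumed road warrior virtual address pool
    "OFFICE2_SERVICES": ["192.168.10.5/32"],  # assumed host exposed to road warriors
    "OFFICE3_SERVICES": ["192.168.20.5/32"],  # assumed host exposed to road warriors
}

# The thread's original plan, before Office 3 was renumbered.
ORIGINAL_SITES = {
    "MAIN_OFFICE": ["192.168.0.0/24"],
    "OFFICE2": ["192.168.10.0/24"],
    "OFFICE3": ["192.168.10.0/24"],
}


def _networks(alias):
    """Expand an alias name (or 'any') into ip_network objects."""
    if alias == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(n) for n in ALIASES[alias]]


def _matches(alias, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _networks(alias))


@dataclass(frozen=True)
class Rule:
    action: str    # "pass" or "block"
    src: str       # alias name or "any"
    dst: str       # alias name or "any"
    proto: str     # "tcp", "udp" or "any"
    dports: tuple  # destination ports; () means any port
    descr: str


# Rules on the IPsec interface; first match wins, so the road warrior rules
# come before the site-to-site ones and a catch-all block closes the list.
RULES = [
    Rule("pass", "RW_POOL", "MAIN_OFFICE", "any", (), "road warriors: full access to main office"),
    Rule("pass", "RW_POOL", "OFFICE2_SERVICES", "tcp", (443,), "road warriors: HTTPS to one Office 2 host"),
    Rule("pass", "RW_POOL", "OFFICE3_SERVICES", "tcp", (443,), "road warriors: HTTPS to one Office 3 host"),
    Rule("pass", "OFFICE2", "MAIN_OFFICE", "any", (), "site-to-site: Office 2 to main office"),
    Rule("pass", "OFFICE3", "MAIN_OFFICE", "any", (), "site-to-site: Office 3 to main office"),
    Rule("block", "any", "any", "any", (), "default deny"),
]


def evaluate(src_ip, dst_ip, proto, dport):
    """Return (action, description) of the first rule matching the flow."""
    for r in RULES:
        if r.proto not in ("any", proto):
            continue
        if r.dports and dport not in r.dports:
            continue
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            return r.action, r.descr
    return "block", "no rule matched"


def overlapping_aliases(aliases):
    """Return pairs of alias names whose address ranges overlap.

    Two tunnels whose remote subnets overlap cannot be told apart by
    destination address, so no firewall rule can treat them differently.
    """
    names = sorted(aliases)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in aliases[a]:
                for nb in aliases[b]:
                    if ipaddress.ip_network(na).overlaps(ipaddress.ip_network(nb)):
                        pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    # Constructed sample flows: road warrior to each office, and a site-to-site flow.
    for flow in [("10.99.0.7", "192.168.0.20", "tcp", 22),
                 ("10.99.0.7", "192.168.10.5", "tcp", 443),
                 ("10.99.0.7", "192.168.10.9", "tcp", 443),
                 ("10.99.0.7", "192.168.20.5", "tcp", 22),
                 ("192.168.10.9", "192.168.0.20", "tcp", 22)]:
        print(flow, "->", evaluate(*flow))
    print("overlaps in original plan:", overlapping_aliases(ORIGINAL_SITES))
```

The point of the model is that nothing about the rules needs to know which tunnel a packet arrived on: as long as the road warrior pool is a dedicated range that does not collide with any site subnet, source address alone separates mobile clients from site-to-site traffic, and per-host aliases plus port restrictions give the remote offices the narrow exposure the original question asks for.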