OPNsense Forum
Archive => 17.7 Legacy Series => Topic started by: WallaceTechUK on September 19, 2017, 11:46:19 am
-
Hi Guys.
Hope someone can push me in the right direction. I have two OPNsense servers at two separate locations. For example I have
Site A
Subnet 192.168.1.0
Subnet 192.168.2.0
Subnet 192.168.3.0
Site B
Subnet 192.168.4.0
Subnet 192.168.5.0
Subnet 192.168.6.0
Now I have followed the example in the Wiki, see https://wiki.opnsense.org/manual/how-tos/ipsec-s2s.html?highlight=vpn
I can start the VPN and I can pass traffic from 192.168.1.0 to 192.168.4.0 back and forth. Is there something I am missing to allow multiple subnets to be used as part of Phase 2?
Please let me know if you require any more info from me.
Thanks in advance.
-
Hi,
At my company we have two Phase 2 entries. You can have as many Phase 2 entries per Phase 1 as you want.
Regards.
-
In IKEv2 mode, all Phase 2 entries are meshed together unless the tunnel isolation mode is set.
So nicovell3 is right, just add multiple Phase 2 entries to your Phase 1 and that's it.
You could also make the netmask wider, but it may clash with your general network layout: 192.168.0.0/16.
Cheers,
Franco
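When several Phase 2 entries are configured, the quickest way to see which ones actually came up is to compare the traffic selectors strongSwan reports as installed against the subnet pairs you expect. The script below is an added example for this thread, not code from the forum or from OPNsense. It assumes that OPNsense's IPsec backend is strongSwan and that `ipsec statusall` prints each installed CHILD_SA's selectors on a line such as `con1{2}:   192.168.2.0/24 === 192.168.5.0/24`; the status text embedded in the script is constructed to look like that output and covers only the one pair the original poster reports working plus one more, so the full mesh of the two sites' subnets comes out with seven pairs missing.

```shell
#!/bin/sh
# Added troubleshooting example (not from the thread or OPNsense itself):
# compare the Phase 2 (CHILD_SA) traffic selectors strongSwan reports as
# installed against the subnet pairs you expect, so a missing Phase 2
# shows up by name instead of as "this subnet doesn't ping".
#
# Assumptions: OPNsense's IPsec backend is strongSwan, and
# `ipsec statusall` prints each installed CHILD_SA's selectors on a line
# of the form "  con1{2}:   192.168.2.0/24 === 192.168.5.0/24".
# The sample below is constructed to look like that output; on a real
# firewall replace it with: STATUS="$(ipsec statusall)".

STATUS='Security Associations (1 up, 0 connecting):
     con1[1]: ESTABLISHED 5 minutes ago, 203.0.113.1[203.0.113.1]...198.51.100.1[198.51.100.1]
     con1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
     con1{1}:   192.168.1.0/24 === 192.168.4.0/24
     con1{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: 0a1b2c3d_i 4e5f6a7b_o
     con1{2}:   192.168.2.0/24 === 192.168.5.0/24'

# The two sites from the original post.
SITE_A="192.168.1.0/24 192.168.2.0/24 192.168.3.0/24"
SITE_B="192.168.4.0/24 192.168.5.0/24 192.168.6.0/24"

# Print "local remote" for every installed CHILD_SA selector line.
installed_pairs() {
    printf '%s\n' "$1" | awk '$0 ~ / === / { print $(NF-2), $NF }'
}

# Build the full mesh of expected local=remote pairs from two subnet lists
# (one Phase 2 entry per pair is what the OPNsense GUI needs to reach every
# remote subnet from every local one, unless you summarise the networks).
mesh_pairs() {
    for l in $1; do
        for r in $2; do
            echo "$l=$r"
        done
    done
}

# Given the status text followed by expected "local=remote" pairs, print
# the pairs that have no installed CHILD_SA.
missing_pairs() {
    status="$1"; shift
    have="$(installed_pairs "$status")"
    for pair in "$@"; do
        l="${pair%=*}"; r="${pair#*=}"
        if ! printf '%s\n' "$have" | grep -qxF "$l $r"; then
            echo "$pair"
        fi
    done
}

# Stand-alone run: list what is up, then what is missing.
echo "Installed CHILD_SA selectors:"
installed_pairs "$STATUS"
echo "Expected pairs with no CHILD_SA:"
missing_pairs "$STATUS" $(mesh_pairs "$SITE_A" "$SITE_B")
```

Every pair that is reported missing is one to re-check in VPN: IPsec: Tunnel Settings (the Phase 2 exists on both sides, with local and remote swapped, and the same Phase 1). A pair that is installed but still does not pass traffic is a firewall question rather than an IPsec one, so for those the next step is the rules on the IPsec interface.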
-
Thanks for the replies chaps.
I have added multiple subnets to the Phase 2 but the issue I am facing is that none of them work apart from the subnet that the OPNsense servers are on.
Craig
-
OK, so I have this working.
On the Phase 2 setup, the Local Network was set to LAN Net as per the documentation. What I have done is change this from LAN Net to Network and specify the LAN subnet.
Example
Local Network
Type = Network
Address = 192.168.1.0/24
Remote Network
Type = Network
Address = 192.168.4.0/24
I can now see both networks from both sides.
Thanks again for your time to reply earlier.
-
Scrap the above message. I thought this was working but it's not.
-
OK. So I am halfway there. I can ping from one side of the tunnel but not the other.
Site A
Ping 192.168.4.0 Reply Timed Out from 192.168.1.0
Site B
Ping 192.168.1.0 Reply Received from 192.168.4.0
Any ideas? I have checked the config on both OPNsense servers and they are the same. I must be missing something as the tunnel is up and I can ping from one site.
Any ideas?
-
Hi,
Maybe you aren't allowing some part of the traffic? You could place a tcpdump on each enc0 interface (this is the ipsec interface) and see if every packet is being routed through the tunnel.
Good luck!