OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: WallaceTechUK on September 19, 2017, 11:46:19 am

Title: IPSEC Site to Site VPN
Post by: WallaceTechUK on September 19, 2017, 11:46:19 am
Hi Guys.

Hope someone can push me in the right direction. I have two OPNsense servers at two separate locations. For example, I have

Site A
Subnet 192.168.1.0
Subnet 192.168.2.0
Subnet 192.168.3.0

Site B
Subnet 192.168.4.0
Subnet 192.168.5.0
Subnet 192.168.6.0

Now I have followed the example in the Wiki, see https://wiki.opnsense.org/manual/how-tos/ipsec-s2s.html?highlight=vpn

I can start the VPN and I can pass traffic from 192.168.1.0 to 192.168.4.0 back and forth. Is there something I am missing to allow multiple subnets to be used as part of Phase 2?

Please let me know if you require any more info from me.

Thanks in advance.
Title: Re: IPSEC Site to Site VPN
Post by: nicovell3 on September 19, 2017, 12:19:47 pm
Hi,

At my company we have two Phase 2 entries. You can have as many Phase 2 entries for each Phase 1 as you want.

Regards.
Title: Re: IPSEC Site to Site VPN
Post by: franco on September 19, 2017, 12:49:05 pm
In IKEv2 mode, all Phase 2 entries are meshed together unless the tunnel isolation mode is set.

So nicovell3 is right, just add multiple Phase 2 entries to your Phase 1 and that's it.

You could also make the netmask wider, but it may clash with your general network layout: 192.168.0.0/16.

Cheers,
Franco
Title: Re: IPSEC Site to Site VPN
Post by: WallaceTechUK on September 19, 2017, 01:44:27 pm
Thanks for the replies chaps.

I have added multiple subnets to the Phase 2 but the issue I am facing is that none of them work apart from the subnet that the OPNsense servers are on.

Craig
Title: Re: IPSEC Site to Site VPN
Post by: WallaceTechUK on September 19, 2017, 04:47:41 pm
Ok, so I have this working.

On the Phase 2 setup, the Local Network was set to LAN Net as per the documentation. What I have done is change this from LAN Net to Network and specified the LAN subnet.

Example

Local Network
Type = Network
Address = 192.168.1.0/24

Remote Network
Type = Network
Address = 192.168.4.0/24

I can now see both networks from both sides.

Thanks again for your time to reply earlier.
Title: Re: IPSEC Site to Site VPN
Post by: WallaceTechUK on September 19, 2017, 05:28:52 pm
Scrap the above message. I thought this was working but it's not.
Title: Re: IPSEC Site to Site VPN
Post by: WallaceTechUK on September 19, 2017, 05:57:03 pm
Ok, so I am halfway there. I can ping from one side of the tunnel but not the other.

Site A

Ping 192.168.4.0 Reply Timed Out from 192.168.1.0

Site B

Ping 192.168.1.0 Reply Received from 192.168.4.0

Any ideas? I have checked the config on both OPNsense servers and they are the same. I must be missing something as the tunnel is up and I can ping from one site.

Any ideas?
Title: Re: IPSEC Site to Site VPN
Post by: nicovell3 on September 19, 2017, 06:19:34 pm
Hi,

Maybe you aren't allowing some part of the traffic? You could place a tcpdump on each enc0 interface (this is the IPsec interface) and see if every packet is being routed through the tunnel.

Good luck!
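As an added illustration of franco's point that a non-isolated IKEv2 tunnel needs a Phase 2 entry for every local/remote subnet pair, and of the one-way ping symptom later in the thread, here is a small Python check that lists the pairs a peer is still missing and the entries whose mirror image is absent on the other peer. It is not from the thread or from OPNsense itself; the subnets and the two peer configurations are constructed from the thread's example.

```python
from ipaddress import ip_address, ip_network

# Constructed inputs modelled on the thread: three /24s per site.
SITE_A_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
SITE_B_SUBNETS = ["192.168.4.0/24", "192.168.5.0/24", "192.168.6.0/24"]


def _pair(local, remote):
    return (ip_network(local), ip_network(remote))


def full_mesh(local_subnets, remote_subnets):
    """All (local, remote) pairs a non-isolated IKEv2 peer needs as Phase 2 entries."""
    return {_pair(l, r) for l in local_subnets for r in remote_subnets}


def missing_phase2(local_subnets, remote_subnets, configured):
    """Phase 2 pairs still absent from one peer's configuration, as sorted strings."""
    have = {_pair(l, r) for l, r in configured}
    return sorted(f"{l} <-> {r}" for l, r in full_mesh(local_subnets, remote_subnets) - have)


def unmirrored(site_a_p2, site_b_p2):
    """Entries on either peer whose mirror image (remote, local) the other peer lacks;
    without the mirror the child SA is not negotiated or reply traffic has no selector."""
    a = {_pair(l, r) for l, r in site_a_p2}
    b = {_pair(l, r) for l, r in site_b_p2}
    only_a = sorted(f"A: {l} <-> {r}" for l, r in a if (r, l) not in b)
    only_b = sorted(f"B: {l} <-> {r}" for l, r in b if (r, l) not in a)
    return only_a + only_b


def selector_covers(configured, src, dst):
    """True if some Phase 2 entry on this peer selects traffic from src to dst."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(l) and d in ip_network(r) for l, r in configured)


# Constructed peer configs: Site A carries the full mesh, Site B only two entries
# (Site B's "local" is its own subnet, its "remote" is a Site A subnet).
SITE_A_P2 = [(str(l), str(r)) for l, r in sorted(full_mesh(SITE_A_SUBNETS, SITE_B_SUBNETS))]
SITE_B_P2 = [("192.168.4.0/24", "192.168.1.0/24"), ("192.168.5.0/24", "192.168.1.0/24")]

if __name__ == "__main__":
    print("missing on B:", missing_phase2(SITE_B_SUBNETS, SITE_A_SUBNETS, SITE_B_P2))
    print("unmirrored:", unmirrored(SITE_A_P2, SITE_B_P2))
    print("A selects 192.168.2.10 -> 192.168.5.10:",
          selector_covers(SITE_A_P2, "192.168.2.10", "192.168.5.10"))
```

Missing or unmirrored entries are only one cause of one-way reachability; firewall rules on the IPsec interface, which nicovell3's tcpdump on enc0 would expose, are the other usual one.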