OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: David Fowler on March 26, 2018, 11:43:11 am

Title: VPN with outbound NAT and multiple phase 2 entries
Post by: David Fowler on March 26, 2018, 11:43:11 am
I've been trying to get a VPN up and running between my site and a customer, with very little success. The phase 1 side is fine, as we're getting some level of connectivity. The issue lies with the five phase 2 entries. Put simply, I have yet to get more than one tunnel active at any time. If it's possible to connect to one remote endpoint, it's not possible to connect to any others.

There's an additional complication, which is outbound NAT. This is achieved using one-to-one NAT settings, plus a manual SPD entry in the phase 2 settings. So, a PC on 172.x.x.1 connects to the remote site as 10.x.x.9. I can see in the logs that all attempted communication is using the correct address, but only one remote address is contactable. A trace route to the working address looks just as it should; to any of the others it stops at the firewall, so it looks as if the device simply doesn't know where to send it.

Right now I'm at the point of changing the IP range of our network (it's a one-PC subnet and not part of our main network) to match the value required for outbound NAT, and then drop the NAT and SPD entries on the OPNsense. I'm sure I shouldn't have to be doing this, but I need to get it working.

But it did occur to me that someone else may have seen this or a very similar problem, hence the post on here. All assistance very gratefully received!

Title: Re: VPN with outbound NAT and multiple phase 2 entries
Post by: franco on March 27, 2018, 11:14:10 am
Hi David,

Is this a Fortigate on the other end? Use IKEv2 and "Tunnel Isolation".
Cheers,
Franco

Title: Re: VPN with outbound NAT and multiple phase 2 entries
Post by: David Fowler on April 06, 2018, 11:47:31 am
Hi Franco,

Not entirely sure what's on the other end to be honest. Eventually I lost patience and changed the local IP subnet to match what was required by the remote networks - as there's only a virtual PC and the OPNsense on the subnet it wasn't too big a task!

Cheers,

David

Title: Re: VPN with outbound NAT and multiple phase 2 entries
Post by: franco on April 07, 2018, 05:47:08 pm
Ok, that works too. :)
Cheers,
Franco