General Discussion / How to route networks across site-to-site IPsec-VPN tunnel?
« on: February 08, 2019, 08:07:55 am »
Hi All, I am trying to route b/w two sites over the VPN in the following scenario.
10.10.11.0/24 ----[Opnsense A]<---ipsec vpn --->[Opnsense B]---172.16.1.0/24---[Router] --- Network [ 10.10.12.0/24, 10.10.13.0/24 ... ]
From 10.10.11.0/24 I can reach 172.x.x.x, however I can't reach the 10.10.12.0/24, 10.10.13.0/24, etc. networks.
I created a gateway 172.16.1.1 (OPNsense B LAN IP). Tried both int LAN/WAN and put in a static route in OPNsense A pointing 10.0.0.0/8 to 172.16.1.1.
When I start a ping from 10.10.11.2 I get the following from OPNsense A. Looks like it sees 172.16.1.1 as a LAN network and is doing an ICMP redirect.
PING 10.10.12.1 (10.10.12.1): 56 data bytes
36 bytes from 10.10.11.2: Redirect Host(New addr: 172.16.1.1)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 f0ae 0 0000 40 01 6f33 10.10.11.2 10.10.12.1
I guess there is something broken with my route. Using the far-side host as the next hop does not seem to be working.
How do I specify a route with the IPsec tunnel as the next hop?
Your input is much appreciated.
Thx
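Added example, not part of the post and not OPNsense or strongSwan code: a small Python simulation of why a static route cannot push traffic into a policy-based IPsec tunnel. A policy-based gateway consults the SPD (the Phase 2 traffic selectors) before the routing table; a packet that matches no selector falls through to ordinary routing, and with the poster's 10.0.0.0/8 route via a gateway on the LAN interface that means "forward out the interface it came in on and send an ICMP Redirect", which is what the ping output shows. The interface names, the WAN prefix 203.0.113.0/24 and the single Phase 2 entry 10.10.11.0/24 <-> 172.16.1.0/24 are assumptions read off the diagram. The "fixed" selector set illustrates the general rule for policy-based tunnels (each remote network needs a Phase 2 selector covering it); it is not an answer taken from this thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Phase2:
    """One IPsec Phase 2 entry: the local/remote traffic selectors the SPD matches on."""
    local: str   # local subnet, e.g. "10.10.11.0/24"
    remote: str  # remote subnet, e.g. "172.16.1.0/24"


@dataclass(frozen=True)
class Route:
    """A routing-table entry; gateway=None means directly connected."""
    prefix: str
    iface: str
    gateway: Optional[str] = None


def spd_match(selectors: List[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """Return the first Phase 2 whose selectors cover src -> dst, else None.
    A policy-based IPsec gateway consults this table before normal routing."""
    s, d = ip_address(src), ip_address(dst)
    for p2 in selectors:
        if s in ip_network(p2.local) and d in ip_network(p2.remote):
            return p2
    return None


def route_lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel forwarding table does."""
    d = ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        net = ip_network(r.prefix)
        if d in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    return best


def forward(selectors: List[Phase2], routes: List[Route],
            src: str, dst: str, in_iface: str) -> str:
    """Decide what a policy-based gateway does with a packet received on in_iface."""
    p2 = spd_match(selectors, src, dst)
    if p2 is not None:
        # Matched an SPD policy: encapsulate and send through the tunnel.
        return f"ipsec:{p2.local}<->{p2.remote}"
    r = route_lookup(routes, dst)
    if r is None:
        return "drop:no-route"
    if r.gateway is not None and r.iface == in_iface:
        # Forwarding via a gateway on the same interface the packet arrived on:
        # the host is told to use that gateway directly via ICMP Redirect.
        return f"redirect:{r.gateway}"
    return f"forward:{r.iface} via {r.gateway or 'connected'}"


# --- Constructed scenario mirroring the post (interface names and WAN prefix are assumptions) ---
SELECTORS_A = [Phase2("10.10.11.0/24", "172.16.1.0/24")]  # the one Phase 2 the tunnel has
ROUTES_A = [
    Route("10.10.11.0/24", "lan"),                # OPNsense A LAN
    Route("203.0.113.0/24", "wan"),               # OPNsense A WAN (documentation range)
    Route("0.0.0.0/0", "wan", "203.0.113.1"),     # default route
    Route("10.0.0.0/8", "lan", "172.16.1.1"),     # the poster's static route, gateway on LAN
]
# General rule for policy-based tunnels: every remote network needs a selector covering it.
SELECTORS_A_FIXED = SELECTORS_A + [Phase2("10.10.11.0/24", "10.10.12.0/24"),
                                   Phase2("10.10.11.0/24", "10.10.13.0/24")]

if __name__ == "__main__":
    for sel, label in ((SELECTORS_A, "as posted"), (SELECTORS_A_FIXED, "with extra Phase 2")):
        for dst in ("172.16.1.1", "10.10.12.1"):
            print(f"{label:20} 10.10.11.2 -> {dst:12} {forward(sel, ROUTES_A, '10.10.11.2', dst, 'lan')}")
```

Running the script prints the tunnel decision for 172.16.1.1 and the redirect for 10.10.12.1 with the posted configuration, and the tunnel decision for both once the extra selectors exist. Putting the 10.0.0.0/8 gateway on WAN instead (the poster's other attempt) is modelled too: the packet then leaves the WAN interface in cleartext toward a next hop that is not on that segment, so it never reaches site B either. Route-based IPsec (a VTI interface that routes can point at) is the other design that makes "tunnel as next hop" a real routing-table entry; this simulation covers only the policy-based case.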