Virtual private networks / IPSec between OPNSense and EdgeRouter Infinity, no traffic from OPNSense side
« on: January 08, 2024, 05:08:17 pm »
Hi.
My company has servers at two colocation datacenters. We used to have EdgeRouter Infinities at both sites connected with VTI IPSec but I recently changed out one of the EdgeRouters with an OPNSense instance. I tried setting up a VTI IPSec connection between the still running EdgeRouter and the new OPNSense instance, but I haven't been able to get it usable.
The problem seems to be that the OPNSense gets traffic through the tunnel but doesn't send it to the ipsecN interface (and likewise, traffic from the inside network that should be routed to the other end of the IPSec tunnel doesn't enter the ipsecN interface).
The tunnel is up according to the VPN > IPSec > Status Overview page and I can see traffic arriving on the enc0 interface with tcpdump. However, tcpdump on the ipsec10 interface doesn't show any traffic.
I followed the guide at https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html to set up a new-style connection instead of the "legacy" style.
My home router is also an OPNSense instance and I've set up what I thought was an identical tunnel there without problems. Tcpdump shows traffic on both the enc0 and ipsecN.
I'm not sure how to troubleshoot this; I've gone through the guide a few times to see if I can find any discrepancy, but I'm not an advanced enough user of OPNSense to know what to do next.
Any hints?
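Added diagnostic script, not part of the original post: it cross-checks the child SA that strongSwan reports against the VTI interface, since on OPNsense's FreeBSD base an ipsecN interface is bound to an SA by matching reqid, and a mismatch gives exactly the "decrypted traffic on enc0 but nothing on ipsec10" symptom described above. The `swanctl --list-sas` and `ifconfig ipsec10` outputs embedded here are constructed samples and their formats are assumed; on a live box you would feed it the real command output.

```python
import re
# Constructed sample of `swanctl --list-sas` (strongSwan output format assumed; values made up).
SWANCTL_SAS = """\
dc-tunnel: #3, ESTABLISHED, IKEv2, 1f2e3d4c5b6a7988_i* 8899aabbccddeeff_r
  local  'opnsense.example' @ 203.0.113.10[500]
  remote 'edgerouter.example' @ 198.51.100.20[500]
  dc-tunnel: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    in  c0a80001,   4200 bytes,     35 packets,     1s ago
    out d0b90002,      0 bytes,      0 packets
"""

# Constructed sample of `ifconfig ipsec10` on OPNsense/FreeBSD (format assumed).
IFCONFIG_VTI = """\
ipsec10: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 203.0.113.10 --> 198.51.100.20
        reqid: 10
"""

def parse_child_sas(text):
    """One dict per child SA: reqid, state, and in/out packet counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s+\S+: #\d+, reqid (\d+), (\w+),", line)
        if m:
            cur = {"reqid": int(m.group(1)), "state": m.group(2), "in": 0, "out": 0}
            sas.append(cur)
        m = re.match(r"\s+(in|out)\s+[0-9a-f]+,\s+\d+ bytes,\s+(\d+) packets", line)
        if m and cur is not None:
            cur[m.group(1)] = int(m.group(2))
    return sas

def vti_reqid(text):
    """reqid the VTI is bound to, or None if ifconfig shows none."""
    m = re.search(r"^\s*reqid:\s*(\d+)", text, re.M)
    return int(m.group(1)) if m else None

def diagnose(sas_text, ifconfig_text):
    """Cross-check child SAs against the VTI; returns a list of findings."""
    sas, vti, findings = parse_child_sas(sas_text), vti_reqid(ifconfig_text), []
    if vti is None:
        findings.append("VTI reports no reqid: it is not bound to any SA")
    for sa in sas:
        if sa["state"] != "INSTALLED":
            findings.append(f"child SA reqid {sa['reqid']} is {sa['state']}, not INSTALLED")
        elif vti is not None and sa["reqid"] != vti:
            findings.append(f"reqid mismatch: SA {sa['reqid']} vs VTI {vti}; decrypted packets stay on enc0 and never reach the VTI")
        if sa["in"] and not sa["out"]:
            findings.append("SA receives but never sends: the route for the remote network does not point at the VTI gateway")
    return findings
```

With the constructed samples this reports both the reqid mismatch and a one-way counter, which are the two checks to make before re-reading the how-to guide again.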