Messages - kapara

#1
Would really appreciate a set of instructions that actually work. Why they would add a product and then documentation that fails to actually allow one to set it up is ridiculous!

Again, if you have a set of instructions on how to set up, I would really appreciate it! I have tried for 4 hours now and cannot access the internal network from the WireGuard client, yet if I connect with WireGuard to the Untangle firewall it works flawlessly and they even create the client config file for you.
#2
I have spent 4 hours now trying to get this VPN solution to work and have rebuilt the firewall 5 times, reinstalled WireGuard just as many times, and gone through the tutorial, and every time the setup fails. I am unable to pass any traffic to the internal networks. One of the worst setups I have experienced so far with OpnSense. I am hoping someone can provide a better tutorial that actually explains how to set this up, as even after reading it a dozen times and walking through it and setting it up, it fails to work.
#3
I am trying to set up an IPsec VPN tunnel between an OpnSense and a Unifi UDM-PRO.

On the OpnSense side it has the option to select a checkbox for Dynamic gateway, but I can find no documentation on how to properly set this up. The remote firewall does not have DynDNS and, per the information I have found, it is not needed.

Is there any documentation on the proper settings for the P1 in OpnSense if the remote firewall supporting IPsec is using a dynamic IP?

Remote Gateway will not be correct because IP is dynamic.
Peer identifier is also an unknown so not sure what to choose.
#4
General Discussion / Re: Multi-Wan VPN Failover
March 19, 2020, 06:24:15 PM
You mean this?

https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html

I do not see any references to GRE or BGP
#5
Regretfully, some of my customers can only support IPsec, and I have also seen worse performance with OpenVPN than with IPsec.
#6
General Discussion / Re: Multi-Wan VPN Failover
March 13, 2020, 12:05:24 AM
Is there any documentation on how to do this or is it a figure it out on your own scenario?
#7
Whenever I enable dual-WAN and have IPsec configured over one of the WAN connections, traffic for the IPsec stops working.

In the documentation there is a reference to the DNS rule that needs to be created, but nothing about how to handle the IPsec traffic to ensure it continues to work.
#8
Development and Code Review / Re: UniFi Controller
March 12, 2020, 07:44:27 PM
I tend to agree that deploying this on an OpnSense makes very little sense. You can spin up a very inexpensive VPS at OVH for less than $10.00 a month and deploy the Unifi controller on it. It will be far more reliable than on an OpnSense box. If you are doing this at home then I might understand, but for business a cheap VPS is the way to go and allows for multi-tenant, as I use with over 50 companies.
#9
I would be really interested in finding someone that could develop a VPN failover control solution possibly as a plugin.

It does not make sense why this cannot be an easy solution.

What I envision is as follows:

The ability for 2 firewalls to communicate with each other over ssl/https over a single or dual WAN setup.

It will allow the sharing of information as to which WAN connections are up, to allow each firewall to determine which IPsec tunnel to disable or enable based on defined criteria.

For Example: 

Site A has a single static WAN
Site B has 2 static WANs in failover

Both sites have 2 (P1 and P2) IPsec configurations so that VPN can work across all WAN interfaces.

Depending on which interface is up or down, the 2 firewalls will communicate this info and, based on the info, will disable or enable the respective tunnel. This can also be weighted so that when a primary WAN comes back up it will fail the tunnel back over.

If I do not see any interest in this I will try my luck on Upwork, but it would be great to see if anyone else is interested and find someone to build this out, as it is a feature that is available in pretty much every other firewall solution.
#10
General Discussion / Re: Multi-Wan VPN Failover
March 12, 2020, 07:24:39 PM
I don't understand why this cannot be a simple solution.

One of my situations:

Site A is in a Datacenter with a single redundant internet connection with static IP assigned to OpnSense.

Site B has 2 wan connections with static IP addresses.

I have 2 IPsec VPN configurations in both firewalls so that I can use VPN failover, but I must manually disable and enable the connections. It works, though.

Why can't this be automated? For example:

Site A: Pings both remote WAN interfaces. If remote WAN1 stops responding, it disables the VPN to remote WAN1 and enables the VPN to remote WAN2.

Site B: If WAN1 goes down, it disables the P1 and P2 VPN to Site A using WAN1 and enables the P1 and P2 using WAN2.

If WAN1 comes back online, Site B can send a command to Site A notifying it that WAN1 is back online and to disable its VPN to WAN2 and enable the VPN to WAN1.

You could even have a solution that communicates via ssl between the 2 firewalls using the gateway group so that the information transfer does not have to happen over the VPN tunnel.
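The decision logic sketched in the two failover posts above (probe each remote WAN, enable the tunnel toward the best WAN that is up, fail back when the primary returns, and optionally merge in the status the other site pushes over its control channel), written out as an added example. This is not code from the original posts or from OPNsense; the peer names, the `tunnel_id` values and the `"enable"`/`"disable"` action names are assumptions for illustration, and applying an action to a real firewall is left to whoever wires this up. The probe results are constructed inline so it runs offline.

```python
"""Added example: tunnel selection for two-site IPsec failover with hysteresis.

Assumptions (not from the original posts): a remote WAN is named "WAN1"/"WAN2",
each has one local Phase 1 entry identified by an arbitrary tunnel_id string,
and the caller applies the returned ("enable"|"disable", tunnel_id) actions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Peer:
    """One remote WAN and the local Phase 1 entry (tunnel) that targets it."""
    name: str        # remote WAN name, e.g. "WAN1"
    tunnel_id: str   # assumed identifier of the local P1 entry for this remote WAN
    priority: int    # 0 = preferred (primary WAN); higher = failover


@dataclass
class FailoverController:
    """Keeps exactly one tunnel enabled: the highest-priority peer that is up.

    Both the failure and the recovery transitions need several consecutive
    probe results, so a flapping link does not flap the tunnel with it.
    """
    peers: List[Peer]
    fail_threshold: int = 3        # consecutive failed probes before a peer is 'down'
    recover_threshold: int = 5     # consecutive good probes before it is 'up' again
    active: Optional[str] = None   # name of the peer whose tunnel is currently enabled
    _fails: Dict[str, int] = field(default_factory=dict)
    _oks: Dict[str, int] = field(default_factory=dict)
    _up: Dict[str, bool] = field(default_factory=dict)

    def __post_init__(self) -> None:
        for p in self.peers:
            self._fails[p.name] = 0
            self._oks[p.name] = 0
            self._up[p.name] = True   # optimistic until probes prove otherwise

    def _tunnel(self, peer_name: str) -> str:
        return next(p.tunnel_id for p in self.peers if p.name == peer_name)

    def observe(self, probes: Dict[str, bool],
                remote_report: Optional[Dict[str, bool]] = None) -> List[Tuple[str, str]]:
        """Feed one round of results and return the tunnel actions to apply.

        probes        : local ping result per remote WAN name (True = reply seen)
        remote_report : optional view the other site pushed over its control
                        channel (which of its own WANs it considers up); a WAN
                        counts as good only if both sides agree
        """
        for p in self.peers:
            ok = probes.get(p.name, False)
            if remote_report is not None:
                ok = ok and remote_report.get(p.name, False)
            if ok:
                self._oks[p.name] += 1
                self._fails[p.name] = 0
                if not self._up[p.name] and self._oks[p.name] >= self.recover_threshold:
                    self._up[p.name] = True
            else:
                self._fails[p.name] += 1
                self._oks[p.name] = 0
                if self._up[p.name] and self._fails[p.name] >= self.fail_threshold:
                    self._up[p.name] = False

        candidates = [p for p in self.peers if self._up[p.name]]
        desired = min(candidates, key=lambda p: p.priority).name if candidates else None

        actions: List[Tuple[str, str]] = []
        if desired != self.active:
            if self.active is not None:
                actions.append(("disable", self._tunnel(self.active)))
            if desired is not None:
                actions.append(("enable", self._tunnel(desired)))
            self.active = desired
        return actions


def simulate() -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Constructed scenario: remote WAN1 stops answering for a while, then returns.

    Returns (round_number, actions) for every round that produced an action.
    """
    ctl = FailoverController([Peer("WAN1", "p1-to-wan1", 0), Peer("WAN2", "p1-to-wan2", 1)])
    rounds = ([{"WAN1": True, "WAN2": True}] * 2
              + [{"WAN1": False, "WAN2": True}] * 4
              + [{"WAN1": True, "WAN2": True}] * 6)
    log = []
    for i, probe in enumerate(rounds, 1):
        actions = ctl.observe(probe)
        if actions:
            log.append((i, actions))
    return log


if __name__ == "__main__":
    for rnd, acts in simulate():
        print(f"round {rnd}: {acts}")
```

In the constructed run the primary tunnel is enabled on round 1, the switch to WAN2 happens on round 5 (third consecutive miss), and the failback to WAN1 happens on round 11 (fifth consecutive good probe), so a single lost ping never moves the tunnel. If the `remote_report` channel is used, it must be authenticated (mutual TLS or a signed message with a timestamp); otherwise anyone who can reach that listener can report a WAN as down and force tunnel flapping.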
#11
I have configured 2 opnsense firewalls.

Is there some kind of rule I need to add or modify to allow location2 to pass traffic across IPSEC to location1?

Location1 can ping the LAN at Location2, but Location2 cannot ping the LAN at Location1.

Location1: Single WAN with 2 VPN configurations, one for each remote IP.
IPsec VPN to RemoteWAN1 of Location2 is disabled.
IPsec VPN to RemoteWAN2 is up and connected.
I can ping the remote LAN subnet.


Location2: Dual WAN. WAN1 is down and WAN2 is up.

Using a Gateway Group with both WAN1 and WAN2. The LAN default rule is set to the GW Group.

The DNS rule is placed above the default group rule to allow DNS, as described in the documentation.

I am unable to ping devices in the Location1 LAN.
#12
20.1 Legacy Series / Re: Netflow not working
March 03, 2020, 04:17:05 AM
Anyone know if this is a bug or what?
#13
20.1 Legacy Series / Re: cflow bug?
March 02, 2020, 11:43:28 PM
Added correct photo
#14
20.1 Legacy Series / Netflow not working
March 02, 2020, 10:19:43 PM
The Netflow system does not seem to be attaching templates to the data being sent. See photo (updated photo, see arrows). They should have template info, so without it the data is not able to be properly ingested into a Netflow collector.
#15
General Discussion / Re: Multi-Wan VPN Failover
November 29, 2019, 09:45:01 PM
For example, can I use this example in the photo for the location with dual static? The gateway group is set up as Comcast primary and ATT secondary as a failover group. I can create an A record for both gateway IPs so that they are both firewall.domain.com.