Messages

1

19.1 Legacy Series / Re: Getting opnSense to route over IPSec tunnel

« on: July 30, 2019, 05:03:40 am »

Any further suggestions?

As an interim (hopefully), dirty hack I've spun up a VM at each end that sits on the "LAN" segment and uses unbound to steer requests for the internal domain of the other location to the opposite end's DNS then added overrides on the gateways at each end to tell them to ask that Unbound for those domains, which works but it's a bit of a kludge.

i.e. gateway 192.168.1.1 has override for <other end internal domain> to 192.168.1.3 which runs unbound and forwards queries for that domain to 192.168.30.1 (gateway/DNS at the other end) and vice-versa.

Thanks

2

19.1 Legacy Series / Re: Getting opnSense to route over IPSec tunnel

« on: July 23, 2019, 02:17:22 pm »

Not entirely clear on what you're after, I've attached a screen grab of a tcpdump session attempting to traceroute to the DNS on the other site.

tcpdump was running on the WAN interface filtered using "host 192.168.1.1" (the remote gateway's IP address).

the .209 address is my nexthop (default gateway configured on the opnSense box)

3

19.1 Legacy Series / Re: Getting opnSense to route over IPSec tunnel

« on: July 23, 2019, 07:15:26 am »

Didn't notice the "expand" button when I was looking at the status overview, here's the expanded version.

4

19.1 Legacy Series / Re: Getting opnSense to route over IPSec tunnel

« on: July 23, 2019, 07:12:45 am »

Not sure how to embed attached images inline in a post on this forum.

I've attached sanitised screenshots of;
- IPSec Status Overview
- IPSec Tunnel Settings
- IPSec Security Association Database
- IPSec Security Policy Database

5

19.1 Legacy Series / Re: Getting opnSense to route over IPSec tunnel

« on: July 23, 2019, 02:08:30 am »

Not familiar with that setting and can't find it.

Unless you are asking if I've got a gateway defined in any of my firewall rules? If that's the case then the answer is no.

6

19.1 Legacy Series / Re: Getting opnSense to route over IPSec tunnel

« on: July 20, 2019, 04:27:03 am »

OK, I created a new phase 2 on this site with;
Local Subnet = Local WAN address
Remote Subnet = Remote LAN network

And a matching Phase 2 at the other end (local and remote reversed of course), restarted IPSec on both ends.

Still trying to route 192.168.1.1 out the default gateway...

Also tried using "WAN Subnet" for local, and just the remote gateway IP for Remote (because the local gateway only really needs to be able to connect to that one box).

I can see all the requisite entries in the Security Policy Database, so I'm not sure what's going on :/

7

19.1 Legacy Series / Re: Getting opnSense to route over IPSec tunnel

« on: July 19, 2019, 03:10:23 pm »

Install Policy is checked in my Phase 1 config.

From any host (except the gateway) on site A's network I can ping and connect to any host on site B without issue (by IP address obviously since name resolution doesn't work due to this issue).

e.g.
Site A gateway -> Any host (including gateway) on site B: Unable to connect (attempts to route to Site B's network via default gateway on WAN interface).
Any host (except gateway) on site A -> Any host on site B: Connects without issue.
Same is true in the reverse direction.

Basically the opnSense box is trying to route a connection to 192.168.1.1 out over the public internet rather than via the IPSec tunnel.

8

19.1 Legacy Series / Getting opnSense to route over IPSec tunnel

« on: July 19, 2019, 03:23:10 am »

Hi All,

         Hopefully an easy one, I've got an IPSec tunnel connecting two sites, that side of things is working, but there's one niggle.

There's an internal domain setup at each site, and for queries to site A's internal domain I want to direct unbound on opnSense at Site B to query site A's DNS and vice-versa, the overrides are set up and working but there's an issue.

The issue is that although all the hosts on the LAN net can see all the hosts on the remote net (and vice versa) the gateway itself tries to route traffic bound to the other site via its default gateway rather than through the IPSec tunnel.

I've tried some tweaks around routing/gateways but nothing seems to convince it to route out over the IPSec tunnel for that network.

If anybody can give me some pointers I'd appreciate it.

Thanks,

-A