Messages

1

General Discussion / Re: Avoid Traffic between IPSec Tunnel

« on: December 14, 2019, 08:15:15 am »

I know that the Design of the VPN Network is not ideal, but on the other side there are plenty FritzBox Devices which are a paint to configure for vpn.
I can not use multiple phase2 SA for example. And my last test with two separate VPN to the same remote Site but different Phase2 IP networks did not work either

So my only option is to put the whole 10.0.0.0/8 in the Tunnel definition.
On Cisco ASA there is a Option to avoid or allow Traffic returning to the same Interface. Forcing packets to travel through the firewall and routing to a different interface.
I don't know if this is possible with opnsense too.

If a have to implement firewall rules to avoid the traffic between the vpn sites. Where do I have to put them? On Interface IPSec? Or on WAN? Or are these floating Rules?
And how will the performance be impacted with the number of rules counting up?
Even when using Aliases I will have to put around 400 Lines for 200 tunnel and we are still growing with around 600 tunnel in the end.
And we have another project in mind where we would need much more tunnel (will be another opnsense btw)

2

General Discussion / Re: Avoid Traffic between IPSec Tunnel

« on: November 28, 2019, 09:12:19 am »

i thougt there was an easier way... Adding 600+ Rules is not the work i wanted to do 

where do i implement those rules? On Interface IPSec oder LAN?

3

19.7 Legacy Series / Re: Traffic between internal networks

« on: November 21, 2019, 02:04:35 pm »

why do you connect every machine with both networks and try to route everything through your Firewall?
This mixes direct connected networks with routed networking. This puts asynchronous connections in place and makes your complete setup unnessecarily complex/complicated?
and pointing default gateway over 1gbe seems very odd and limiting your throughput

try to cleanup your network design!

4

General Discussion / Avoid Traffic between IPSec Tunnel

« on: November 21, 2019, 01:51:47 pm »

is there a simple way to avoid traffic between S2S-tunnel?

we have a bunch of tunnel all connecting to a central site
VPN Setup ist always like this:

remote Site: 10.32.X.0/24
central Site: 10.0.0.0/8

this is needed because we have several non-continous Networks used in central site like 10.1.0.0/22 and 10.99.0.0/16 or similar

Now i need to restrict traffic only from remote site to central site and not between two remote sites.

5

General Discussion / Re: Problem with multiple VPN-Peer rightpeer: %any

« on: August 21, 2019, 01:47:04 pm »

Just use IKEv2, works like a charm

That would be great, but AVM Fritzbox does not support IKEv2 

Any other hint?

6

General Discussion / Problem with multiple VPN-Peer rightpeer: %any

« on: August 19, 2019, 02:46:52 pm »

I've setup a central opnsense appliance to host some (~600) VPN connections.
I need to use %any as Peer IP and to use rightid with distinguisher to assign the correct Config. I have no option to use something like dyndns to resolve peer ip's.

The problem comes when i define more than one tunnel with peer ip %any. When the second peer connects OPNSense does not use the right PSK, but only the PSK from the first defined Connection.
Weird, because the PSK is attached to the DN in ipsec.secrets.

Is this a bug? I'm using actual version OPNsense 19.7.2-amd64