Messages - meusburger|systems

#1
Documentation and Translation / OPENVPN P2P Setup Example
February 10, 2024, 03:18:46 PM
Hi,
not sure if this is the right place for documentation errata.
I was reading and testing the documentation example at https://docs.opnsense.org/manual/how-tos/sslvpn_instance_s2s.html and found a possible error here:

https://docs.opnsense.org/manual/how-tos/sslvpn_instance_s2s.html#trust
The client certificate must not be set to be for server use, this will definitely not work:
Quote: Set Type to Server

Hope that helps,
j.

#2
OK, forget about the last one, it's getting more confusing to me :-[
The NATed tunnel in question doesn't appear under "Routed Connections" even if I bring it up manually.

Routed Connections:
        con5{30}:  ROUTED, TUNNEL, reqid 5
        con5{30}:   192.168.254.0/24 === 10.80.1.0/24
        con4{29}:  ROUTED, TUNNEL, reqid 2
        con4{29}:   192.168.254.0/24 === 10.1.10.0/23
        con3{28}:  ROUTED, TUNNEL, reqid 1
        con3{28}:   192.168.254.0/24 === 172.16.20.8/32
        con1{26}:  ROUTED, TUNNEL, reqid 4
        con1{26}:   192.168.254.0/24 === 192.168.10.0/24
Security Associations (5 up, 0 connecting):
...snip...
        con2[164]: ESTABLISHED 40 seconds ago, mygateway...remotegateway
        con2{70}:  INSTALLED, TUNNEL, reqid 8, ESP SPIs: c2c93be5_i 1fae9593_o
        con2{70}:   193.186.104.36/30 === 172.27.24.0/24
...snip...


193.186.104.36 is the IP address I got from the remote side to use, 172.27.24.0/24 is the remote LAN.
To me it looks like no route for the remote net is installed.
???
#3
seems a bit different here:

con3{28}:  ROUTED, TUNNEL, reqid 1
con3{28}:   192.168.254.0/24 === 172.16.20.8/32

and

root@OPNsense:~ # pfctl -s state | grep 193.186.104
all tcp 193.186.104.36:52813 (192.168.254.69:61546) -> 172.27.24.129:3389       ESTABLISHED:ESTABLISHED

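Added example, not from the thread and not OPNsense or strongSwan code: a small parser for the `ipsec statusall` excerpt quoted in the posts above that reports, for a given source and destination address, whether a packet matches no IPsec policy, only a trap policy (ROUTED), or an installed SA, and whether a trap policy remains to re-trigger that SA once it goes away. The sample status text is constructed from the lines quoted above, and the reading of ROUTED as "trap policy only" and INSTALLED as "SA actually up" is an assumption based on strongSwan's status output.

```python
import ipaddress
import re

# Constructed sample, condensed from the `ipsec statusall` output quoted above.
SAMPLE_STATUS = """\
Routed Connections:
        con5{30}:  ROUTED, TUNNEL, reqid 5
        con5{30}:   192.168.254.0/24 === 10.80.1.0/24
Security Associations (5 up, 0 connecting):
        con2[164]: ESTABLISHED 40 seconds ago, mygateway...remotegateway
        con2{70}:  INSTALLED, TUNNEL, reqid 8, ESP SPIs: c2c93be5_i 1fae9593_o
        con2{70}:   193.186.104.36/30 === 172.27.24.0/24
"""

# "con5{30}:  ROUTED, TUNNEL, reqid 5"   /   "con2{70}:  INSTALLED, TUNNEL, reqid 8, ..."
HEAD_RE = re.compile(r"^\s*(?P<key>\S+\{\d+\}):\s+(?P<state>ROUTED|INSTALLED),\s+\w+,\s+reqid\s+(?P<reqid>\d+)")
# "con5{30}:   192.168.254.0/24 === 10.80.1.0/24"   (either side may list several selectors)
TS_RE = re.compile(r"^\s*(?P<key>\S+\{\d+\}):\s+(?P<local>.+?)\s+===\s+(?P<remote>.+?)\s*$")


def parse_status(text):
    """Map each child-SA key (e.g. 'con2{70}') to its state, reqid and traffic selectors."""
    sas = {}
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:  # assumption: ROUTED = trap policy only, INSTALLED = SA actually up
            sas[m["key"]] = {"state": m["state"], "reqid": int(m["reqid"]), "local": [], "remote": []}
            continue
        m = TS_RE.match(line)
        if m and m["key"] in sas:
            for side in ("local", "remote"):
                sas[m["key"]][side] += [ipaddress.ip_network(n, strict=False) for n in m[side].split()]
    return sas


def diagnose(text, src, dst):
    """Classify what IPsec does with a packet src -> dst (use post-NAT addresses)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    states = {sa["state"] for sa in parse_status(text).values()
              if any(s in n for n in sa["local"]) and any(d in n for n in sa["remote"])}
    if not states:
        return "no-policy"      # bypasses IPsec entirely, e.g. a LAN source before SNAT
    if "INSTALLED" not in states:
        return "trap-only"      # trap policy: the first matching packet triggers negotiation
    if "ROUTED" in states:
        return "sa-up"          # SA up, and a trap remains to re-trigger it after expiry
    return "sa-up-no-trap"      # SA up now, but nothing re-triggers it once it goes away
```

Run against the sample, a LAN source such as 192.168.254.69 towards 172.27.24.129 yields "no-policy" (only the SNATed 193.186.104.36 matches the selector), and the matching con2 entry comes back "sa-up-no-trap", which is consistent with a tunnel that works after a manual connect but is never re-triggered by traffic.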
#4
Already found the "Additional SPF" setting.
For the ping method I am not sure how this could work.
By using the "single address" as source, these packets will not even be able to reach the gateway's LAN interface, which has an IP from "Local Network":

# traceroute -n -s "single address" "IP in Remote Net"
traceroute to "IP in Remote Net", 30 hops max, 60 byte packets
1  * * *
2  * * *
3  * * *
4  * * *
Am I missing something?
Thank you,
juergen
#5
Hi,
I have a VPN to a customer's network which is basically working as expected, but it won't come up on traffic. Even with the "Start immediately" switch set, the connection starts but disconnects at some point when idle, and the only way to bring it up is to connect manually.
Situation:
- Tunnel IPv4 VPN
- no control over the remote side
- no problem in IPsec configuration
- only one direction - outgoing
- I have to SNAT my network to a single address provided by the remote side. This is most likely the showstopper, but I don't have an idea on how to work around it.

Any suggestions?
Thanks,
juergen