Virtual private networks / Re: IPSec: KeyID discrepancy between OPNsense & pfSense
« on: March 23, 2021, 05:43:42 am »
This is a timely post as I think it matches the issue I'm running into as well.
Does this patch solve the issue if we are using other ID types as well?
In my use case I'm migrating my pfSense firewalls to OPNSense and I've been running into issues getting the site-to-site tunnel established between my new OPNSense firewall and the old pfSense firewall at the remote location. It'll be a few months before I can get out to the other site to exchange firewalls, so I was hoping to keep my IPSec tunnel alive in the meantime.
Instead of KeyIDs I'm using dynamic and distinguished names.
In the pfSense config I see leftid = dns:vpn2.domain.com
rightid = fqdn:vpn1.domain.com
OPNSense shows leftid = <ipaddress of vpn1>
rightid = vpn2.domain.com
For both firewalls I'm using Dynamic DNS for "My Identifier" on the respective box and Distinguished Name for the "Peer identifier".
So it seems that in the OPNSense configuration, "Dynamic DNS" resolves the IP address and inserts it into leftid, while pfSense marks it with the dns: prefix and the FQDN that will be resolved.
Meanwhile, Distinguished Name in pfSense gets the prefix fqdn: followed by the FQDN.
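An added example, not part of the post above and not OPNsense or pfSense code: a small offline checker that compares the IKE identities the two firewalls send and expect, using the leftid/rightid strings quoted in the post. It assumes that an identity only matches when both its type and its value are equal, that `fqdn:`, `keyid:`, `ipv4:` and `ipv6:` name the usual identity types, that a bare IP literal is an address identity and any other bare string an FQDN, and that the behaviour of the `dns:` prefix is selectable (kept as an FQDN identity, or resolved so the address becomes the identity, which is the reading the post gives) so both interpretations can be checked. The resolver table and the addresses in it are constructed so the example runs without network access.

```python
"""
Added example (not from the forum post, and not OPNsense or pfSense code):
an offline checker for the leftid/rightid identities two strongSwan-based
firewalls send and expect.

Assumptions, labelled here because the post does not confirm them:
  * an identity matches only if both the type and the value are equal;
  * "fqdn:NAME" is an FQDN identity, "keyid:X" a KEYID identity,
    "ipv4:"/"ipv6:" an address identity;
  * a bare IP literal is an address identity, any other bare string an FQDN;
  * "dns:NAME" either stays an FQDN identity or is resolved so that the
    address becomes the identity (the post's reading); both are selectable.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample data: which hostname resolves to which address.
SAMPLE_DNS: Dict[str, str] = {
    "vpn1.domain.com": "198.51.100.10",   # stands in for the OPNsense side
    "vpn2.domain.com": "203.0.113.20",    # stands in for the pfSense side
}


def sample_resolve(name: str) -> str:
    """Offline stand-in for a DNS lookup (constructed table above)."""
    try:
        return SAMPLE_DNS[name.lower()]
    except KeyError:
        raise LookupError(f"cannot resolve {name!r}") from None


@dataclass(frozen=True)
class IkeId:
    kind: str    # "ADDR", "FQDN" or "KEYID"
    value: str


def parse_id(raw: str, resolve: Callable[[str], str] = sample_resolve,
             dns_resolves: bool = True) -> IkeId:
    """Turn a leftid/rightid string into the (type, value) pair it denotes."""
    prefix, sep, rest = raw.partition(":")
    prefix = prefix.lower()
    if sep and prefix in ("fqdn", "dns", "keyid", "ipv4", "ipv6"):
        if prefix == "fqdn":
            return IkeId("FQDN", rest.lower())
        if prefix == "keyid":
            return IkeId("KEYID", rest)
        if prefix == "dns":
            if dns_resolves:   # the post's reading: the name is resolved
                return IkeId("ADDR", str(ipaddress.ip_address(resolve(rest))))
            return IkeId("FQDN", rest.lower())
        return IkeId("ADDR", str(ipaddress.ip_address(rest)))   # ipv4:/ipv6:
    # No recognised prefix: an IP literal is an address identity, else FQDN.
    try:
        return IkeId("ADDR", str(ipaddress.ip_address(raw)))
    except ValueError:
        return IkeId("FQDN", raw.lower())


def check_direction(sender_leftid: str, receiver_rightid: str,
                    dns_resolves: bool = True) -> Tuple[bool, str]:
    """Does the identity one side sends equal what the other side expects?"""
    sent = parse_id(sender_leftid, dns_resolves=dns_resolves)
    want = parse_id(receiver_rightid, dns_resolves=dns_resolves)
    if sent == want:
        return True, f"match: {sent.kind} {sent.value}"
    return False, f"sent {sent.kind} {sent.value}, peer expects {want.kind} {want.value}"


def diagnose(a_leftid: str, a_rightid: str, b_leftid: str, b_rightid: str,
             dns_resolves: bool = True) -> List[str]:
    """Report every direction in which the two configs disagree on identity."""
    problems = []
    for label, send, expect in (("A->B", a_leftid, b_rightid),
                                ("B->A", b_leftid, a_rightid)):
        ok, why = check_direction(send, expect, dns_resolves)
        if not ok:
            problems.append(f"{label}: {why}")
    return problems


if __name__ == "__main__":
    # The four identities from the post; the post shows the OPNsense leftid
    # only as <ipaddress of vpn1>, so the constructed address is used here.
    opn_left, opn_right = SAMPLE_DNS["vpn1.domain.com"], "vpn2.domain.com"
    pf_left, pf_right = "dns:vpn2.domain.com", "fqdn:vpn1.domain.com"
    for mode in (True, False):
        print(f"dns: prefix resolves = {mode}")
        found = diagnose(opn_left, opn_right, pf_left, pf_right, mode)
        for line in found or ["no identity mismatch"]:
            print("  " + line)
```

Run stand-alone, the script reports the OPNsense-to-pfSense direction as a mismatch under either reading of `dns:`: the OPNsense box presents an address identity while pfSense's `fqdn:vpn1.domain.com` expects an FQDN identity, so one side's identifier setting has to change before the types can agree. The pfSense-to-OPNsense direction only matches if `dns:` is treated as a plain FQDN. A further caveat when an address is used as the identity: it changes whenever the dynamic address changes, and the peer's expected identifier has to follow it.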