Virtual private networks / Assistance with OPNsense IPSec VPN Site-to-Site Configuration
« on: August 07, 2024, 08:01:01 am »
Hi Everyone,
This is my first time using OPNsense, and I am currently setting up an IPSec VPN Site-to-Site connection. Unfortunately, I'm encountering an issue where the peers are not connecting. The error message is as follows:
```
13[IKE] <con1|6> sending retransmit 1 of request message ID 0, seq 1
13[NET] <con1|6> sending packet: from 192.168.20.2[500] to 211.XXX.XXX.XXX[500] (180 bytes)
13[ENC] <con1|6> generating ID_PROT request 0 [ SA V V V V V ]
13[IKE] <con1|6> initiating Main Mode IKE_SA con1[6] to 211.XXX.XXX.XXX
```
I have followed this documentation for this configuration. This is the link: https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html
The HQ and Branch are using different ISPs. I have verified with both providers that there is no port blocking on their end. I've successfully traced and pinged each side, and ICMP is allowed on the WAN interface.
HQ - OPNsense 23.10.2-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w
Branch - OPNsense 24.4.1_3-amd64
FreeBSD 13.2-RELEASE-p12
OpenSSL 3.0.14
**Network Configuration:**
- **Branch**
  - Public IP: 180.XXX.XXX.XXX
  - DMZ: 192.168.20.1
  - WAN Interface (OPNsense): 192.168.20.2
  - LAN: 192.168.30.1
- **HQ**
  - Public IP: 211.XXX.XXX.XXX
  - DMZ: 192.168.0.1
  - WAN Interface (OPNsense): 192.168.0.2
  - LAN: 192.168.1.1
**Firewall Rules Configured:**
- Allowed on WAN for both sides:
  - IPv4 ESP
  - IPv4 ISAKMP (500)
  - IPv4 NAT-T (4500)
I have also configured port forwarding for ESP, ISAKMP, and NAT-T under **Firewall > NAT > Port Forward**. However, when using external tools like canyouseeme.org, ports 500 and 4500 appear to be closed.
I'm seeking advice on whether there are any steps I might have overlooked or misconfigured. Any insights or suggestions from the community would be greatly appreciated.
Thank you.