Messages - Eduardox

#1
Hi,

I have IPsec VPN configured both for a site to site tunnel, and for road warriors (at both sites)

However, since the "IPsec Tunnel Settings" will be deprecated soon, I was trying to migrate to the new "IPsec Connections".

This is working fine for the site to site tunnel, but I can't get it to work for the road warriors.

Does anyone have a working setup for me to use VPN from an iPhone's standard IPsec VPN? (without an additional app), that uses the new "IPsec Connections" instead of "IPsec Tunnel Settings"?

Thanks!
#2
I tried to switch to the new "connections" instead of "tunnels", but unfortunately I couldn't get it to work.  I am using "mutual RSA" with the "tunnels", but somehow I couldn't use that for "connections" (it does work with Mutual PSK though, but I prefer Mutual RSA).

Anyway, I had the Firewall->Rules->IPsec set as * as a test - but still failed.  Need to search a bit more :-(

Thanks.
#3
Quote from: Seimus on January 12, 2025, 11:39:59 AM
This is totally wrong
so you need to set the GW over the IPsec.
I am sorry that it is totally wrong.  I am new here, and just looking for help.
Like I wrote in the previous post, I can only choose LAN or WAN as the interface in the gateway.  Which one should it be then?  There is a Misconfigured Gateway IP error when I choose LAN.

Quote from: Seimus on January 12, 2025, 11:39:59 AM
So you opted for PBR but,
You applied this GW only to the rule? Do you have a route back on Site B to route thru IPsec tunnel to Site A? Can you ping Site B from Site A over IPSEC?

I didn't really opt to use policy based routing, I am just a beginner trying to find whatever method I can get to work :-)
Yes, there is a route back from site B to site A.  Like I wrote in my original post, all devices from both sites can reach all devices.

Quote from: Seimus on January 12, 2025, 11:39:59 AM
Also by using this you are forcing any traffic over the GW, meaning as well destination for Private Subnets. If you want to only route Internet over IPsec, create an alias containing RFC 1918 and use it as Inverse destination for the Rule.
Yes, that is a good point.  I will look into that once I get it working for all traffic.

Can you give a suggestion what to correct?  Thanks.
#4
Quote from: dseven on January 12, 2025, 10:10:02 AM
The interface for your OPNsenseB gateway should be your VPN, not WAN.

For the interface, I can only choose WAN or LAN, there is no VPN interface.  And if I choose LAN, then it says "Misconfigured Gateway IP".  If I choose WAN then there is no error.

Quote from: dseven on January 12, 2025, 10:10:02 AM
Also you do not want to do outbound NAT at site A for this - you'd have to do it at site B to use the correct internet-routable address (belonging to site B). You'll need to configure outbound NAT at site B to cover 10.10.0.0/16 (or at least 10.10.0.100/32) too.

Isn't that what I did with:
Site B: Firewall/NAT/Outbound: interface=WAN, source=10.10.0.100/32, source+dest+dest port=*
?
#5
Site A: 10.10.0.0/16, gateway=10.10.0.254
Site B: 10.20.0.0/16, gateway=10.20.0.254

I have an IPsec tunnel setup between two sites that is working well.  Both sites can go online via their own Internet connection, and I can reach all devices from both sites.

Now for one device (10.10.0.100) on site A I would like to route the traffic over the IPsec tunnel and go to the Internet via site B.

I added these lines:

Site A: System/Gateways/Configuration: name=OPNsenseB, int=WAN,gateway=10.20.0.254
Site A: Firewall/rules/LAN: source=10.10.0.100, prt+dest+dest port=*, gateway=10.20.0.254 (as the first line)
Site B: Firewall/NAT/Outbound: interface=WAN, source=10.10.0.100/32, source+dest+dest port=*

However, this does not work.  Traffic from 10.10.0.100 still goes outside via site A's WAN (!)  If I change the firewall rule for 10.10.0.100 to block instead of pass then 10.10.0.100 has no connectivity anymore - so that line is really used.

What am I doing wrong?  Thanks!
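The setup asked about in posts #3 and #5 is a policy-based route for one host plus outbound NAT at the remote site. The following is an added example, not code from the thread or from OPNsense: a small first-match model of those two pieces, so the effect of the two suggestions in the quoted replies (an inverse-matched RFC 1918 alias on the policy rule, and outbound NAT at site B rather than site A) can be checked on paper before touching a firewall. The subnets, the host 10.10.0.100 and the gateway name OPNsenseB are taken from the thread; the alias name `RFC1918`, the site B WAN address 203.0.113.20 and the rule evaluator itself are constructed for illustration. It models only rule matching; it does not model the gateway's interface binding, which the replies identify as the actual problem.

```python
"""Added example: first-match model of a per-host policy route and the
matching outbound NAT, following the advice quoted in the thread.
Constructed for illustration; not OPNsense's own code."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Alias holding the RFC 1918 ranges, used as an *inverse* destination so that
# only Internet-bound traffic from the host is steered into the tunnel.
ALIASES = {
    "RFC1918": [ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")],
}

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    source: IPv4Network
    destination: str = "any"          # "any" or an alias name from ALIASES
    invert_destination: bool = False  # "not"/inverse match on the destination
    gateway: Optional[str] = None     # None means the default route

def dest_matches(rule: Rule, dst) -> bool:
    if rule.destination == "any":
        hit = True
    else:
        hit = any(dst in net for net in ALIASES[rule.destination])
    return hit != rule.invert_destination

def route(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (action, gateway) for the first matching rule. OPNsense LAN
    rules are 'quick' by default, so the first match wins, which is why the
    thread puts the policy rule above the general LAN rule."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.source and dest_matches(r, d):
            return r.action, (r.gateway or "default")
    return "block", None  # implicit default deny

# Site A LAN rule set as the quoted replies suggest: policy route first, with
# the RFC 1918 alias as inverse destination, then the ordinary LAN-to-any rule.
SITE_A_LAN_RULES = [
    Rule("pass", ip_network("10.10.0.100/32"), "RFC1918",
         invert_destination=True, gateway="OPNsenseB"),
    Rule("pass", ip_network("10.10.0.0/16")),
]

# Site B outbound NAT: translate only sources covered by a NAT rule.
SITE_B_WAN = ip_address("203.0.113.20")  # constructed documentation address
SITE_B_NAT_SOURCES = [ip_network("10.20.0.0/16"),   # site B's own LAN
                      ip_network("10.10.0.100/32")]  # the policy-routed host

def outbound_nat(src: str, nat_sources: List[IPv4Network] = SITE_B_NAT_SOURCES) -> str:
    """Source address as seen on the Internet after site B's outbound NAT."""
    s = ip_address(src)
    if any(s in net for net in nat_sources):
        return str(SITE_B_WAN)
    return str(s)  # no NAT rule: the private source would leak unchanged

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.20.0.5"):
        print("10.10.0.100 ->", dst, route(SITE_A_LAN_RULES, "10.10.0.100", dst))
    print("site B NAT for 10.10.0.100:", outbound_nat("10.10.0.100"))
```

With the inverse alias in place, the host's traffic to site B's LAN keeps the default route and only its Internet traffic is handed to OPNsenseB; without the NAT entry for 10.10.0.100/32 at site B, `outbound_nat` shows the private address leaving site B's WAN untranslated, which is the failure dseven's reply warns about.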