Messages

Some more info: I found out, that when connecting to the 25.10 version, there is shown an entry in the overview, that I usually don´t see, especially not on the old community edition appliance. For me it seems, that the connection is somehow not matching anymore...

In the config I am using .local FQDNs as ID, because of the dynamic remote ip. Would it be better to use the IP for the HQ site where we have a static ip?

Hi there,

I´m currently trying to migrate our test OPNSense Installation with multiple IKEv2 VPNs running to our new hardware with OPNSense Business 25.10. I imported the configuration on the new hardware, and always when switching over to the new hardware with OPNSense business version, all of the tunnels are running fine, except one. This one tunnel is one where the remote site is with a dynamic ip adress. The tunnel will not connect at all. With the current active system on the HQ using Community Edition 25.7.7, I can get it running all the time. Sometimes, after switching back from the new hardware, it seems to be necessary to reset the tunnel on the remote site. I also updated the IPSec Client side from 25.1 to 26.1.1, but nothing changed.


What could be the reason for this? I´m not fully convinced by using IPSec for such a use case here, but it was more like we had to move from a static pub ip to ad natted (rotuer in front) network.


Any ideas, why this only connection has such an issue, after the migration? I think I exported the configuration from the 25.1.11 community version and imported it to the mentioned 25.10.  Could this be an issue?


After the import on the OPNSense business Edition I only changed some interface assignments and I also configured HA.



Are there recommendations to setup such a remote dynamic client?



Thanks.

Thanks for clarification. Another Question: I understand, that the business version is not limited to special hardware and can be installed on various systems like the community edition. Is that a correct assumption?

Hi there,

I´m wondering, how the Business Edition works in regards of the binding/association of that license. Can I easily switch the used hardware? Can I also rebuild a system with a fresh install without a backup? I didn´t found any documentation about this. Maybe somebody can help out.


Thanks.
Sebastian

Ich konnte das Problem lösen.

Zuerst einmal muss jede SA als Child einzeln eingetragen werden. In meinem Falle, da ich ein Source NAT Richtung Partner mache die Netze auf unserer Seite hinter einer NAT Adresse maskiert wird, musste ich hier für jede SA eine einzelne ReqID definieren. Jede dieser ReqIDs wiederum muss dann in der SPD für alle lokalen Netze eingetragen werden. Jetzt funktioniert alles wie gewünscht.


Ist aber leider sehr umständlich zu konfigurieren...

Du kannst mehrere Netze in ein Phase 2 Child schreiben oder mehrere mit je einem Netz anlegen.

Letzteres wäre dann wohl tunnel isolation.

Ok, verstehe. Das beantwortet zumindest schonmal eine Frage :)


Danke.

deleted.

Könnte das hier noch immer ein Thema sein? https://forum.opnsense.org/index.php?topic=30525.0

Vorher gab es die Option "tunnel isolation". Die gibt es ja scheinbar nicht mehr. Wie wird das denn jetzt gelöst?

Moin,

ich wollte neulich einen Tunnel von Lokal:192.168.55.0/24 auf Entfernt:10.0.0.0/8 auf Lokal:192.168.55.0/24 auf Entfernt:10.150.10.0/24,10.150.11.0/24,10.150.12.0/24 umstellen. D.h. in der Phase 2 anstatt eines großen Netzes mehrere kleine verwenden. Der Tunnel läuft mit dem /8 einwandfrei. Die Umstellung hat jedoch nicht geklappt, da sich immer nur eine der Phasen aufgebaut hat. Ich habe sowohl die Variante, alle entfernten /24 Netze in einer SA anzugeben, also auch mehrere SAs mit den einzelnen Netzen zu konfigurieren versucht. Es hat immer nur ein Netz funktioniert.

Die Gegenstelle ist eine Cisco ASA und ich verwende die 25.1.7_4.

Woran kann das liegen? Was kann ich hier noch machen um das Problem zu lösen? Hat OPNSense hier generell bekannte Einschränkungen?

Das Problem ähnelt wohl diesem hier:
https://www.reddit.com/r/OPNsenseFirewall/comments/lktgbx/issue_with_multiple_ikev2_sas/



Danke für jede Idee...

Hello all,

today I wanted to built up a tunnel in a similar scenario, where there are multiple Remote networks in one child SA. I also get only one SA with one of the Remote Networks established. What for a limitation is this? Is there a solution for this? Otherwise we will not be able to use OPNSense for our customers.... This is a common scenario that needs to work.


Any feedback appreciated!

I have some issues migrationg from Policy Based to route based vpn for a OPNsense S2S VPN (both systems are OPNsense). Actually the Tunnel builts up including Phase2. I can see 0.0.0.0/0 as local and remote identifier. After configuring everything according to the documentation (https://docs.opnsense.org/manual/vpnet.html#new-23-1-vpn-ipsec-connections) routing still does not work. Packetcaptures on vti interfaces on both firewalls shows nothing. I tried to ping the remote VTI adress, but nothing happens. The install policy checkfield was unchecked for sure on both sides.

Just FYI: In the swantctl.conf I did not find anything related to "if_id_in" or "if_id_out". The swantctl doc about VTI says, that this is important... (https://docs.strongswan.org/docs/latest/features/routeBasedVpn.html)


What is the best way troubleshooting this?


Thanks.

That´s another (maybe valid) question, but my question would also apply to any other similar setup... Like when you have 10.0.0.0/24 and 10.0.0.64/28....

Hi,

I´m starting with OPNSense these days and currently I´m playing with IPSec VPN Tunnels, NAT and Firewallrules. I was able to create a NAT before IPSec Config with using seperate SPD entries. In my case, Traffic from 192.168.55.0 to 10.0.0.0/8 needs to be nated behind e.g. 10.105.0.1.

Now I ran into an network overlap issue, when I created a second tunnel, where the remote network is a /8. The first tunnel is a /16. Both destination networks starting with the same number 10.x.x.x.

My internal real network is 192.168.55.0/24

My first tunnel is:
IPSec Local Net         IPSec Remote Net   
192.168.55.0/24         10.109.0.0/16


And the second one:
IPSec Local Net         IPSec Remote Net   
10.105.0.0/24         10.0.0.0/8


Now, when I activate the necessary SPD entry (Source 192.168.55.0, Destination 10.0.0.0/8) to allow the necessary SNAT to work, in that very moment after I restart tunnel2 all destinations in 10.109.0.0/16 are not reachable anymore.


It seems, that routing for destinations in 10.109.0.0/16 are not routed correctly anymore. In my case I try to access https://10.109.109.22 over the tunnel, but I suspect, that the request is being routed into the wrong tunnel. Can I use tcpdump on enc0 and capture the traffic to 10.109.109.22 and see in which tunnel the traffic is going to?


Any ideas to solve this issue without changing destination network from tunnel2? Normally I would expect, that the more exact routes will be used prior to less matching networks.


Any ideas/hints? I´ve some infos are missing, please let me know.



Thanks,
Sebastian