Messages - seroal

#1
Hi,

I recently wanted to change a tunnel from Local: 192.168.55.0/24 / Remote: 10.0.0.0/8 to Local: 192.168.55.0/24 / Remote: 10.150.10.0/24,10.150.11.0/24,10.150.12.0/24, i.e. to use several small networks in Phase 2 instead of one large one. The tunnel runs fine with the /8. The change did not work, however, because only one of the phases ever came up. I tried both variants: specifying all remote /24 networks in one SA, and configuring several SAs with the individual networks. Only one network ever worked.

The remote end is a Cisco ASA and I am using 25.1.7_4.

What could be the cause? What else can I do here to solve the problem? Does OPNSense have generally known limitations here?

The problem seems similar to this one:
https://www.reddit.com/r/OPNsenseFirewall/comments/lktgbx/issue_with_multiple_ikev2_sas/

Thanks for any idea...
#2
Hello all,

today I wanted to build up a tunnel in a similar scenario, where there are multiple remote networks in one child SA. I also get only one SA with one of the remote networks established. What kind of limitation is this? Is there a solution for this? Otherwise we will not be able to use OPNSense for our customers.... This is a common scenario that needs to work.


Any feedback appreciated!

#3
I have some issues migrating from policy-based to route-based VPN for an OPNsense S2S VPN (both systems are OPNsense). Actually the tunnel builds up including Phase 2. I can see 0.0.0.0/0 as local and remote identifier. After configuring everything according to the documentation (https://docs.opnsense.org/manual/vpnet.html#new-23-1-vpn-ipsec-connections) routing still does not work. Packet captures on the VTI interfaces on both firewalls show nothing. I tried to ping the remote VTI address, but nothing happens. The install policy checkbox was unchecked for sure on both sides.

Just FYI: In the swanctl.conf I did not find anything related to "if_id_in" or "if_id_out". The swanctl doc about VTI says that this is important... (https://docs.strongswan.org/docs/latest/features/routeBasedVpn.html)


What is the best way troubleshooting this?


Thanks.
#4
That's another (maybe valid) question, but my question would also apply to any other similar setup... Like when you have 10.0.0.0/24 and 10.0.0.64/28....
#5
Hi,

I'm starting with OPNSense these days and currently I'm playing with IPSec VPN tunnels, NAT and firewall rules. I was able to create a NAT before IPSec config using separate SPD entries. In my case, traffic from 192.168.55.0 to 10.0.0.0/8 needs to be NATed behind e.g. 10.105.0.1.

Now I ran into a network overlap issue when I created a second tunnel where the remote network is a /8. The first tunnel is a /16. Both destination networks start with the same number 10.x.x.x.

My internal real network is 192.168.55.0/24

My first tunnel is:

IPSec Local Net        IPSec Remote Net
192.168.55.0/24        10.109.0.0/16

And the second one:

IPSec Local Net        IPSec Remote Net
10.105.0.0/24          10.0.0.0/8


Now, when I activate the necessary SPD entry (Source 192.168.55.0, Destination 10.0.0.0/8) to allow the necessary SNAT to work, in that very moment after I restart tunnel2 all destinations in 10.109.0.0/16 are not reachable anymore.


It seems that traffic for destinations in 10.109.0.0/16 is not routed correctly anymore. In my case I try to access https://10.109.109.22 over the tunnel, but I suspect that the request is being routed into the wrong tunnel. Can I use tcpdump on enc0 and capture the traffic to 10.109.109.22 to see which tunnel the traffic is going into?


Any ideas to solve this issue without changing destination network from tunnel2? Normally I would expect, that the more exact routes will be used prior to less matching networks.


Any ideas/hints? If some infos are missing, please let me know.



Thanks,
Sebastian
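A small pre-deployment check for the overlap described in this post, added here as an example (not code from the post or from OPNsense): it lists policy pairs whose local and remote selectors both overlap, and, for a given flow, every policy that covers it, most specific remote selector first. The selector values are the ones from the post; the policy name "tunnel2-spd" for the added SNAT SPD entry is a constructed label. Which of several matching policies actually wins is decided by the SPD order/priority on the firewall, so listing all matches is the useful part.

```python
import ipaddress
from itertools import combinations

# Constructed sample: (name, local traffic selector, remote traffic selector)
TUNNELS = [
    ("tunnel1", "192.168.55.0/24", "10.109.0.0/16"),
    ("tunnel2", "10.105.0.0/24", "10.0.0.0/8"),
    # SPD entry added for the SNAT of tunnel2; source is the real LAN
    ("tunnel2-spd", "192.168.55.0/24", "10.0.0.0/8"),
]


def parse(tunnels):
    """Turn the string selectors into ip_network objects."""
    return [(name, ipaddress.ip_network(loc), ipaddress.ip_network(rem))
            for name, loc, rem in tunnels]


def overlapping_pairs(tunnels):
    """Pairs of policies whose local AND remote selectors overlap.

    Only such pairs are ambiguous: a flow can match both, so the
    SPD order/priority decides which tunnel carries it.
    """
    found = []
    for (n1, l1, r1), (n2, l2, r2) in combinations(parse(tunnels), 2):
        if l1.overlaps(l2) and r1.overlaps(r2):
            found.append((n1, n2))
    return found


def matching_policies(tunnels, src, dst):
    """Names of all policies covering src->dst, most specific remote first."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [(n, l, r) for n, l, r in parse(tunnels) if s in l and d in r]
    hits.sort(key=lambda t: (t[2].prefixlen, t[1].prefixlen), reverse=True)
    return [n for n, _, _ in hits]


if __name__ == "__main__":
    print("ambiguous policy pairs:", overlapping_pairs(TUNNELS))
    for dst in ("10.109.109.22", "10.1.2.3"):
        print(dst, "->", matching_policies(TUNNELS, "192.168.55.10", dst))
```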