16.7 Legacy Series / Routing internet traffic through a site-to-site IPsec tunnel
« on: September 04, 2016, 04:22:56 pm »
Hi,
This is my setup, both sites are using OPNsense:
Site A
ADSL dynamic IPv4 WAN which is also a gateway to 2 LANs - LAN A (192.168.1.0/24) + LAN B (192.168.2.0/24)
Site B
Static public IPv4 + global IPv6. 2nd NIC connects a 10.x LAN but this machine does no NAT for its LAN.
As suggested by the howto doc linked below, it does do outbound NAT for Site A's LAN A+B.
I wish to tunnel all Internet traffic from both LAN subnets at Site A via Site B.
I've used https://goo.gl/0YriHL as a reference and it works using IKEv1 PSK.
My issue is that all inter-LAN access at Site A is lost when the tunnel goes up.
Machines in LAN A cannot ping or access machines in the same LAN. Same for LAN B.
While none of the LAN machines can ping each other, all traffic is correctly sent out via Site B.
These are the NAT rules at Site A.
A diff before and after the tunnel is established shows no change in them.
```
# pfctl -sn
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on pppoe0 inet from 127.0.0.0/8 to any port = isakmp -> 182.70.11.137 static-port
nat on pppoe0 inet from 192.168.1.0/24 to any port = isakmp -> 182.70.11.137 static-port
nat on pppoe0 inet from 192.168.2.0/24 to any port = isakmp -> 182.70.11.137 static-port
nat on pppoe0 inet from 127.0.0.0/8 to any -> 182.70.11.137 port 1024:65535
nat on pppoe0 inet from 192.168.1.0/24 to any -> 182.70.11.137 port 1024:65535
nat on pppoe0 inet from 192.168.2.0/24 to any -> 182.70.11.137 port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/*" all
no rdr on igb0 proto tcp from any to (igb0) port = http
no rdr on igb0 proto tcp from any to (igb0) port = ssh
rdr-anchor "miniupnpd" all
```
The rather large diff between firewall rules (pfctl -sr) before and after the tunnel is established is at https://dl.dropboxusercontent.com/u/314525/rules.diff
- Where do I start to troubleshoot this?
- Is there any documentation on migrating this setup from IKEv1 PSK to IKEv2 RSA pubkey?
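As one concrete starting point for the "where do I start to troubleshoot" question, here is an added example (not from the post, and not OPNsense code) that parses the `pfctl -sn` output quoted above and reports which translation rule pf would apply to a given flow, using pf's first-match semantics for NAT rules. It assumes igb0 is a LAN interface at Site A, and it skips the `nat-anchor` entries because their contents are not shown in the post.

```python
import ipaddress
import re

# pfctl -sn output quoted in the post, embedded here as the sample input.
PFCTL_SN = """\
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on pppoe0 inet from 127.0.0.0/8 to any port = isakmp -> 182.70.11.137 static-port
nat on pppoe0 inet from 192.168.1.0/24 to any port = isakmp -> 182.70.11.137 static-port
nat on pppoe0 inet from 192.168.2.0/24 to any port = isakmp -> 182.70.11.137 static-port
nat on pppoe0 inet from 127.0.0.0/8 to any -> 182.70.11.137 port 1024:65535
nat on pppoe0 inet from 192.168.1.0/24 to any -> 182.70.11.137 port 1024:65535
nat on pppoe0 inet from 192.168.2.0/24 to any -> 182.70.11.137 port 1024:65535
"""

# Matches "nat" / "no nat" rules only; nat-anchor lines (whose contents the
# post does not show) and rdr rules are deliberately ignored.
RULE_RE = re.compile(
    r"^(?P<no>no )?nat(?: on (?P<ifc>\S+))?(?: inet6?)?(?: proto (?P<proto>\S+))? "
    r"(?:(?P<all>all)|from (?P<src>\S+) to (?P<dst>\S+)(?: port = (?P<port>\S+))?)"
    r"(?: -> (?P<target>\S+))?")

def parse_nat_rules(text):
    return [(line, m.groupdict()) for line in text.splitlines()
            if (m := RULE_RE.match(line))]

def _in_net(ip, spec):
    return spec in (None, "any") or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def nat_decision(rules, ifc, proto, src, dst, dport=None):
    """pf applies the FIRST matching translation rule; a 'no nat' hit exempts
    the flow. Returns ('nat' | 'exempt' | 'none', matching rule line or None)."""
    for line, r in rules:
        if r["ifc"] and r["ifc"] != ifc:
            continue
        if r["proto"] and r["proto"] != proto:
            continue
        if not r["all"] and not (_in_net(src, r["src"]) and _in_net(dst, r["dst"])
                                 and (r["port"] is None or r["port"] == dport)):
            continue
        return ("exempt" if r["no"] else "nat"), line
    return "none", None

if __name__ == "__main__":
    rules = parse_nat_rules(PFCTL_SN)
    for flow in [("pppoe0", "tcp", "192.168.1.10", "8.8.8.8", "443"),
                 ("igb0", "icmp", "192.168.1.10", "192.168.2.10", None)]:  # igb0 = assumed LAN ifc
        print(flow, "->", nat_decision(rules, *flow))
```

Running it shows that, with the rules as posted, only flows leaving via pppoe0 are translated and a LAN-to-LAN flow on igb0 hits no NAT rule, so the intra-LAN breakage is not explained by these rules alone and the `pfctl -sr` diff (and the anchor contents) is the next place to look.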