18.7 Legacy Series / Access ipsec remote hosts from firewall
« on: October 19, 2018, 11:49:48 am »
I've set up an IPsec tunnel between OPNsense and a remote WatchGuard box. After some initial configuration woes I believe it's working correctly now.
I have three LAN subnets on the OPNsense box. The IPsec tunnel connects one of the subnets (192.168.142.0/24) to a remote network (10.1.0.0/16). In the firewall settings, I've grouped 'trusted' devices (all LANs + IPsec) and created a rule that allows traffic if the source is 'trusted'. This allows devices on any of the LANs to reach each other, and the LAN that is part of the tunnel can reach hosts on the other end. Eventually all LANs will be using the tunnel, but I'm currently just in the testing stage.
I can't yet access hosts on the OPNsense side of the tunnel from the other end. Example: from my machine I can ssh to a remote node via the tunnel, but I can't ssh back into my machine from that host. This could well be a firewall issue on the remote side (which I don't control). Or would it require something on my side? As a test I created a rule that allows any traffic if the source is ipsec, which didn't make a difference.
The more immediate issue is accessing hosts on the other end from the OPNsense box itself. I need this specifically to forward DNS requests for a certain domain to a remote DNS server. I will likely also add monitoring of remote hosts to Monit on the OPNsense box in the future. I've read some posts about issues in the FreeBSD kernel related to routing IPsec traffic. But it's unclear to me if I'm affected by this, if there's some config mistake on my end, or if an additional (manual) route / firewall rule is required. Note I don't really need to access the remote IPsec endpoint itself, but hosts in the remote network.
When I run 'ping -S [lan-ip] [remote-ip]' I do reach remote hosts. But without the '-S [lan-ip]' it doesn't work. I can't bind Unbound to a single LAN interface since it also needs to answer requests for the other LANs. Should I create a static route? "System > Routes > Status" shows a route is in place for the remote network on the WAN interface. But when I run 'route -v show [remote-ip]' it appears to go out directly via the default (ISP) gateway with no mention of enc0 or ipsec, which seems fishy but maybe normal?
Please bear in mind I'm new to OPNsense (a rookie mistake is quite possible / likely).
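The behaviour described above (ping works only with `-S [lan-ip]`) is what a policy-based IPsec tunnel does: the kernel only encrypts a packet when both its source and destination fall inside a configured traffic selector, and a firewall-originated packet that follows the default route is sourced from the WAN address, which no policy covers. The following is an added illustration, not code from the post or from OPNsense; the two subnets come from the post, every other address is constructed, and the static-route workaround (a route for the remote network via the firewall's own LAN address) is a common approach stated here as an assumption, not a confirmed fix for this thread.

```python
from ipaddress import ip_address, ip_network

# Constructed values for the walkthrough; only the two subnets come from the post.
LOCAL_NET = ip_network("192.168.142.0/24")
REMOTE_NET = ip_network("10.1.0.0/16")
LAN_IP = ip_address("192.168.142.1")    # assumed LAN address of the firewall
WAN_IP = ip_address("203.0.113.10")     # assumed WAN address of the firewall
REMOTE_DNS = ip_address("10.1.0.53")    # assumed remote DNS server

# Security Policy Database of a policy-based tunnel: a packet is encrypted only
# when BOTH its source and its destination fall inside one traffic selector.
SPD = [(LOCAL_NET, REMOTE_NET)]


def spd_match(src, dst, spd=SPD):
    """True if a packet src->dst is covered by some IPsec policy."""
    return any(src in lnet and dst in rnet for lnet, rnet in spd)


def route_lookup(dst, routes):
    """Longest-prefix match; each route maps prefix -> address used as source."""
    matches = [(net, src) for net, src in routes if dst in net]
    return max(matches, key=lambda entry: entry[0].prefixlen)[1]


def locally_originated(dst, routes, src=None):
    """Model a packet the firewall itself sends to dst.

    src=None means 'let the kernel choose', like ping without -S.
    Returns (chosen source address, True if the packet hits the tunnel)."""
    chosen = src if src is not None else route_lookup(dst, routes)
    return chosen, spd_match(chosen, dst)


# Routing table as described in the post: only a default route out of WAN.
DEFAULT_ONLY = [(ip_network("0.0.0.0/0"), WAN_IP)]
# Assumed workaround: a static route for the remote network via the firewall's
# own LAN address, so locally originated packets pick LAN_IP as source.
WITH_STATIC = DEFAULT_ONLY + [(REMOTE_NET, LAN_IP)]

if __name__ == "__main__":
    cases = [("default route, kernel picks source", DEFAULT_ONLY, None),
             ("ping -S lan-ip", DEFAULT_ONLY, LAN_IP),
             ("static route via LAN address", WITH_STATIC, None)]
    for label, routes, src in cases:
        chosen, ok = locally_originated(REMOTE_DNS, routes, src)
        path = "tunnel" if ok else "cleartext towards the ISP gateway"
        print(f"{label}: src={chosen} -> {path}")
```

The unmatched case is also why 'route -v show' reports the ISP gateway with no enc0: the packet never matches a policy, so it is handed to the default route as plain IP.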