Hi,
I have an issue with an IPsec tunnel in a host to network configuration (I don't control both ends). The network configuration is like so:
192.168.1.0/24--1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]--172.18.1.0/24
And the tunnel is:
1.1.1.1===172.18.1.0/24
OPNsense is on the 1.1.1.1 side, the other side is out of my hands. This worked just fine with previous Linux-based routers but OPNsense seems to be having some issues. As far as I can tell, it is unable to route packets back correctly when communications are initiated from the other side. i.e. If I contact a host 172.18.1.1, OPNsense NATs the local address to the tunnel endpoint address (which is also the public address), recognises it is for the tunnel, routes it over the tunnel, 172.18.1.1 responds and all is fine.
However, if comms is initiated from the other end it does not work. I have a port forward set up on the IPSEC interface for port 80. 172.18.1.1 attempts to connect, the packet comes in on the tunnel, it is forwarded to the internal computer (192.168.1.1), the computer responds, OPNsense nats the local address back to the tunnel endpoint address, then, instead of routing over the tunnel it tries to send the packet over the public network. It appears as if it is ignoring the policy. I have replicated this between two OPNsense routers.
Can anyone suggest how I may be able to fix this? It seems like a similar issue to https://github.com/opnsense/core/issues/1773
Cheers,
Justin.
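To make the two flows in the post concrete, here is an added illustration (not OPNsense code, and not from the poster) that models the policy-based tunnel's traffic selectors and the NAT steps described above. The addresses come from the post's diagram; the function names, the `nat_first` switch and the assumption that the port-forward reply is un-translated before the SPD lookup are this example's own. It shows that, once the LAN host's source address has been translated to the endpoint address, both the LAN-initiated packet and the reply to the port-forwarded connection are identical from the selector's point of view (1.1.1.1 -> 172.18.1.1) and should therefore take the tunnel; it also shows that if NAT did not precede the SPD lookup, even the working LAN-initiated flow would have gone to the public network.

```python
"""Model of the selector/NAT ordering from the post (added illustration, not OPNsense code).

Addresses are the ones from the diagram: LAN 192.168.1.0/24 behind 1.1.1.1,
policy-based tunnel 1.1.1.1 <-> 172.18.1.0/24. All names here are this example's own.
"""
import ipaddress

Net = ipaddress.ip_network
Addr = ipaddress.ip_address

LAN = Net("192.168.1.0/24")
ENDPOINT = Addr("1.1.1.1")                           # tunnel endpoint == public address
POLICY = (Net("1.1.1.1/32"), Net("172.18.1.0/24"))   # (local selector, remote selector)


def in_policy(src, dst):
    """True when src/dst fall inside the tunnel's traffic selectors (outbound direction)."""
    local, remote = POLICY
    return Addr(src) in local and Addr(dst) in remote


def nat_outbound(src, dst):
    """Source-NAT a LAN host to the endpoint address, as the post describes for
    traffic towards 172.18.1.0/24. Returns the possibly translated (src, dst)."""
    if Addr(src) in LAN and Addr(dst) in POLICY[1]:
        return str(ENDPOINT), dst
    return src, dst


def egress_path(src, dst, nat_first=True):
    """Where a packet leaving the router ends up: 'tunnel' if the SPD lookup matches
    the selectors, otherwise 'public'. nat_first selects whether NAT runs before
    the SPD lookup (assumed ordering; the post's working flow implies it does)."""
    if nat_first:
        src, dst = nat_outbound(src, dst)
    return "tunnel" if in_policy(src, dst) else "public"


def reverse_port_forward(src, dst, lan_host="192.168.1.1"):
    """Undo the port-forward translation on the reply: the LAN host's address is put
    back to the endpoint address that the remote peer originally connected to."""
    if src == lan_host:
        return str(ENDPOINT), dst
    return src, dst


def trace_flows(nat_first=True):
    """Classify the two flows from the post under a given NAT/SPD ordering."""
    # Flow 1: a LAN host opens a connection to 172.18.1.1 (works in the post).
    initiated = egress_path("192.168.1.1", "172.18.1.1", nat_first)
    # Flow 2: 172.18.1.1 connects to the port forward; the LAN host's reply is
    # un-translated by the forwarding state and then needs the same SPD decision.
    src, dst = reverse_port_forward("192.168.1.1", "172.18.1.1")
    reply = "tunnel" if in_policy(src, dst) else "public"
    return {
        "lan_initiated": initiated,
        "reply_to_port_forward": reply,
        "reply_post_nat": (src, dst),
    }


if __name__ == "__main__":
    for ordering in (True, False):
        print("NAT before SPD lookup:", ordering, trace_flows(ordering))
```

Under the model, the expected result for the reply is "tunnel"; the "public" egress the post observes is the discrepancy worth raising in the linked issue, with the post-NAT reply addresses (1.1.1.1 -> 172.18.1.1) as the evidence that the packet does fall inside the configured selectors.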