Virtual private networks / Route OpenVPN Site into IPSec Site
« on: February 10, 2021, 04:45:33 pm »
Hello,
I have two sites.
Site A with OpenVPN, connected to Site B with IPsec, which I don't manage.
Now I would like to route the OpenVPN traffic into the remote IPsec site.
I am not able to add a 2nd Phase 2 net, since this is already being used.
I want to NAT (one way) in the OPNsense which is in between.
My Setup Looks like this:
I can see an ICMP request coming in at the OpenVPN tunnel interface:
~ # tcpdump -i ovpns10 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpns10, link-type NULL (BSD loopback), capture size 262144 bytes
16:41:42.359229 IP 10.242.19.6 > 10.228.22.210: ICMP echo request, id 1, seq 17849, length 998
But it then leaves my WAN interface (default route):
~ # tcpdump -i igb1 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:42:24.983414 IP 212.87.134.194 > 10.228.22.210: ICMP echo request, id 26116, seq 17850, length 998
And it seems not to be NATed. Why did the rule here not match?
I expected it to change it to 172.18.161.254 > 10.228.22.210
Cheers,
Michael
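An added example, not part of the post above and not OPNsense code: a small Python model of the outbound path on a firewall with policy-based IPsec, built to reproduce the two captures in the post. The model assumes that the kernel consults the IPsec SPD on the packet's original (pre-NAT) addresses before any interface-bound outbound NAT runs, so a NAT rule on the IPsec interface only ever fires for packets that already match a phase 2 selector; anything else follows the default route and receives the WAN outbound NAT instead. The phase 2 selector 172.18.161.0/24 <-> 10.228.22.0/24 and the OpenVPN tunnel network 10.242.19.0/24 are assumptions (the post only gives the addresses 10.242.19.6, 10.228.22.210, 212.87.134.194 and 172.18.161.254); the function and rule names are mine.

```python
"""Constructed model: SPD lookup first, then interface-bound outbound NAT.

Assumption (not stated in the post): the IPsec SPD is matched on the
packet's original addresses before any outbound NAT on the IPsec interface
is evaluated, so such a NAT rule cannot pull a non-matching packet into
the tunnel. Non-matching packets take the default route and the WAN NAT.
"""
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class SPEntry:
    """One security-policy selector (phase 2 style): local net <-> remote net."""
    local: str
    remote: str


@dataclass(frozen=True)
class NatRule:
    """Outbound NAT rule bound to an interface ('ipsec' or 'wan')."""
    iface: str
    src_net: str
    dst_net: str
    to: str


def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def apply_nat(rules, iface: str, pkt: Packet) -> Packet:
    """The first matching outbound NAT rule on `iface` rewrites the source."""
    for r in rules:
        if r.iface == iface and _in(pkt.src, r.src_net) and _in(pkt.dst, r.dst_net):
            return Packet(r.to, pkt.dst)
    return pkt


def forward(spd, rules, pkt: Packet):
    """Return (egress, packet as it appears on the wire or inside the tunnel)."""
    # Step 1: SPD lookup on the original, pre-NAT addresses (model assumption).
    for sp in spd:
        if _in(pkt.src, sp.local) and _in(pkt.dst, sp.remote):
            # Step 2a: policy matched -> IPsec path; NAT bound to 'ipsec' applies.
            return "ipsec", apply_nat(rules, "ipsec", pkt)
    # Step 2b: no policy -> default route -> WAN; NAT bound to 'wan' applies.
    return "wan", apply_nat(rules, "wan", pkt)


# Values taken from the post.
OVPN_CLIENT = "10.242.19.6"
REMOTE_HOST = "10.228.22.210"
WAN_IP = "212.87.134.194"
NAT_TO = "172.18.161.254"

# Assumed, not stated in the post: the existing phase 2 selector and the
# OpenVPN tunnel network.
PHASE2_LOCAL = "172.18.161.0/24"
PHASE2_REMOTE = "10.228.22.0/24"
OVPN_NET = "10.242.19.0/24"

RULES = [
    NatRule("ipsec", OVPN_NET, PHASE2_REMOTE, NAT_TO),  # the one-way NAT the post wants
    NatRule("wan", ANY, ANY, WAN_IP),                   # ordinary WAN masquerade
]


def as_posted():
    """Only the existing phase 2 selector: reproduces the capture on igb1."""
    spd = [SPEntry(PHASE2_LOCAL, PHASE2_REMOTE)]
    return forward(spd, RULES, Packet(OVPN_CLIENT, REMOTE_HOST))


def with_extra_spd_entry():
    """Same rules, plus an SPD entry covering the OpenVPN network."""
    spd = [SPEntry(PHASE2_LOCAL, PHASE2_REMOTE), SPEntry(OVPN_NET, PHASE2_REMOTE)]
    return forward(spd, RULES, Packet(OVPN_CLIENT, REMOTE_HOST))


if __name__ == "__main__":
    print("as posted:            ", as_posted())
    print("with extra SPD entry: ", with_extra_spd_entry())
```

Under these assumptions the first call returns the packet exactly as the igb1 capture shows it (egress `wan`, source rewritten to 212.87.134.194), because 10.242.19.6 matches no selector and the `ipsec` NAT rule is never consulted. The second call shows what changes once the SPD also covers the OpenVPN network: the packet takes the IPsec path, the NAT rule on that interface rewrites the source to 172.18.161.254, and since that address lies inside the assumed 172.18.161.0/24 selector the remote side needs no additional phase 2. Whether this matches a given OPNsense build is something to confirm against its own documentation; the model encodes the ordering, not the product.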