OPNsense Forum
Topic: How to route networks across site-to-site IPsec-VPN tunnel? (Read 5180 times)
hhk (Newbie, Posts: 3, Karma: 0)
How to route networks across site-to-site IPsec-VPN tunnel?
« on: February 08, 2019, 08:07:55 am »
Hi All, I am trying to route between two sites over the VPN in the following scenario.
10.10.11.0/24 ----[Opnsense A]<---ipsec vpn --->[Opnsense B]---172.16.1.0/24---[Router] --- Network [ 10.10.12.0/24, 10.10.13.0/24 ... ]
From 10.10.11.0/24 I can reach 172.x.x.x; however, I can't reach the 10.10.12.0/24, 10.10.13.0/24 etc. networks.
I created a gateway 172.16.1.1 (Opnsense B LAN IP), tried both interfaces LAN/WAN, and put in a static route on Opnsense A pointing 10.0.0.0/8 to 172.16.1.1.
When I start a ping from 10.10.11.2 I get the following from Opnsense A. It looks like it sees 172.16.1.1 as a LAN network and is doing an ICMP redirect.
PING 10.10.12.1 (10.10.12.1): 56 data bytes
36 bytes from 10.10.11.2: Redirect Host(New addr: 172.16.1.1)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 f0ae 0 0000 40 01 6f33 10.10.11.2 10.10.12.1
I guess there is something broken with my route. Using the far-side host as the next hop does not seem to be working.
How do I specify a route with the IPsec tunnel as the next hop?
Your input is much appreciated.
Thx
« Last Edit: February 08, 2019, 08:26:01 am by hhk »
bartjsmit (Hero Member, Posts: 2016, Karma: 194)
Re: How to route networks across site-to-site IPsec-VPN tunnel?
« Reply #1 on: February 08, 2019, 08:41:57 am »
You need a static route for 10.10.11.0/24 on the router behind B (marked -[Router]- in your diagram) via 172.16.1.1 and also one for the IPSec tunnel subnet, unless your VPN is in transport mode.
Bart...
hhk (Newbie, Posts: 3, Karma: 0)
Re: How to route networks across site-to-site IPsec-VPN tunnel?
« Reply #2 on: February 08, 2019, 11:08:59 am »
@Bart thanks for taking a look.
I already had the static route on the Router for the Site A subnet. I am actually able to telnet to the router from Site A, meaning I can get to anything in the 172.16. network.
I turned on packet capture on the Site B IPsec interface and tried to capture my host IP in Site A when pinging the 10.10.12.0/24, 10.10.13.0/24 networks. I do not see anything. I am able to capture the packets when pinging the router's 172.16.x.x address. This tells me Site A is not sending traffic destined for 10.10.12.x over the tunnel.
I think my static routes on the firewall are broken. Would you happen to have an example of how the static routes are configured in this scenario?
bartjsmit (Hero Member, Posts: 2016, Karma: 194)
Re: How to route networks across site-to-site IPsec-VPN tunnel?
« Reply #3 on: February 08, 2019, 04:37:54 pm »
I was going to suggest packet capture ;-)
System, Routes, Configuration. The status page shows the current routing table.
Bart...
hhk (Newbie, Posts: 3, Karma: 0)
Re: How to route networks across site-to-site IPsec-VPN tunnel?
« Reply #4 on: February 08, 2019, 09:10:28 pm »
I was able to fix this by creating a second IKE Phase 2 entry under my tunnel settings. That adds the necessary routes to the routing table.
It seems that a static recursive route to the far-side VPN destination is not the supported way of doing this.
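Why the second Phase 2 entry fixes it, shown as an added Python example that is not from the thread or from OPNsense: a policy-based IPsec tunnel consults its traffic selectors (the Security Policy Database) before the routing table, so a packet that matches no Phase 2 selector is never tunnelled, whatever static routes exist. The function names, the "direct" gateway label and the uncovered-subnet check are my own; the addresses are the ones from the thread.

```python
# Added example: models the forwarding decision on site A for a
# policy-based IPsec tunnel. Addresses are taken from the forum thread.
import ipaddress
from typing import NamedTuple, Optional

class Phase2(NamedTuple):          # one Phase 2 entry = one traffic selector
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

def p2(local: str, remote: str) -> Phase2:
    return Phase2(ipaddress.ip_network(local), ipaddress.ip_network(remote))

def spd_lookup(spd, src: str, dst: str) -> Optional[Phase2]:
    """Return the first Phase 2 selector covering src->dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in spd:
        if s in entry.local and d in entry.remote:
            return entry
    return None

def route_lookup(routes, dst: str) -> Optional[str]:
    """Longest-prefix match over (prefix, gateway) pairs; None if no route."""
    d, best = ipaddress.ip_address(dst), None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def forwarding_decision(spd, routes, src: str, dst: str) -> str:
    """Tunnel the packet if a selector matches; otherwise use the routing
    table, which is where the OP's static route (and the redirect) came in."""
    hit = spd_lookup(spd, src, dst)
    if hit is not None:
        return f"ipsec:{hit.remote}"
    gw = route_lookup(routes, dst)
    return f"route-via:{gw}" if gw else "no-route"

# Site A before the fix: a single Phase 2 plus the static route the OP added.
SPD_BEFORE = [p2("10.10.11.0/24", "172.16.1.0/24")]
# After the fix: one extra Phase 2 entry per network behind the remote router.
SPD_AFTER = SPD_BEFORE + [p2("10.10.11.0/24", "10.10.12.0/24"),
                          p2("10.10.11.0/24", "10.10.13.0/24")]
ROUTES = [("10.10.11.0/24", "direct"), ("10.0.0.0/8", "172.16.1.1")]

def uncovered(spd, src: str, remotes) -> list:
    """Check: remote subnets that no selector covers (constructed helper)."""
    return [r for r in remotes
            if spd_lookup(spd, src, str(ipaddress.ip_network(r)[1])) is None]
```

Running `uncovered(SPD_BEFORE, "10.10.11.2", ["10.10.12.0/24", "10.10.13.0/24"])` lists both subnets, which matches what the packet capture on site B showed: nothing for those destinations ever entered the tunnel.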