OPNsense Forum » Archive » 19.1 Legacy Series
Topic: IPSec site to site (Read 3630 times)
bruci3 (Newbie, Posts: 20, Karma: 0)
IPSec site to site « on: May 23, 2019, 01:58:06 am »
Hi guys,
I have set up an IPsec site-to-site tunnel and it is currently connected (established), but things are not reachable.
SITE A
LAN
Cisco 3750 switch
Proxmox with VM Opnsense firewall/router (IPsec site to site tunnel)
SITE B
Debian shorewall firewall (strongswan ipsec site to site)
Cisco 3750 switch
LAN
So far, I can ping from any computer from Site A to Site B, excluding the Opnsense firewall.
So if I ping from the Opnsense firewall to Site B, I get a generated firewall log:

Interface   Source            Destination          Proto
WAN         SiteA Public IP   SiteB Local LAN IP   ICMP
Any ideas?
bruci3
Re: IPSec site to site « Reply #1 on: May 23, 2019, 03:04:40 am »
I am running tcpdump on my IPsec site-to-site interface.
If I ping from a computer in SiteA to SiteB, it shows this traffic successfully.
If I ping from my firewall in SiteA to SiteB, nothing shows up in tcpdump for the IPsec interface.
However, the firewall pings show up under the WAN interface instead, which I think is the issue.
I assume this means that my firewall's pings to SiteB are not going through the site-to-site IPsec tunnel but exiting directly via the WAN interface?
So how do I make the traffic from the firewall in SiteA to SiteB go through the IPsec site-to-site interface?
« Last Edit: May 23, 2019, 03:15:18 am by bruci3 »

bruci3
Re: IPSec site to site « Reply #2 on: May 23, 2019, 06:16:34 am »
OK, I almost have this all working now.
Everything from SiteA can reach SiteB except for the firewall (from SiteA).
Everything from SiteB can reach SiteA with no issues; even the firewall can reach the SiteA firewall.
So the only remaining issue is that the firewall on SiteA cannot reach anything on SiteB.
I suspect it's some weird NAT issue or a firewall rule I am missing.
Please help?
bruci3
Re: IPSec site to site « Reply #3 on: May 23, 2019, 08:33:14 am »
I found this guide here, which seems to be related to my exact issue:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html
So I created the GW and route, which now seem to push the traffic from my firewall correctly over the IPsec tunnel.
However, it's still not working; it seems traffic from the firewall never leaves SiteA.
The only thing that I notice that might be causing this issue is below:
If I ping from a PC in SiteA to SiteB, tcpdump shows this:
16:26:44.926095 (authentic,confidential): SPI 0xc39181b2: IP 192.168.1.30 > 172.16.7.20: ICMP echo request, id 1, seq 5767, length 40
16:26:44.966963 (authentic,confidential): SPI 0xcbda3874: IP 172.16.7.20 > 192.168.1.30: ICMP echo reply, id 1, seq 5767, length 40
If I ping from the firewall in SiteA to SiteB, tcpdump shows this instead:
16:26:36.071993 (authentic,confidential): SPI 0xc39181b2: IP FirewallName.Domain > 172.16.7.20: ICMP echo request, id 64118, seq 1, length 64
So no echo reply. But it does not show the source as my firewall's IP, but rather the hostname of my firewall. Could this be causing the issue? If so, how do I change this to the IP address instead?
bruci3
Re: IPSec site to site « Reply #4 on: May 24, 2019, 04:05:48 am »
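The behaviour described in Reply #1 (firewall-originated pings leaving via WAN) and the gateway-plus-static-route fix from the Netgate guide linked in Reply #3 can be modelled in a few lines. The following is an added example written for this page, not code from the poster, OPNsense or the Netgate guide. It models two kernel steps on a policy-based (tunnel-mode) IPsec gateway: source-address selection for locally generated packets (the source is taken from the egress interface the routing table picks) and SPD matching (a packet is only encapsulated if its src/dst fall inside a phase-2 traffic selector). Address assumptions: the thread shows a SiteA PC at 192.168.1.30 and a SiteB host at 172.16.7.20; the firewall LAN address 192.168.1.1, the LAN-side gateway address 192.168.1.2 and the documentation-range WAN address 203.0.113.10 are invented for the model.

```python
"""
Model of why firewall-originated traffic misses a policy-based IPsec tunnel,
and why a static route via a LAN-side gateway fixes it.

Added example, not OPNsense code. All addresses below are assumptions
except 192.168.1.30 and 172.16.7.20, which appear in the thread.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str                      # interface the packet leaves on
    gateway: Optional[str] = None   # next hop; None = directly connected


@dataclass
class Gateway:
    addresses: Dict[str, IPv4Address]              # iface -> own address
    routes: List[Route]
    spd: List[Tuple[IPv4Network, IPv4Network]] = field(default_factory=list)

    def lookup(self, dst: IPv4Address) -> Route:
        """Longest-prefix match, what `route -n get <dst>` would report."""
        candidates = [r for r in self.routes if dst in r.prefix]
        return max(candidates, key=lambda r: r.prefix.prefixlen)

    def choose_source(self, dst: IPv4Address) -> IPv4Address:
        """Locally generated packet: source = address of the egress interface."""
        return self.addresses[self.lookup(dst).iface]

    def spd_match(self, src: IPv4Address, dst: IPv4Address) -> bool:
        """True if some phase-2 selector (local, remote) covers src -> dst."""
        return any(src in local and dst in remote for local, remote in self.spd)

    def classify(self, src: IPv4Address, dst: IPv4Address) -> dict:
        encrypted = self.spd_match(src, dst)
        return {
            "src": str(src),
            "dst": str(dst),
            "egress": "ipsec tunnel" if encrypted else self.lookup(dst).iface,
            "encrypted": encrypted,
        }

    def send_ping(self, dst: str, src: Optional[str] = None) -> dict:
        """Ping from the firewall itself. `src` pins the source address,
        as `ping -S <addr>` does on FreeBSD."""
        dst_ip = ip_address(dst)
        src_ip = ip_address(src) if src else self.choose_source(dst_ip)
        return self.classify(src_ip, dst_ip)

    def forward(self, src: str, dst: str) -> dict:
        """Packet from a LAN host: the source is already set, only SPD applies."""
        return self.classify(ip_address(src), ip_address(dst))


LAN = ip_network("192.168.1.0/24")      # SiteA LAN (contains 192.168.1.30)
REMOTE = ip_network("172.16.7.0/24")    # SiteB LAN (contains 172.16.7.20)


def build_sitea(with_lan_route: bool) -> Gateway:
    """SiteA firewall, with or without the Netgate-style static route."""
    routes = [
        Route(ip_network("0.0.0.0/0"), "wan", "203.0.113.1"),   # assumed ISP hop
        Route(LAN, "lan"),
    ]
    if with_lan_route:
        # Gateway object on the LAN interface (assumed 192.168.1.2) plus a
        # static route to the remote subnet via it: the lookup now selects
        # the LAN interface, so the LAN address becomes the packet source.
        routes.append(Route(REMOTE, "lan", "192.168.1.2"))
    return Gateway(
        addresses={"wan": ip_address("203.0.113.10"),   # assumed public IP
                   "lan": ip_address("192.168.1.1")},   # assumed LAN IP
        routes=routes,
        spd=[(LAN, REMOTE)],
    )


if __name__ == "__main__":
    before, after = build_sitea(False), build_sitea(True)
    print("LAN host  :", before.forward("192.168.1.30", "172.16.7.20"))
    print("fw, no rt :", before.send_ping("172.16.7.20"))
    print("fw, -S lan:", before.send_ping("172.16.7.20", src="192.168.1.1"))
    print("fw, route :", after.send_ping("172.16.7.20"))
```

Without the route, the firewall's own ping is sourced from the WAN address, which no phase-2 selector covers, so it leaves the WAN interface in the clear; that matches the log row in the first post (source = SiteA public IP on WAN). Pinning the source with `ping -S 192.168.1.1 172.16.7.20` or adding the LAN-side route both make the packet fall inside the selector and get encapsulated. The hostname in the Reply #3 capture is only tcpdump's reverse DNS of the source address; `tcpdump -n` prints the numeric address and the packet itself is unchanged.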
I am convinced this is a bug of some sort.
I just set up a new site-to-site tunnel from Opnsense to an AWS site and everything can ping each other from both sides, but once again the only thing not working is pinging from the Opnsense firewall to anything in the AWS site.
I cannot see any logical reason this fails.