Topic: Policy based IPsec and gateways own traffic (Read 2271 times)
proctor (Newbie), January 19, 2021, 01:52:26 pm:
Hello,
A gateway sends traffic to an IPsec policy-based remote address with its public address, not the local address for the policy.
If my gateway sends a DNS request to a DNS server which is connected through a policy-based IPsec tunnel, the gateway uses the WAN IP address for sending the request (and sends it to the WAN). What would be the right way to let the gateway use the appropriate local IP address to send the request to the policy-based remote address?
Till now we used routed IPsec, where this is solved by routing. But an ongoing problem with routed IPsec in version 20.7 (https://forum.opnsense.org/index.php?topic=18918.0) leads me to the policy-based configuration.
Thanks for any hint,
Proctor
franco (Administrator, Hero Member), Reply #1, January 19, 2021, 02:14:54 pm:
The solution was posted here:
https://forum.opnsense.org/index.php?topic=18918.msg95130#msg95130
Cheers,
Franco
proctor (Newbie), Reply #2, January 19, 2021, 03:36:25 pm:
Thanks for your fast reply!
Nevertheless, I would like to understand (and solve) the issue in this thread. Additionally, I think disabling hardware acceleration isn't a final solution for the issue in the other thread.
Regards,
Proctor
franco (Administrator, Hero Member), Reply #3, January 19, 2021, 04:47:05 pm:
It depends on the hardware used. From what I understood there is a particular hardware issue with cheaper boards failing cryptographic acceleration.
Cheers,
Franco
proctor (Newbie), Reply #4, January 19, 2021, 05:39:51 pm:
I will keep that in mind and test it later. For the moment I remain on my testing of the policy-based IPsec configuration.
I have a local network at the OPNsense gateway, 192.168.10.0/24, with 192.168.10.1 for the gateway's interface.
I configured a policy for that local subnet with 192.168.20.0/24 as the remote subnet. I can reach the gateway by its IP address 192.168.10.1 from host 192.168.20.40 in the remote subnet.
I can ping the host 192.168.20.40 from the gateway's management website only if I choose the appropriate source interface. But if the gateway sends a DNS request to the host 192.168.20.40, the packet is sent to the WAN interface with the WAN IP as source.
How can I configure the gateway so that requests to 192.168.20.40 are sent to the IPsec remote subnet (with 192.168.10.1 as source address)?
Any hints are welcome,
Proctor
proctor (Newbie), Reply #5, January 20, 2021, 10:42:01 am:
One possible solution is to configure an additional route to the remote network (192.168.20.0/24) and use the appropriate OPNsense interface IP address as gateway. But I don't know if this configuration could lead to any side action.
Logged
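A simplified model of the behaviour described in this thread, added here as an illustration and not code from any poster or from OPNsense: the gateway picks its source address from the egress interface chosen by the route lookup, and only packets whose source and destination both fall inside the policy's subnets are protected by IPsec. The WAN address 203.0.113.10, the test destination 198.51.100.53 and all function names are constructed for the example.

```python
import ipaddress as ip

# Policy from the thread: local 192.168.10.0/24 <-> remote 192.168.20.0/24
POLICY = (ip.ip_network("192.168.10.0/24"), ip.ip_network("192.168.20.0/24"))

# Interface addresses; the WAN address is a constructed sample value.
IFACES = {"wan": ip.ip_address("203.0.113.10"),
          "lan": ip.ip_address("192.168.10.1")}

# Routing table before the workaround: default via WAN, LAN subnet connected.
BASE_ROUTES = [
    (ip.ip_network("0.0.0.0/0"), "wan"),
    (ip.ip_network("192.168.10.0/24"), "lan"),
]
# Workaround from Reply #5: remote subnet routed via the gateway's own LAN
# address, which ties the route to the LAN interface.
WORKAROUND = (ip.ip_network("192.168.20.0/24"), "lan")


def egress(dst, routes):
    """Longest-prefix match; returns the egress interface name."""
    matches = [(net, ifc) for net, ifc in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(dst, routes, bind_src=None):
    """Model one packet originated by the gateway itself."""
    dst = ip.ip_address(dst)
    ifc = egress(dst, routes)
    # Unbound sockets take the egress interface address as source;
    # bind_src models "choose the source interface" in the ping dialog.
    src = ip.ip_address(bind_src) if bind_src else IFACES[ifc]
    protected = src in POLICY[0] and dst in POLICY[1]
    return {"iface": ifc, "src": str(src), "ipsec": protected}


if __name__ == "__main__":
    cases = [
        ("DNS query, no workaround", BASE_ROUTES, None),
        ("ping with LAN source chosen", BASE_ROUTES, "192.168.10.1"),
        ("DNS query, with extra route", BASE_ROUTES + [WORKAROUND], None),
    ]
    for label, routes, src in cases:
        print(label, trace("192.168.20.40", routes, src))
```

In this model the unbound DNS query leaves with the WAN address and misses the policy, while both the bound ping and the extra route produce a 192.168.10.1 source that the policy matches.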