OPNsense Forum » English Forums » Virtual private networks » Route OpenVPN Site into IPSec Site
Topic: Route OpenVPN Site into IPSec Site (Read 3151 times)
mliebherr (Newbie, Posts: 25, Karma: 0)
Route OpenVPN Site into IPSec Site, on February 10, 2021, 04:45:33 pm
Hello,
I have two sites.
Site A with OpenVPN, connected to Site B with IPsec, which I don't manage.
Now I would like to route the OpenVPN traffic into the remote IPsec site.
I am not able to add a 2nd Phase 2 net, since this is already being used.
I want to NAT (one way) in the OPNsense which is in between.
My setup looks like this:
I can see an ICMP request coming in at the OpenVPN tunnel interface:
~ # tcpdump -i ovpns10 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpns10, link-type NULL (BSD loopback), capture size 262144 bytes
16:41:42.359229 IP 10.242.19.6 > 10.228.22.210: ICMP echo request, id 1, seq 17849, length 998
But it then leaves my WAN interface (default route):
~ # tcpdump -i igb1 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:42:24.983414 IP 212.87.134.194 > 10.228.22.210: ICMP echo request, id 26116, seq 17850, length 998
And it seems not to be NATed. Why did the rule here not match?
I expected it to change it to 172.18.161.254 > 10.228.22.210
Cheers,
Michael
Gauss23 (Hero Member, Posts: 766, Karma: 39)
Re: Route OpenVPN Site into IPSec Site, Reply #1 on February 10, 2021, 05:15:09 pm
Why do you have WAN as interface in your manual NAT rule?
„The S in IoT stands for Security!“
mliebherr (Newbie, Posts: 25, Karma: 0)
Re: Route OpenVPN Site into IPSec Site, Reply #2 on February 11, 2021, 09:12:53 am
I changed the interface to "OpenVPN".
I cleared the NAT table and ran the ICMP ping again.
The ping still leaves the WAN (igb1) interface. I would have expected it to jump into my enc0 VPN tunnel?!
What am I doing wrong?
Gauss23 (Hero Member, Posts: 766, Karma: 39)
Re: Route OpenVPN Site into IPSec Site, Reply #3 on February 11, 2021, 09:15:14 am
Why OpenVPN? You need to specify the outgoing interface. Try it with IPsec.
As far as I remember there was some issue with NATting traffic into an IPsec policy-based tunnel. Maybe someone else has something to say about that.
„The S in IoT stands for Security!“
mliebherr (Newbie, Posts: 25, Karma: 0)
Re: Route OpenVPN Site into IPSec Site, Reply #4 on February 11, 2021, 09:35:09 am
Well, you are right. I changed it to IPsec.
However, the ping still leaves the WAN (igb1) interface.
(Therefore the outbound NAT rule on IPsec will not match?)
Gauss23 (Hero Member, Posts: 766, Karma: 39)
Re: Route OpenVPN Site into IPSec Site, Reply #5 on February 11, 2021, 09:51:00 am
Maybe someone else has an idea to solve that. I think this is related to the issue I have in mind. I never needed to NAT outgoing traffic into an IPsec tunnel.
„The S in IoT stands for Security!“
mliebherr (Newbie, Posts: 25, Karma: 0)
Re: Route OpenVPN Site into IPSec Site, Reply #6 on February 11, 2021, 04:54:03 pm
Thanks for your help. At least you pointed me in the right direction.
Solution: "Manual SPD entries" in the IPsec Phase 2:
Register additional Security Policy Database entries
Strongswan automatically creates SPD policies for the networks defined in this phase2. If you need to allow other networks to use this ipsec tunnel, you can add them here as a comma-separated list. When configured, you can use network address translation to push packets through this tunnel from these networks.
e.g. 192.168.1.0/24, 192.168.2.0/24
Then the packet got passed to the enc0 interface and the outgoing NAT rule was hit.
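The forwarding decision the thread works through, as an added model (not code from the thread or from OPNsense): policy-based IPsec looks up the SPD with the original, pre-NAT addresses, so without an SPD selector covering the OpenVPN client the packet follows the default route and the outbound NAT rule on the IPsec interface is never reached. The addresses come from the tcpdump output above; the prefix lengths and the Phase 2 networks are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology. Addresses are those in the tcpdump output; the
# prefix lengths and Phase 2 selectors are assumed for illustration.
WAN_IF, WAN_IP = "igb1", ip_address("212.87.134.194")
ENC_IF = "enc0"
OPENVPN_NET = ip_network("10.242.19.0/24")     # assumed OpenVPN tunnel network
PHASE2_LOCAL = ip_network("172.18.161.0/24")   # assumed Phase 2 local network
PHASE2_REMOTE = ip_network("10.228.22.0/24")   # assumed Phase 2 remote network
NAT_TO = ip_address("172.18.161.254")          # outbound NAT address on enc0

def spd(extra_local_nets=()):
    """SPD as strongSwan installs it: one (local, remote) selector pair per
    Phase 2. 'Manual SPD entries' add more local selectors for the same tunnel."""
    return [(PHASE2_LOCAL, PHASE2_REMOTE)] + [(n, PHASE2_REMOTE) for n in extra_local_nets]

# Outbound NAT rules as (interface, source net, translate-to): the automatic
# WAN rule plus the manual rule on the IPsec interface.
NAT_RULES = [
    (WAN_IF, ip_network("0.0.0.0/0"), WAN_IP),
    (ENC_IF, OPENVPN_NET, NAT_TO),
]

def forward(src, dst, policies):
    """Return (egress interface, translated source) for one packet.

    The SPD is consulted with the untranslated addresses; only a match sends
    the packet to enc0, otherwise it takes the default route via WAN. Outbound
    NAT is then matched on the interface the packet actually leaves through."""
    src, dst = ip_address(src), ip_address(dst)
    egress = ENC_IF if any(src in l and dst in r for l, r in policies) else WAN_IF
    for iface, net, to in NAT_RULES:
        if iface == egress and src in net:
            return egress, str(to)
    return egress, str(src)

if __name__ == "__main__":
    pkt = ("10.242.19.6", "10.228.22.210")
    print("without manual SPD entry:", forward(*pkt, spd()))
    print("with manual SPD entry:   ", forward(*pkt, spd([OPENVPN_NET])))
```

The first call reproduces the symptom from the WAN capture (egress igb1, source rewritten to the WAN address); the second shows why adding the OpenVPN network as a manual SPD entry makes the enc0 NAT rule apply.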