Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
IPsec site-to-site: traffic only in one direction
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPsec site-to-site: traffic only in one direction (Read 3978 times)
wurmloch
Full Member
Posts: 101
Karma: 14
IPsec site-to-site: traffic only in one direction
«
on:
March 06, 2021, 09:04:26 pm »
Hi,
First of all, I must say that it is not my first IPsec config. But it's my first config with OPNsense.
Attached is the outline of my infrastructure. The configuration of the OPNsense A to C is the same, with the corresponding individual settings of IPs and remote subnets. The same applies to the firewall rules.
HOST A
canot
reach (ping, rdp) HOST C
HOST B canot reach (ping, rdp) HOST C
HOST C
can
reach (ping, rdp) HOST A
HOST C can reach (ping, rdp) HOST B
This is so strange, exasperating. I did not find any post / FAQ related to this behaviour, and I would really appreciate some hints / help!
Thank you,
Uwe
Logged
Gauss23
Hero Member
Posts: 766
Karma: 39
Re: IPsec site-to-site: traffic only in one direction
«
Reply #1 on:
March 06, 2021, 10:11:24 pm »
Is there a IPsec tunnel between all members (three tunnels) or is Net A routed through Net C to Net B (two tunnels)?
Sounds like you’re missing some firewall rules on the ipsec group.
Logged
„The S in IoT stands for Security!“
wurmloch
Full Member
Posts: 101
Karma: 14
Re: IPsec site-to-site: traffic only in one direction
«
Reply #2 on:
March 06, 2021, 10:45:28 pm »
2 tunnels:
A to C
B to C
I doublechecked firewall logs, no blocked packages.
Ping C to A goes through the tunnel
Ping A to C goes to upstream gateway of wan A and lost.
Thanks for your question!
Logged
wurmloch
Full Member
Posts: 101
Karma: 14
Re: IPsec site-to-site: traffic only in one direction
«
Reply #3 on:
March 07, 2021, 03:15:10 pm »
Hi,
here are the firewall rules of "HOST C", some are automagically created. I added manually:
- IPsec "Allow traffic to LAN net"
- WAN "Allow NAT-T to WAN" due to a block of NAT-T in the WAN firewall logs
Rules at HOST A and B are correspondingly identical.
Still at a loss
Uwe
Logged
wurmloch
Full Member
Posts: 101
Karma: 14
Re: IPsec site-to-site: traffic only in one direction
«
Reply #4 on:
March 10, 2021, 10:39:12 pm »
No idea, nobody?
Logged
wurmloch
Full Member
Posts: 101
Karma: 14
Re: IPsec site-to-site: traffic only in one direction
«
Reply #5 on:
March 11, 2021, 07:24:45 pm »
Quote from: wurmloch on March 07, 2021, 03:15:10 pm
here are the firewall rules of "HOST C", some are automagically created. I added manually:
Wow,
the last days IPsec on OPNsense C was disabled. I didn't want to keep it up while no time for testing.
Now, I switched it on again ... and all automatic generated IPsec related rules on the WAN interface are gone.
That's perfect, IPsec is what? Outdated, too complicated, nowhere in use?
</sarcasm>
Sorry for that. I am not a software engineer. Therfore my contribution to this fine open source project is small.
Logged
wurmloch
Full Member
Posts: 101
Karma: 14
Re: IPsec site-to-site: traffic only in one direction
«
Reply #6 on:
March 23, 2021, 10:10:32 pm »
OK, no solution.
I started from scratch and I chose the other path:
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html
It worked from the beginning. If you have problems with packets not going through the tunnel, just change your config to a routed IPSec Tunnel.
Just my 2 cents
Uwe
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
IPsec site-to-site: traffic only in one direction