Additional VPN using existing IPsec Tunnel

Started by jimjohn, April 30, 2021, 12:42:19 PM

Hi all,

as you see in the attached screenshot, I have two locations being coupled by an IPsec Tunnel which is managed by the router. Each location has an OPNsense appliance, which is not directly exposed to the internet.

I have LAN-LAN coupling already, which works okay. Now I want to enable cross-access from DMZ_1 to BKP_2 and vice versa, where "DMZ" is actually not reachable from the internet but still behind the VPN of the router. Nothing should be exposed to the internet, except the encrypted VPN traffic.

What would be the best approach to achieve this?

BTW: I probably would use 172.X.X.X IPs for the VPN tunnel just to have a clearer separation for easier administration.

Thanks for your tips in advance!



Just add the subnets as an additional phase 2 entry. With both gateways being OPNsense there should not be anything extra to configure, although "Tunnel Isolation" in phase 1 might be necessary - I honestly don't know.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks for your answer, would you use IPsec or OpenVPN? And why?

You have an established IPsec tunnel and want to route additional subnets. Why would you use anything else just for those?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
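To make the "additional phase 2 entry" advice concrete, here is what the resulting strongSwan configuration looks like: one IKE (phase 1) connection between the two gateways carrying two child SAs (phase 2 entries), one for the existing LAN-LAN pair and one for the new DMZ-BKP pair. This is an added illustration, not configuration taken from the thread or from OPNsense itself; OPNsense renders its own swanctl.conf from the GUI, so in practice you would add the second entry under the existing phase 1 in the web interface. All addresses, identities and the pre-shared key below are constructed placeholders (the 172.16.x.x ranges follow the poster's idea of using 172.X.X.X for the new pair).

```conf
# Added example: swanctl.conf with one IKE SA and two child SAs.
# Addresses, IDs and the secret are placeholders, not values from the thread.
connections {
    site-b {
        # Gateway addresses on the transport network between the two OPNsense boxes
        local_addrs  = 10.0.1.2
        remote_addrs = 10.0.2.2
        version      = 2
        proposals    = aes256-sha256-x25519

        local  { auth = psk; id = opnsense-a }
        remote { auth = psk; id = opnsense-b }

        children {
            # Existing phase 2: LAN-LAN coupling that already works
            lan-lan {
                local_ts      = 192.168.1.0/24
                remote_ts     = 192.168.2.0/24
                esp_proposals = aes256gcm16-x25519
                start_action  = start
            }
            # New phase 2: DMZ_1 <-> BKP_2, reusing the same phase 1
            dmz-bkp {
                local_ts      = 172.16.10.0/24
                remote_ts     = 172.16.20.0/24
                esp_proposals = aes256gcm16-x25519
                start_action  = start
            }
        }
    }
}

secrets {
    ike-site-b {
        id     = opnsense-b
        secret = "PLACEHOLDER-CHANGE-ME"
    }
}
```

Two practical checks when adding the second child SA: the traffic selectors of the two entries must not overlap, or the kernel will match the wrong policy for part of the traffic; and a matching child SA only gets packets through the tunnel, it does not permit them, so the firewall rules on the IPsec interface (and the mirrored configuration on the other gateway) still decide which hosts in DMZ_1 may reach which hosts in BKP_2.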

May 04, 2021, 04:09:15 PM #5 Last Edit: May 04, 2021, 04:11:52 PM by jimjohn
The topology above is simplified. There are other devices outside the "control" of the OPNsense directly attached to either router. Because this IPsec tunnel is used by "not trustworthy" devices, such as smartphones etc., and multiple users in the net "above" the OPNsense, I want to have an OPNsense <=> OPNsense VPN tunnel which is one layer below the router's. Plus, I do not want to expose the OPNsenses directly to the internet, because that would mean an additional port forward on either router, which I'd like to avoid as well.

Example: traffic is encrypted transport-wise by the IPsec tunnel of the router from router (A) to router (B). So far so good. But if I regard both the router and / or devices in the router's subnet as "not trustworthy", I need to have a second level of encryption between the OPNsenses to completely separate the communication of DMZ <=> BKP.