Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
IPsec VPN Phase 2 Question
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPsec VPN Phase 2 Question (Read 1428 times)
spetrillo
Hero Member
Posts: 721
Karma: 8
IPsec VPN Phase 2 Question
«
on:
August 29, 2022, 04:30:36 pm »
Ok a stupid newbie question I think...
In my phase 2 configuration I have configured the remote subnet as a single host address. Is this wrong and I should be specifying the full subnet? Please see attached screen shot.
Logged
Patrick M. Hausen
Hero Member
Posts: 6841
Karma: 574
Re: IPsec VPN Phase 2 Question
«
Reply #1 on:
August 29, 2022, 04:35:25 pm »
This depends on your specific setup that you agreed upon with whoever is responsible for the other end of the tunnel. The networks need to perfectly match or the connection will not be established. Sometimes people put single hosts into an IPsec tunnel, sometimes /24 or even larger.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
spetrillo
Hero Member
Posts: 721
Karma: 8
Re: IPsec VPN Phase 2 Question
«
Reply #2 on:
August 29, 2022, 04:42:00 pm »
Ok so I am ok on that. The reason for this question was that I was reading the OPNsense config pages and this section got me thinking bc my phase 1 is up but I cannot seem to get phase 2 tunnels to activate:
Phase 1 works but no phase 2 tunnels are connected
Did you set the correct local and remote networks. A common mistake is to fill in the IP address of the remote host instead of its network ending with x.x.x.0
Common issues are unequal settings. Both ends must use the same encryption standard.
I also added the following, per the config pages to my WAN interface. Is this ok?
Firewall Rules Site A & Site B (part 1)
To allow IPsec Tunnel Connections, the following should be allowed on WAN for on sites (under Firewall ‣ Rules ‣ WAN):
Protocol ESP
UDP Traffic on Port 500 (ISAKMP)
UDP Traffic on Port 4500 (NAT-T)
Logged
Patrick M. Hausen
Hero Member
Posts: 6841
Karma: 574
Re: IPsec VPN Phase 2 Question
«
Reply #3 on:
August 29, 2022, 04:47:08 pm »
If you use a single host address, the remote side must use a single host address, too.
If you use a /24, the remote side must use a /24, too.
*All* settings (including but not limited to crypto parameters and timouts) must perfectly match. Otherwise the tunnel cannot be established. One parameter, network size, ... whatever not matching - no tunnel.
Specifically you cannot alter the networks you "route into the tunnel" without cooperation of the remote side. This is one of the most frequent questions, so I'm adding it here again.
IPsec site to site assumes administrative control over both sides or at least a reasonable cooperation.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
spetrillo
Hero Member
Posts: 721
Karma: 8
Re: IPsec VPN Phase 2 Question
«
Reply #4 on:
August 29, 2022, 05:09:58 pm »
Yes I am trying to put a site to site tunnel to a Rackspace hosted solution. They have control over their side and I have control over my side, but I can open a ticket for help and support.
Logged
spetrillo
Hero Member
Posts: 721
Karma: 8
Re: IPsec VPN Phase 2 Question
«
Reply #5 on:
August 29, 2022, 06:24:03 pm »
One additional question...
On my phase 2 entries I am specifying one host to connect to. In the screenshot it shows the host IP with a 128 next to it. I would expect to put 31 there but its greyed out. Is this ok?
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
IPsec VPN Phase 2 Question