Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
IPSEC VTI Tunnel not working as PBR GW
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPSEC VTI Tunnel not working as PBR GW (Read 3576 times)
zer0k
Newbie
Posts: 14
Karma: 0
IPSEC VTI Tunnel not working as PBR GW
«
on:
December 12, 2023, 01:12:45 am »
I can't quite seem to work out how to get my VTI based IPSEC tunnel working, and need another set of eyes.
The frustrating thing is it works on pfsense, and I'll be damned if I use that!
This is from an OPNsense firewall to a cloud based IPSEC termination point
I'm using Legacy mode and the tunnel appears to come up just fine and is shown in VPN status overview.
I am using a /31 as the inside tunnel addresses and they show in the routing table.
But, when I try and add a gateway and ping the inside /31 at the other end it does not work.
The gateway always shows as offline / defunct, and also doesn't work if I turn off monitoring
No traffic flows over the tunnel whether it is sourced from the firewall or an internal host.
I have tried messing with outbound NAT rules, and doing policy based routing.
Not sure where to go from here as this should be straightforward and it works in pfsense and doesn't work in opnsense.
What logs can I delve in to, or provide to try and fix it?
«
Last Edit: December 12, 2023, 04:57:35 pm by zer0k
»
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1622
Karma: 178
Re: IPSEC VTI Tunnel not working as PBR GW
«
Reply #1 on:
December 12, 2023, 11:29:46 am »
You could try to use the new Connections Menu for the VTI tunnel. I have done multiple working ones and have also helped people before with them.
Here are the docs, and also a thread where you can read about possible issues and I also pasted some configs there.
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html
https://forum.opnsense.org/index.php?topic=36254.msg176819#msg176819
Also, careful with the tunables. Read the whole thread beforehand. (I mean System: Settings: Tunables: etc...)
Logged
Hardware:
DEC740
zer0k
Newbie
Posts: 14
Karma: 0
Re: IPSEC VTI Tunnel not working as PBR GW
«
Reply #2 on:
December 13, 2023, 06:42:18 am »
Tried your approach using the new connections method and got a little closer.
The firewall can now ping the inside /31 of the other end, but clients can't pass traffic.
Seems like maybe a NAT issue, or some weird setting somewhere.
I have not added a route, as I want to use PBR to send all traffic from specific hosts over the tunnel, so ideally I want to use a firewall rule, and specify the VTI interface as the gateway
Single gateway pointing at the VTI interface looks good and health monitoring is working.
If I try and set the VTI interface as the gateway in a firewall rule I get these errors immediately, but I'm not sure if it's cosmetic or a show stopper?
You can't set an IP address on the interface because it's a tunnel interface
Error firewall There were error(s) loading the rules: no IP address found for ipsec10ip
Error firewall /usr/local/etc/rc.reload_all: The command '/sbin/pfctl -f /tmp/rules.debug.old' returned exit code '1', the output was 'no IP address found for ipsec10ip /tmp/rules.debug.old:50: could not parse host specification pfctl: Syntax error in config file: pf rules not loaded'
Error firewall There were error(s) loading the rules: no IP address found for ipsec10ip
Error firewall /usr/local/etc/rc.newwanip: The command '/sbin/pfctl -f /tmp/rules.debug.old' returned exit code '1', the output was 'no IP address found for ipsec10ip /tmp/rules.debug.old:50: could not parse host specification pfctl: Syntax error in config file: pf rules not loaded'
«
Last Edit: December 13, 2023, 07:19:26 am by zer0k
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
IPSEC VTI Tunnel not working as PBR GW