VXLAN setup with IPsec same IP subnet

[vgsinno]

Hi all,

I try to build a VPN tunnel with IPsec and VxLAN between 2 locations and bridge same IP subnet on both side.
At first i build a configuration like below and it worked just fine.

[PC 192.168.1.2]<->[192.168.1.1/24 Bridge OPT1+VxLAN][OPNsense A][OPT2 10.1.0.2/16]<->{ ipsec tunnel}-INTERNET-{ipsec tunnel}-[10.2.0.2/16 OPT2][OPNsense B][192.168.2.1/24 Bridge OPT1+VxLAN]<->[PC 192.168.2.2]

then I followed this instruction "Reply #4": https://forum.opnsense.org/index.php?topic=37182.msg182040#msg182040

[PC 192.168.1.3]<->[192.168.1.1/24 Bridge OPT1+VxLAN][OPNsense A][OPT2 10.1.0.2/16]<->{ ipsec tunnel}-INTERNET-{ipsec tunnel}-[10.2.0.2/16 OPT2][OPNsense B][192.168.1.2/24 Bridge OPT1+VxLAN]<->[PC 192.168.1.4]

it didn't worked

VxLAN edited like this on A:
Source address: 10.1.0.2
Remote address: 10.2.0.2

Hypervisor: Proxmox

Now I have few questions

1.

• Can it be the normal "IPsec"
• The VTI route based https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html

or doesn't matter?

2.Does the OPNsense support such configuration, if yes, where is the mistake or where did i forgot something?

Thanks

[Saverio Loiacono]

I have the same problem.

Opnsense support this configuration ?


Thanks

[Monviech (Cedrik)]

Yeah you can do it easily with ipsec and a small trick.

- Create loopback interfaces on both sides.
- Create a policy based IPsec tunnel between the loopback interfaces.
- Create the vxlan interfaces and make them use the loopback interfaces to connect with each other over the ipsec tunnel.
- Adjust the MTU and MSS because vxlan and ipsec create protocol overhead.
-Bridge the vxlan interfaces and the LAN interfaces, use that bridge assigned to an interface. The tutorial how to create a transparent filtering bridge helps here.

With a aetup like that I have connected opnsenses with vxlan, but also created raspberry pis that bridged the lan of the main OPNsense directly out of their ports. So its all doable with some effort and tests.

[vgsinno]

Finally !!!

thank you so much it worked

[muchacha_grande]

Hi, Monviech,
you pointed out something interesting that I'd like to investigate. The raspberry pis bridged with opnsense.
Thank you for rising this up.

[Monviech (Cedrik)]

I have used CM4 with Waveshare 2 port boards. That worked really well, really good performance too, I think I got around 600mbit/s.

[muchacha_grande]

Did you use Opnsense for RPi4 or some other router as OpenWRT ?

[Monviech (Cedrik)]

No I just used Ubuntu.

[muchacha_grande]

Excellent, thank you and cheers...