Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
16.7 Legacy Series
»
IPSEC overlaps
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPSEC overlaps (Read 6464 times)
dragon2611
Jr. Member
Posts: 94
Karma: 4
IPSEC overlaps
«
on:
December 29, 2016, 03:41:14 pm »
Opnsense doesn't seem to handle IPSEC overlapping PH2 very well compared with pfSense and most other platforms I've used which seems to be fine with it.
For instance say I have
192.168.1.0/24 > 10.0.0.0/8 in one tunnel with it's own PH1/PH2
Then in a separate tunnel i have
192.168.1.0/24 > 10.1.0.0/24 with it's own PH1 and PH2
I'd expect the more specific PH2 to match (I.e the /24 as that's a more specific route than /8) but it looks like it's just whatever is the highest connection in the list (E.g Con1)
Logged
dragon2611
Jr. Member
Posts: 94
Karma: 4
Re: IPSEC overlaps
«
Reply #1 on:
January 04, 2017, 09:21:35 am »
Bump
Any ideas?
Logged
franco
Administrator
Hero Member
Posts: 17656
Karma: 1610
Re: IPSEC overlaps
«
Reply #2 on:
January 04, 2017, 03:54:30 pm »
Hi dragon,
First of all sorry, a bit busy behind the scenes in prep for 17.1.
If pfSense handles this better it can only be the management code / config write code. I am unsure where to look exactly. Is this a problem in the strongswan configs, do you happen to know?
Cheers,
Franco
Logged
dragon2611
Jr. Member
Posts: 94
Karma: 4
Re: IPSEC overlaps
«
Reply #3 on:
January 04, 2017, 04:09:14 pm »
No Idea, but if I get a chance I might be able to go have a look later.
Can't get into that box at the moment as I'm remote and it looks like either ovpn or opnsense has fallen over (It dropped out and won't reconnect)
Worst part of that Is I do have OVPN roadwarrior setup on my other opnsense install at the other site but I haven't got the config/certs for that on this laptop, something I need to fix when I get home.
Edit: For clarity I use IPSEC for site2site and OVPN for roadwarrior (Laptop/mobile.etc)
Logged
franco
Administrator
Hero Member
Posts: 17656
Karma: 1610
Re: IPSEC overlaps
«
Reply #4 on:
January 04, 2017, 04:41:27 pm »
Hi dragon,
Alright, that would be very helpful.
Cheers,
Franco
Logged
dragon2611
Jr. Member
Posts: 94
Karma: 4
Re: IPSEC overlaps
«
Reply #5 on:
January 04, 2017, 06:45:37 pm »
Sent you a PM, hope you don't mind but I'd prefer not to just post the entire IPSEC config to the whole forum.
tbh not sure how useful it is because to make the config the same I'd have to revert the changes I made to work around the problem (I.e I removed the /8 and put more specific routes in and set tunnel isolation)
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
16.7 Legacy Series
»
IPSEC overlaps