VPN routing Issues with Overlapping Remote Networks

Started by seroal, March 24, 2025, 10:12:56 PM

March 24, 2025, 10:12:56 PM Last Edit: March 24, 2025, 10:14:38 PM by seroal
Hi,

I'm starting with OPNSense these days and currently I'm playing with IPSec VPN tunnels, NAT and firewall rules. I was able to create a NAT before IPSec config by using separate SPD entries. In my case, traffic from 192.168.55.0 to 10.0.0.0/8 needs to be NATed behind e.g. 10.105.0.1.

Now I ran into a network overlap issue when I created a second tunnel where the remote network is a /8. The first tunnel is a /16. Both destination networks start with the same number, 10.x.x.x.

My internal real network is 192.168.55.0/24

My first tunnel is:
IPSec Local Net         IPSec Remote Net   
192.168.55.0/24         10.109.0.0/16


And the second one:
IPSec Local Net         IPSec Remote Net   
10.105.0.0/24         10.0.0.0/8


Now, when I activate the necessary SPD entry (Source 192.168.55.0, Destination 10.0.0.0/8) to allow the necessary SNAT to work, in that very moment after I restart tunnel2 all destinations in 10.109.0.0/16 are not reachable anymore.


It seems that destinations in 10.109.0.0/16 are not routed correctly anymore. In my case I try to access https://10.109.109.22 over the tunnel, but I suspect that the request is being routed into the wrong tunnel. Can I use tcpdump on enc0 and capture the traffic to 10.109.109.22 and see which tunnel the traffic is going into?


Any ideas to solve this issue without changing the destination network of tunnel2? Normally I would expect that the more exact routes are used before the less specific networks.


Any ideas/hints? If some info is missing, please let me know.



Thanks,
Sebastian
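To make the overlap in the post concrete, here is a small added checker (not code from the thread or from OPNsense) that models the three SPD entries described above as (local, remote) selector pairs and reports, for a given packet, every policy whose selectors match and the most specific one by prefix length. The ordering it computes is what the poster expects to happen; it is an assumption of the example and not a statement about how the FreeBSD kernel or strongSwan actually orders installed policies. The policy names and the sample source address 192.168.55.10 are constructed.

```python
"""Overlap checker for IPsec policy (SPD) selectors.

Constructed example: models the selectors from the post and finds
which policies would claim a given src/dst pair. Prefix-length
ordering is an assumption of this script, not a kernel guarantee.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str                       # hypothetical label for the SPD entry
    local: ipaddress.IPv4Network    # IPsec local net (traffic source)
    remote: ipaddress.IPv4Network   # IPsec remote net (traffic destination)


def parse_policies(rows):
    """Build Policy objects from (name, local_cidr, remote_cidr) rows."""
    return [
        Policy(name, ipaddress.ip_network(local), ipaddress.ip_network(remote))
        for name, local, remote in rows
    ]


def matching_policies(policies, src, dst):
    """Return every policy whose local/remote selectors cover src -> dst."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    return [p for p in policies if src_ip in p.local and dst_ip in p.remote]


def most_specific(matches):
    """Pick the match with the longest remote prefix, then longest local.

    This is the 'more exact route wins' behaviour the poster expects;
    whether the real SPD behaves this way is not settled in the thread.
    """
    return max(
        matches,
        key=lambda p: (p.remote.prefixlen, p.local.prefixlen),
        default=None,
    )


def overlapping_pairs(policies):
    """List policy pairs whose local AND remote selectors both overlap.

    Such pairs are the ones where a packet can be claimed by more than
    one policy, which is the situation described in the post.
    """
    pairs = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            if a.local.overlaps(b.local) and a.remote.overlaps(b.remote):
                pairs.append((a.name, b.name))
    return pairs


# Selectors taken from the post; the names are constructed labels.
SPD = parse_policies([
    ("tunnel1", "192.168.55.0/24", "10.109.0.0/16"),
    ("tunnel2", "10.105.0.0/24", "10.0.0.0/8"),
    ("snat-spd", "192.168.55.0/24", "10.0.0.0/8"),   # the NAT-before-IPsec entry
])


if __name__ == "__main__":
    # Constructed packet: a LAN host talking to the server from the post.
    hits = matching_policies(SPD, "192.168.55.10", "10.109.109.22")
    print("policies claiming the packet:", [p.name for p in hits])
    print("most specific by prefix length:", most_specific(hits).name)
    print("ambiguous selector pairs:", overlapping_pairs(SPD))
```

Running it shows that the packet to 10.109.109.22 is covered by both tunnel1 and the SNAT SPD entry, and that those two are the only ambiguous pair: tunnel2's own selectors never match 192.168.55.0/24 traffic, so the collision is between the /16 tunnel selector and the /8 NAT entry, not between the two tunnels themselves. Checking a planned SPD this way before restarting tunnels is a cheap way to spot the overlap that the post ran into.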

Quote from: seroal on March 24, 2025, 10:12:56 PM
And the second one:
IPSec Local Net        IPSec Remote Net
10.105.0.0/24          10.0.0.0/8

Who needs a /8 local network range?
16 million IPs in the local network? I'm in doubt.^^

That's another (maybe valid) question, but my question would also apply to any other similar setup... Like when you have 10.0.0.0/24 and 10.0.0.64/28....

One of the subnets must be NATed on the remote site, so that one SPD goes to another subnet. You cannot solve it on your OPNsense.