Connect two IPSec Tunnels via Firewall

Started by Horst4711, May 22, 2025, 02:05:19 PM

Dear all,

I have a pretty simple setup and I struggle with the routing.

VPN1: IPSec VPN Tunnel for Road Warrior (setup with "Connections"). Clients connect and can access all hosts in the LAN network where the firewall sits.
VPN2: IPSec VPN Tunnel to connect the lan where the firewall sits with a remote site. (LAN<->LAN connection).

Both VPNs work just fine individually. But when I want to access resources from a road warrior client in the remote network connected via VPN2, it does not work. The client sends (e.g. ICMP) to the firewall through the tunnel, so the traffic selector on the mobile clients works, but the ICMP is not being forwarded to the VPN2 tunnel to reach the other network.

I assume that this is an effect of a missing route, because in the terminal of the OPNsense firewall I cannot ping the remote hosts on the other side of VPN2 either. Now it's all straight policy-based IPsec, but I have the feeling that a route-based approach with VTI is required in order to set the routes correctly. Am I right with this assumption?

Thanks for your support


You have to add a phase 2 to the VPN2 to connect the road warrior tunnel subnet with the remote LAN.

Thanks for the hint.

After a client has connected, the SAs look like this from the OPNsense command line. I changed names and IP addresses and added a description:

So you say that the 172.16.230.0/24 needs to be added to the VPN 2 as a local network, right? I have already done this, but obviously the configuration has not been accepted. I added another child, rather than adding it to the existing child, with the following parameters:

Local Net: 172.16.230.0/24 with remote net 192.168.178.0/24.

Networks:

VPN Client: 172.16.230.1
Firewall LAN: 192.168.0.0
Remote LAN: 192.168.178.0

swanctl --list-sas

no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'

//VPN 1 - Client VPN//

6e849653-d02d-4b7c-ab6e-91169c5256f5: #16436, ESTABLISHED, IKEv2, 7944574733476b27_i 38a8ba60fa9bf791_r*
  local  'firewall@firewall.de" @ 780.53.227.39[4500]
  remote 'client@client.de @ 876.187.125.147[30294] [172.16.203.1]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 10s ago, rekeying in 2389s
  8ce66365-34fc-451e-85ef-d5683a940bca: #42, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 10s ago, rekeying in 542s, expires in 650s
    in  c0e9b59b,      0 bytes,     0 packets
    out 07dcc5d1,      0 bytes,     0 packets
    local  172.16.203.0/24 192.168.0.0/24 192.168.178.0/24
    remote 172.16.203.1/32

//VPN 2 - LANtoLAN //

986be7ba-947e-4daa-84d8-287d9653f738: #16435, ESTABLISHED, IKEv1, 1f276ba6266b74a1_i 985345e1235d8ba4_r*
  local  'firewall@firewall.net' @ 212.53.227.39[500]
  remote 'externalsite@external.net' @ 949.933.157.115[500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
  established 1152s ago, rekeying in 12024s
  1855260b-c9c2-4082-8b08-a5209b2db278: #41, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 1132s ago, rekeying in 2128s, expires in 2828s
    in  c71f8bab, 151612 bytes,  1993 packets,     0s ago
    out d6008b19, 2623104 bytes,  2952 packets,     0s ago
    local  192.168.0.0/24
    remote 192.168.178.0/24

Quote from: Horst4711 on May 22, 2025, 03:27:43 PM
    So you say that the 172.16.230.0/24 needs to be added to the VPN 2 as a local network, right? I have already done this, but obviously the configuration has not been accepted. I added another child, rather than adding it to the existing child, with the following parameters:

    Local Net: 172.16.230.0/24 with remote net 192.168.178.0/24.

Did you add the respective p2 to the other site as well?

May 22, 2025, 04:43:11 PM #4 Last Edit: May 22, 2025, 04:47:43 PM by Horst4711
OK, here comes the dirty part of this setup. It's a Fritzbox on the other side.

As far as I understand the IPsec configuration of a Fritzbox via conf files, only one phase2remoteid should be used (the network on the other side of the tunnel), and the traffic selection (routing) is done via the parameter "accesslist". Even if I add a second ipnet to the configuration, the SAs on OPNsense do not change. I think this comes to an end, as I run into a compatibility issue with AVM's own IPsec implementation.

But here's my config file for reference:

vpncfg {
        vpncfg_version = 3;
        global {
                wg_listen_port = 0;
        }
        connections {
                enabled = yes;
                editable = yes;
                use_ikev2 = no;
                conn_type = conntype_lan;
                name = "LANKopplung";
                boxuser_id = 0;
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = ::;
                remoteip = ::;
                local_virtualip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "aaa.bbb.net";
                keepalive_ip = 0.0.0.0;
                localid {
                        fqdn = "ccc.ddd.net";
                }
                remoteid {
                        fqdn = "aaa.bbb.net";
                }
                mode = phase1_mode_idp;
                phase1ss = "dh14/aes/sha";
                keytype = connkeytype_pre_shared;
                key = "key";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.178.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.0.0;
                                mask = 255.255.255.0;
                        }
                        ipnet {
                                ipaddr = 172.16.203.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 192.168.0.0 255.255.255.0",
"permit ip any 172.16.203.0 255.255.255.0";
                app_id = 0;
                wg_persistent_keepalive = 0;
                wg_slave_network = 0.0.0.0;
                wg_slave_mask = 0.0.0.0;
                wg_hide_network = no;
                wg_fulltunnel = no;
                wg_configured = no;
        }
}

Yes, I read several times that there is only a single phase 2 possible, but I've never configured a FritzBox.

But maybe you can outwit it by configuring a common tunnel for both, your LAN and the road warrior tunnel subnet.

Say your LAN is 192.168.0.0/24 and the road warrior tunnel is 192.168.1.0/24. So change the phase 2 to 192.168.0.0/23 for your site on both nodes. Then both subnets are routed through the tunnel from the remote site.
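To make the two legs of the problem visible, here is an added Python example (not OPNsense, strongSwan or AVM code) that parses the traffic selectors from `swanctl --list-sas` style output, checks which CHILD_SA would carry a given flow in each direction, and computes the smallest covering prefix for the supernet workaround suggested above, together with how many extra addresses that prefix drags into the tunnel. The sample SA listing, identities and addresses are constructed placeholders modelled on the output posted earlier in the thread; the road warrior pool 192.168.1.0/24 is the assumption from the reply above.

```python
"""Which IPsec CHILD_SA (phase 2) carries a flow, and what the supernet trick covers.
Added example; the SA listing below is constructed, not real swanctl output."""
import ipaddress
import re
from typing import Optional

# Constructed sample modelled on `swanctl --list-sas` (placeholder IDs and addresses).
SAMPLE_SAS = """\
aaaaaaaa-0000-4000-8000-000000000001: #16436, ESTABLISHED, IKEv2, 7944574733476b27_i 38a8ba60fa9bf791_r*
  local  'firewall@example.net' @ 203.0.113.10[4500]
  remote 'client@example.net' @ 198.51.100.20[30294] [172.16.203.1]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  bbbbbbbb-0000-4000-8000-000000000001: #42, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    in  c0e9b59b,      0 bytes,     0 packets
    out 07dcc5d1,      0 bytes,     0 packets
    local  172.16.203.0/24 192.168.0.0/24 192.168.178.0/24
    remote 172.16.203.1/32
aaaaaaaa-0000-4000-8000-000000000002: #16435, ESTABLISHED, IKEv1, 1f276ba6266b74a1_i 985345e1235d8ba4_r*
  local  'firewall@example.net' @ 203.0.113.10[500]
  remote 'site@example.org' @ 192.0.2.30[500]
  bbbbbbbb-0000-4000-8000-000000000002: #41, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    local  192.168.0.0/24
    remote 192.168.178.0/24
"""

IKE_RE = re.compile(r"^([0-9a-f-]{36}): #\d+, \w+, IKEv\d")
CHILD_RE = re.compile(r"^([0-9a-f-]{36}): #(\d+), reqid (\d+), (\w+),")
SEL_RE = re.compile(r"^(local|remote)\s+(.*)$")


def parse_children(text: str) -> list:
    """Return one dict per CHILD_SA with its local/remote traffic selectors."""
    children, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if IKE_RE.match(line):
            current = None          # IKE_SA header: its local/remote lines are identities, not selectors
            continue
        m = CHILD_RE.match(line)
        if m:
            current = {"name": m.group(1), "reqid": int(m.group(3)), "state": m.group(4),
                       "local": [], "remote": []}
            children.append(current)
            continue
        m = SEL_RE.match(line)
        if m and current is not None:
            nets = []
            for tok in m.group(2).split():
                try:
                    nets.append(ipaddress.ip_network(tok, strict=False))
                except ValueError:
                    nets = None      # not a selector line (quoted identity, '@', port)
                    break
            if nets:
                current[m.group(1)].extend(nets)
    return children


def child_for_flow(children: list, src: str, dst: str, direction: str = "out") -> Optional[dict]:
    """First INSTALLED CHILD_SA whose selectors cover src->dst as seen from the firewall.
    'out': src in a local selector and dst in a remote one; 'in': the reverse."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for c in children:
        if c["state"] != "INSTALLED":
            continue
        near, far = (c["local"], c["remote"]) if direction == "out" else (c["remote"], c["local"])
        if any(s in n for n in near) and any(d in n for n in far):
            return c
    return None


def smallest_supernet(nets: list) -> ipaddress.IPv4Network:
    """Smallest single prefix containing every network in nets (the /23 idea above)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in nets]
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()
    return cand


def collateral_addresses(supernet: ipaddress.IPv4Network, nets: list) -> int:
    """Addresses the supernet routes into the tunnel beyond the intended networks."""
    intended = sum(ipaddress.ip_network(n, strict=False).num_addresses for n in nets)
    return supernet.num_addresses - intended


def demo() -> dict:
    """Reproduce the thread's symptom and the supernet workaround on the sample SAs."""
    children = parse_children(SAMPLE_SAS)
    client, remote_host = "172.16.203.1", "192.168.178.10"
    inbound = child_for_flow(children, client, remote_host, "in")     # leg 1: client -> firewall via VPN1
    outbound = child_for_flow(children, client, remote_host, "out")   # leg 2: firewall -> remote site via VPN2
    # Workaround: pool renumbered to 192.168.1.0/24 (assumed) and VPN2's local selector widened
    # to the covering prefix on both peers.
    lan, pool = "192.168.0.0/24", "192.168.1.0/24"
    super_net = smallest_supernet([lan, pool])
    next(c for c in children if c["reqid"] == 2)["local"] = [super_net]
    fixed = child_for_flow(children, "192.168.1.5", remote_host, "out")
    return {
        "inbound_reqid": inbound["reqid"] if inbound else None,
        "outbound_reqid_before": outbound["reqid"] if outbound else None,
        "supernet": str(super_net),
        "collateral": collateral_addresses(super_net, [lan, pool]),
        "outbound_reqid_after": fixed["reqid"] if fixed else None,
    }


if __name__ == "__main__":
    print(demo())
```

With the sample listing, the client-to-firewall leg matches VPN1 (its local selector already lists the remote LAN), while the firewall-to-remote-site leg matches nothing, because VPN2's local selector is only the firewall LAN; after widening it to 192.168.0.0/23 the flow matches reqid 2. `collateral_addresses` is the check worth running before picking a wide prefix: for the /23 it is zero, whereas a /16 or /17 pulls tens of thousands of unrelated addresses into the tunnel, which is the caveat raised later in the thread.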

I had the exact same idea and I changed the RW network to 192.168.100.0 and then configured it with /16 in the LAN<->LAN tunnel. The subnetting could be more intelligent, like the one you suggested, but it's quick and dirty.

Due to the fact that there are no other networks in the remote LAN segment everything 192.168.x.x goes via the tunnel. All works now. I hope I will remember this whenever another subnet in this scope has to be routed.

Thanks for your support. This forum is awesome.


Yes, I was reluctant about the subnet size because this is probably the most widely used range. But 192.168.0.0/24 is your LAN, which you might not want to change. So this is the worst range to use with VPN anyway.

But glad that it's working now.