IPSEC Site to Site VPN

Started by WallaceTechUK, September 19, 2017, 11:46:19 AM

Hi Guys.

Hope someone can push me in the right direction. I have two OPNsense servers at two separate locations. For example I have

Site A
Subnet 192.168.1.0
Subnet 192.168.2.0
Subnet 192.168.3.0

Site B
Subnet 192.168.4.0
Subnet 192.168.5.0
Subnet 192.168.6.0

Now I have followed the example in the Wiki; see https://wiki.opnsense.org/manual/how-tos/ipsec-s2s.html?highlight=vpn

I can start the VPN and I can pass traffic from 192.168.1.0 to 192.168.4.0 back and forth. Is there something I am missing to allow multiple subnets to be used as part of Phase 2?

Please let me know if you require any more info from me.

Thanks in advance.

Hi,

At my company we have two Phase 2 entries. You can have as many Phase 2 entries for each Phase 1 as you want.

Regards.

In IKEv2 mode, all Phase 2 entries are meshed together unless the tunnel isolation mode is set.

So nicovell3 is right, just add multiple Phase 2 entries to your Phase 1 and that's it.

You could also make the netmask wider, but it may clash with your general network layout: 192.168.0.0/16.


Cheers,
Franco

Thanks for the replies chaps.

I have added multiple subnets to the Phase 2 but the issue I am facing is that none of them work apart from the subnet that the OPNsense servers are on.

Craig

OK, so I have this working.

On the Phase 2 setup, the Local Network was set to LAN Net as per the documentation. What I have done is change this from LAN Net to Network and specified the LAN subnet.

Example

Local Network
Type = Network
Address = 192.168.1.0/24

Remote Network
Type = Network
Address = 192.168.4.0/24

I can now see both networks from both sides.

Thanks again for your time to reply earlier.

Scrap the above message. I thought this was working but it's not.

OK. So I am half way there. I can ping from one side of the tunnel but not the other.

Site A

Ping 192.168.4.0 Reply Timed Out from 192.168.1.0

Site B

Ping 192.168.1.0 Reply Received from 192.168.4.0

Any ideas? I have checked the config on both OPNsense servers and they are the same. I must be missing something as the tunnel is up and I can ping from one site.

Any ideas?

Hi,

Maybe you aren't allowing some part of the traffic? You could place a tcpdump on each enc0 interface (this is the IPsec interface) and see if every packet is being routed through the tunnel.

Good luck!
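A way to make the enc0 check above repeatable, added here as an example and not part of this thread or of OPNsense itself: it parses saved `tcpdump -ni enc0` output from one side and reports which Phase 2 subnet pairs carry traffic in both directions, so a pair that only ever shows one direction (the one-way ping above) stands out. The sample capture is constructed, and the Phase 2 list and the exact tcpdump line shape are assumptions.

```python
import ipaddress
import re
# Phase 2 pairs as seen from Site A (local, remote), using the subnets from the thread.
PHASE2 = [
    ("192.168.1.0/24", "192.168.4.0/24"),
    ("192.168.2.0/24", "192.168.5.0/24"),
    ("192.168.3.0/24", "192.168.6.0/24"),
]

# Constructed sample of `tcpdump -ni enc0` output on Site A (not a real capture; the
# "(authentic,confidential): SPI ...: IP src > dst:" shape follows FreeBSD's enc0 output).
SAMPLE_ENC0 = """\
12:00:01.000000 (authentic,confidential): SPI 0x0000abcd: IP 192.168.1.10 > 192.168.4.10: ICMP echo request, id 1, seq 1, length 64
12:00:01.010000 (authentic,confidential): SPI 0x0000dcba: IP 192.168.4.10 > 192.168.1.10: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000000 (authentic,confidential): SPI 0x0000dcba: IP 192.168.5.20 > 192.168.2.5: ICMP echo request, id 2, seq 1, length 64
12:00:02.005000 (authentic,confidential): SPI 0x0000abcd: IP 192.168.2.5 > 192.168.5.20: ICMP echo reply, id 2, seq 1, length 64
12:00:03.000000 (authentic,confidential): SPI 0x0000abcd: IP 192.168.3.7 > 192.168.6.9: ICMP echo request, id 3, seq 1, length 64
"""
# "IP src[.port] > dst[.port]:" as tcpdump prints it; lines without an IP header are skipped.
PKT_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

def parse_enc0(text):
    """Yield (src, dst) address objects for every decrypted packet line in the capture."""
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            yield ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def directions_per_pair(text, phase2=PHASE2):
    """Map each Phase 2 pair to the directions seen on enc0; also return packets matching no pair."""
    nets = [(pair, ipaddress.ip_network(pair[0]), ipaddress.ip_network(pair[1])) for pair in phase2]
    seen = {pair: set() for pair in phase2}
    unmatched = []
    for src, dst in parse_enc0(text):
        for pair, local, remote in nets:
            if src in local and dst in remote:
                seen[pair].add("local->remote")
                break
            if src in remote and dst in local:
                seen[pair].add("remote->local")
                break
        else:  # no Phase 2 selector covers this packet
            unmatched.append((str(src), str(dst)))
    return seen, unmatched

def one_way_pairs(text, phase2=PHASE2):
    """Pairs with traffic in only one direction (or none): the one-way ping symptom from the thread."""
    seen, _ = directions_per_pair(text, phase2)
    return [pair for pair in phase2 if seen[pair] != {"local->remote", "remote->local"}]
```

Run it against captures taken on both firewalls; a pair that is two-way on one side but one-way on the other points at the firewall rules or routing on the side where the return traffic disappears.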