Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
19.1 Legacy Series
»
Getting opnSense to route over IPSec tunnel
« previous
next »
Print
Pages: [
1
]
Author
Topic: Getting opnSense to route over IPSec tunnel (Read 7730 times)
arandomadmin
Newbie
Posts: 8
Karma: 0
Getting opnSense to route over IPSec tunnel
«
on:
July 19, 2019, 03:23:10 am »
Hi All,
Hopefully an easy one, I've got an IPSec tunnel connecting two sites, that side of things is working, but there's one niggle.
There's an internal domain setup at each site, and for queries to site A's internal domain I want to direct unbound on opnSense at Site B to query site A's DNS and vice-versa, the overrides are set up and working but there's an issue.
The issue is that although all the hosts on the LAN net can see all the hosts on the remote net (and vice versa) the gateway itself tries to route traffic bound to the other site via its default gateway rather than through the IPSec tunnel.
I've tried some tweaks around routing/gateways but nothing seems to convince it to route out over the IPSec tunnel for that network.
If anybody can give me some pointers I'd appreciate it.
Thanks,
-A
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Getting opnSense to route over IPSec tunnel
«
Reply #1 on:
July 19, 2019, 09:14:34 am »
Do you have Install Policy in Phase1 enabled? What exactly do you mean with "can see"?
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
arandomadmin
Newbie
Posts: 8
Karma: 0
Re: Getting opnSense to route over IPSec tunnel
«
Reply #2 on:
July 19, 2019, 03:10:23 pm »
Install Policy is checked in my Phase 1 config.
From any host (except the gateway) on site A's network I can ping and connect to any host on site B without issue (by IP address obviously since name resolution doesn't work due to this issue).
e.g.
Site A gateway -> Any host (including gateway) on site B: Unable to connect (attempts to route to Site B's network via default gateway on WAN interface).
Any host (except gateway) on site A -> Any host on site B: Connects without issue.
Same is true in the reverse direction.
Basically the opnSense box is trying to route a connection to 192.168.1.1 out over the public internet rather than via the IPSec tunnel.
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Getting opnSense to route over IPSec tunnel
«
Reply #3 on:
July 19, 2019, 04:08:32 pm »
When you initiate the packet on the firewall itself it chooses the nearest interface, which is WAN, and WAN doesn't fit into your IPSEC SA, so this is correct behavior.
If you really need this you need a second P2 machting left your WAN IP and right the other network.
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
arandomadmin
Newbie
Posts: 8
Karma: 0
Re: Getting opnSense to route over IPSec tunnel
«
Reply #4 on:
July 20, 2019, 04:27:03 am »
OK, I created a new phase 2 on this site with;
Local Subnet = Local WAN address
Remote Subnet = Remote LAN network
And a matching Phase 2 at the other end (local and remote reversed of course), restarted IPSec on both ends.
Still trying to route 192.168.1.1 out the default gateway...
Also tried using "WAN Subnet" for local, and just the remote gateway IP for Remote (because the local gateway only really needs to be able to connect to that one box).
I can see all the requisite entries in the Security Policy Database, so I'm not sure what's going on :/
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Getting opnSense to route over IPSec tunnel
«
Reply #5 on:
July 20, 2019, 06:25:40 am »
Gateway Policy routing in Firewall rules active?
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
arandomadmin
Newbie
Posts: 8
Karma: 0
Re: Getting opnSense to route over IPSec tunnel
«
Reply #6 on:
July 23, 2019, 02:08:30 am »
Not familiar with that setting and can't find it.
Unless you are asking if I've got a gateway defined in any of my firewall rules? If that's the case then the answer is no.
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Getting opnSense to route over IPSec tunnel
«
Reply #7 on:
July 23, 2019, 05:55:38 am »
Screenshot of IPsec Status Overview please
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
arandomadmin
Newbie
Posts: 8
Karma: 0
Re: Getting opnSense to route over IPSec tunnel
«
Reply #8 on:
July 23, 2019, 07:12:45 am »
Not sure how to embed attached images inline in a post on this forum.
I've attached sanitised screenshots of;
- IPSec Status Overview
- IPSec Tunnel Settings
- IPSec Security Association Database
- IPSec Security Policy Database
Logged
arandomadmin
Newbie
Posts: 8
Karma: 0
Re: Getting opnSense to route over IPSec tunnel
«
Reply #9 on:
July 23, 2019, 07:15:26 am »
Didn't notice the "expand" button when I was looking at the status overview, here's the expanded version.
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Getting opnSense to route over IPSec tunnel
«
Reply #10 on:
July 23, 2019, 09:46:57 am »
Hm, looks OK .. can you do a packet capture showing that it leaves WAN?
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
arandomadmin
Newbie
Posts: 8
Karma: 0
Re: Getting opnSense to route over IPSec tunnel
«
Reply #11 on:
July 23, 2019, 02:17:22 pm »
Not entirely clear on what you're after, I've attached a screen grab of a tcpdump session attempting to traceroute to the DNS on the other site.
tcpdump was running on the WAN interface filtered using "host 192.168.1.1" (the remote gateway's IP address).
the .209 address is my nexthop (default gateway configured on the opnSense box)
Logged
arandomadmin
Newbie
Posts: 8
Karma: 0
Re: Getting opnSense to route over IPSec tunnel
«
Reply #12 on:
July 30, 2019, 05:03:40 am »
Any further suggestions?
As an interim (hopefully), dirty hack I've spun up a VM at each end that sits on the "LAN" segment and uses unbound to steer requests for the internal domain of the other location to the opposite end's DNS then added overrides on the gateways at each end to tell them to ask that Unbound for those domains, which works but it's a bit of a kludge.
i.e. gateway 192.168.1.1 has override for <other end internal domain> to 192.168.1.3 which runs unbound and forwards queries for that domain to 192.168.30.1 (gateway/DNS at the other end) and vice-versa.
Thanks
«
Last Edit: July 30, 2019, 09:40:48 am by arandomadmin
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
19.1 Legacy Series
»
Getting opnSense to route over IPSec tunnel