Topic: IPsec Site-to-Site - no access from OPNsense service (Read 1703 times)
Tubs (Full Member)
Posted on: May 03, 2020, 11:15:00 am
Hello,
I assume I have a routing or firewall issue on the OPNsense side, but I am running out of ideas where to search.
Under OPNsense I have set up a site-to-site VPN with IPsec. On the OPNsense side it is connected to the DMZ interface and its network. On the remote site it is connected to a single host and the routed network.
Code:
DMZ (192.168.10.0/24) --> IPSec ------------> libreswan --> centos host (10.10.1.1/24)
What is not working is a connection from a service on OPNsense to the remote host. To be precise, I cannot reach the remote host with the RFC2136 plugin to do DNS updates via port 53/udp.
The firewall allows all traffic from the DMZ network to the routed network. Connections between devices in the DMZ network and the remote host are working. From the DMZ network I can reach my target port. So all is fine on the remote side.
Mitheor (Newbie)
Reply #1 on: May 03, 2020, 11:47:06 am
Hi,
Have you run a tcpdump on the remote machine and on both IPsec peers to check whether those DNS updates are being encapsulated / allowed?
Tubs (Full Member)
Reply #2 on: May 06, 2020, 03:12:35 am
Thanks for the help.
I do not know how to use tcpdump in a way that would be helpful.
But my problem is solved. It is working now. I did not really change anything, at least not on purpose. But after rebooting both machines it is working as expected. No idea what was wrong.
I will observe whether it now runs stably.
mimugmail (Hero Member)
Reply #3 on: May 06, 2020, 07:55:38 am
OPNsense will use its WAN IP when it tries to reach an IP inside the tunnel.
Two options: either you let the service know that it has to open connections with the LAN IP (when the daemon supports it), or you add a second SA to the tunnel with left network your WAN IP/32.
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
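To make Reply #3 concrete, here is an added example (not from the thread, not OPNsense code) that models how policy-based IPsec selects a child SA purely by traffic selectors. It uses the thread's DMZ and remote networks, an assumed OPNsense DMZ address of 192.168.10.1 and an assumed WAN address of 203.0.113.5 (documentation range); both of those, and the remote host 10.10.1.1, are constructed values. The model shows why a daemon on the firewall that picks its source address from the default route (the WAN address) never matches the DMZ-only SA, so its DNS update leaves the WAN interface unencapsulated, which is exactly what the tcpdump suggested in Reply #1 would reveal. It then shows both fixes from Reply #3: binding the daemon to the DMZ address, or adding a second SA with the WAN IP/32 as left network.

```python
"""Added example: traffic-selector matching for a policy-based IPsec tunnel.
Not part of the forum thread or of OPNsense; all addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed topology taken from the thread's diagram.
DMZ_NET = "192.168.10.0/24"      # OPNsense DMZ ("left") network
REMOTE_NET = "10.10.1.0/24"      # libreswan side ("right") network
REMOTE_HOST = "10.10.1.1"        # CentOS host running the DNS server
DMZ_IF_IP = "192.168.10.1"       # assumed OPNsense DMZ interface address
WAN_IP = "203.0.113.5"           # assumed OPNsense WAN address (hypothetical)


@dataclass(frozen=True)
class ChildSA:
    """One phase-2 entry: a pair of traffic selectors (local net <-> remote net)."""
    local_net: str
    remote_net: str

    def matches(self, src: str, dst: str) -> bool:
        # Policy-based IPsec only protects packets whose source AND destination
        # fall inside the selectors; there is no tunnel interface or route.
        return (ip_address(src) in ip_network(self.local_net)
                and ip_address(dst) in ip_network(self.remote_net))


# The tunnel as described in the thread: only the DMZ network on the left.
BASE_SAS: Tuple[ChildSA, ...] = (ChildSA(DMZ_NET, REMOTE_NET),)


def effective_source(bind_ip: Optional[str]) -> str:
    """Source address a daemon running on the firewall ends up using.

    If the daemon can bind to a specific local address, that address is used.
    Otherwise the kernel takes the address of the interface chosen by the
    routing table; a remote-site destination has no tunnel route, so it falls
    to the default route and the WAN address is selected."""
    return bind_ip if bind_ip else WAN_IP


def classify(src: str, dst: str, sas: Tuple[ChildSA, ...]) -> str:
    """Return 'ipsec:<left net>' if some child SA matches the flow, otherwise
    'plaintext' (the packet leaves unencrypted via the default route and never
    reaches the remote private network)."""
    for sa in sas:
        if sa.matches(src, dst):
            return f"ipsec:{sa.local_net}"
    return "plaintext"


def scenarios() -> dict:
    """The four cases discussed in the thread, keyed by name."""
    # Fix B from Reply #3: a second SA whose left network is the WAN IP/32.
    fixed_sas = BASE_SAS + (ChildSA(f"{WAN_IP}/32", REMOTE_NET),)
    return {
        # A host in the DMZ reaches the remote host: selectors match.
        "dmz_host": classify("192.168.10.50", REMOTE_HOST, BASE_SAS),
        # The RFC2136 update from the firewall itself: WAN source, no match.
        "firewall_default": classify(effective_source(None), REMOTE_HOST, BASE_SAS),
        # Fix A: daemon bound to the DMZ interface address.
        "firewall_bound_to_dmz": classify(effective_source(DMZ_IF_IP), REMOTE_HOST, BASE_SAS),
        # Fix B: unchanged daemon, extra WAN/32 child SA.
        "firewall_with_wan32_sa": classify(effective_source(None), REMOTE_HOST, fixed_sas),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} -> {result}")
```

Run it and the "firewall_default" case comes out as plaintext while the other three are carried by a child SA; on a real box the equivalent check is a capture on the WAN interface for port 53/udp (unencapsulated means no SA matched) versus ESP traffic to the peer.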
Tubs (Full Member)
Reply #4 on: May 06, 2020, 12:57:12 pm
Thank you.
This will now help me search or set things up in the right direction.