How to establish a routed IPSec Tunnel

[dennis_u]

How can I establish a IPSec-VPN-Tunnel with an interface I can set routes to?

Code: [Select]

(10.10.0.0/16, 192.168.5.0/24) SRX --- INTERNET --- OpnSense (192.168.20.0/24, 192.168.255.1/32)

With the mode "Tunnel IPv4" I can reach either 10.10.0.0/16 or 192.168.5.0/24, based on the configuration of phase two's remote network. If I use "Manual SPD entries" the connection can be used for some time, but after some hours I have to swap the entries "remote network" and "manual SPD entries" two times to be able to reach both remote networks for a while.

Coming from Juniper VPN world I am used to create a tunnel interface and simply route the desired networks through the IPSec tunnel. But all my tries with the "route-based" mode in combination with a gateway were hopeless cases. Does someone have a good guide to create a tunnel interface I can use to route to?

[mimugmail]

Did you try the official docs? I wrote examples there

[dennis_u]

Did you try the official docs? I wrote examples there

Do you mean this one: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html . Yes, sure. There are some points I did not understand. I cannot find the IP adresses 10.111.1.1 and 10.111.1.2 in the diagram and do not understand the purpose of these addresses in general. Furthermore if I configure it as described the box becomes unreachable (no ping, no ssh, no web) in the moment when the tunnel comes up (so I have to reboot without wan connection to undo the configuration).

[Gauss23]

Did you try the official docs? I wrote examples there

Do you mean this one: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html . Yes, sure. There are some points I did not understand. I cannot find the IP adresses 10.111.1.1 and 10.111.1.2 in the diagram and do not understand the purpose of these addresses in general. Furthermore if I configure it as described the box becomes unreachable (no ping, no ssh, no web) in the moment when the tunnel comes up (so I have to reboot without wan connection to undo the configuration).

Those IPs are just examples. They are needed as a sort of transfer-net. They are used as an interface to route traffic. Policy based IPsec tunnels don’t use a transfer-net.
Do you use by coincidence IPs from that example somewhere else in your network? This would be an explanation for the box going „offline“.

[dennis_u]

Those IPs are just examples. They are needed as a sort of transfer-net. They are used as an interface to route traffic. Policy based IPsec tunnels don’t use a transfer-net.
Do you use by coincidence IPs from that example somewhere else in your network? This would be an explanation for the box going „offline“.

I used 10.255.255.1 and 10.255.255.2, which are not part of 10.10.0.0/16 . More IPs than mentioned in the first post are not used.

I read somewhere some minutes ago that "Install Policy" in phase 1 is a crucial point. So far it is activated (as it is needed for "Tunnel IPv4" mode), but I should deactivate it for route-based configs. Could try it now, but I am afraid of misconfiguration. Tomorrow, I am on side again. I do not want to saw the branch I'm sitting on 

[mimugmail]

It has to be unticked in route based

[dennis_u]

OK, I guess the checkbox of "Install Policy" was one piece of the problem. The second point was that the gateway did not become online. My solution was to remove all relevant configurations and start over again.

I'm happy to announce that the routed tunnel is fully working. Thanks a lot.

Regarding the "Tunnel IPs": they should be used carefully, since I realized that the syslog messages of this box are sent with the source IP 10.111.1.1, now (configured as "Local Address").

By the way, one additional hint for the opnSense GUI. If I configure 10.111.1.1 as Local Address and 10.111.1.2 as Remote Address, the IPSec Overview (menu Tunnel Settings) says in column Remote Gateway 10.111.1.1 . Guess, this is not correct.

[dennis_u]

One additional question to this topic:

I have two route-based IPSec tunnels. In most cases (but not everytime) after establishing the tunnels I have to deactivate and re-activate the routes (tick the checkboxes to disable, apply, untick the boxes, apply). After that, the traffic is possible immediately.

This is annoying since it also happens after reboots (e.g. because of updates).