Topic: Additional VPN using existing IPsec Tunnel (Read 2316 times)
jimjohn
Full Member
Posts: 128
Karma: 3
Additional VPN using existing IPsec Tunnel
« on: April 30, 2021, 12:42:19 pm »
Hi all,
as you see in the attached screenshot, I have two locations being coupled by an IPsec Tunnel which is managed by the router. Each location has an OPNsense appliance, which is not directly exposed to the internet.
I have LAN-LAN coupling already, which works okay. Now I want to enable cross-access from DMZ_1 to BKP_2 and vice versa, where "DMZ" is actually not reachable from the internet but still behind the VPN of the router. Nothing should be exposed to the internet, except the encrypted VPN traffic.
What would be the best approach to achieve this?
BTW: I probably would use 172.X.X.X IPs for the VPN tunnel just to have a clearer separation for easier administration.
Thanks for your tips in advance!
jimjohn
Full Member
Posts: 128
Karma: 3
Re: Additional VPN using existing IPsec Tunnel
« Reply #1 on: May 04, 2021, 11:29:49 am »
Anyone?
Patrick M. Hausen
Hero Member
Posts: 6826
Karma: 573
Re: Additional VPN using existing IPsec Tunnel
« Reply #2 on: May 04, 2021, 12:07:42 pm »
Just add the subnets as an additional phase 2 entry. With both gateways being OPNsense there should not be anything extra to configure, although "Tunnel Isolation" in phase 1 might be necessary - I honestly don't know.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
jimjohn
Full Member
Posts: 128
Karma: 3
Re: Additional VPN using existing IPsec Tunnel
« Reply #3 on: May 04, 2021, 12:08:34 pm »
Thanks for your answer. Would you use IPsec or OpenVPN? And why?
Patrick M. Hausen
Hero Member
Posts: 6826
Karma: 573
Re: Additional VPN using existing IPsec Tunnel
« Reply #4 on: May 04, 2021, 01:01:56 pm »
You have an established IPsec tunnel and want to route additional subnets. Why would you use anything else just for those?
jimjohn
Full Member
Posts: 128
Karma: 3
Re: Additional VPN using existing IPsec Tunnel
« Reply #5 on: May 04, 2021, 04:09:15 pm »
The topology above is simplified. There are other devices outside the "control" of the OPNsense directly attached to either router. Because this IPsec tunnel is used by "not trustworthy" devices, such as smartphones etc., and by multiple users in the net "above" the OPNsense, I want to have an OPNsense <=> OPNsense VPN tunnel which is one layer below the router's. Plus, I do not want to expose the OPNsenses directly to the internet, because that would mean an additional port forward on either router, which I'd like to avoid as well.
Example: traffic is encrypted transport-wise by the IPsec tunnel of the router from router (A) to router (B). So far so good. But if I regard both the router and / or devices in the router's subnet as "not trustworthy", I need to have a second level of encryption between the OPNsenses to completely separate the communication of DMZ <=> BKP.
« Last Edit: May 04, 2021, 04:11:52 pm by jimjohn »
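Two things in this thread lend themselves to a quick planning check: Patrick's advice to add the new subnets as an additional phase 2 entry (each phase 2 should select traffic that no other phase 2 on the same tunnel also selects), and jimjohn's plan to run an OPNsense-to-OPNsense tunnel nested inside the router-to-router tunnel without any port forward (which only works if the two OPNsense addresses are themselves covered by an existing phase 2 of the router tunnel, so the inner IKE/ESP packets ride inside the outer tunnel). The script below is an added example, not code from the thread or from OPNsense; every address in it is constructed, since the thread only names DMZ_1, BKP_2 and the LAN-LAN coupling, and the OPNsense addresses 192.168.1.254 / 192.168.2.254 are an assumption.

```python
"""Planning checks for phase 2 (child SA) selectors and a nested IPsec tunnel.

All networks and addresses below are constructed for this example; they are
not from the thread. Adjust them to the real topology before use.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Phase2:
    """One phase 2 entry as seen from the local gateway: local and remote selectors."""
    name: str
    local: str
    remote: str

    def nets(self):
        return Net(self.local), Net(self.remote)

    def covers(self, local_ip: str, remote_ip: str) -> bool:
        """True if traffic between local_ip and remote_ip matches this entry.
        IPsec policies are symmetric, so checking one direction is enough."""
        loc, rem = self.nets()
        return (ipaddress.ip_address(local_ip) in loc
                and ipaddress.ip_address(remote_ip) in rem)


def overlapping_entries(entries):
    """Return name pairs of entries whose selectors overlap on both sides.

    Two such children compete for the same packets, so part of the traffic
    may be encapsulated by the wrong SA. When adding a phase 2, keep its
    selectors disjoint from every existing entry on that tunnel."""
    pairs = []
    for i, a in enumerate(entries):
        al, ar = a.nets()
        for b in entries[i + 1:]:
            bl, br = b.nets()
            if al.overlaps(bl) and ar.overlaps(br):
                pairs.append((a.name, b.name))
    return pairs


def inner_tunnel_is_carried(outer, local_ep: str, remote_ep: str) -> bool:
    """True if some outer phase 2 covers the two inner-tunnel endpoints.

    If so, the inner tunnel's IKE (UDP 500/4500) and ESP packets travel
    inside the router tunnel and no port forward on either router is needed.
    If not, the inner tunnel would have to be exposed some other way."""
    return any(p.covers(local_ep, remote_ep) for p in outer)


def plan_report(outer, inner, local_ep: str, remote_ep: str) -> dict:
    """Bundle the checks into one report for both tunnels."""
    return {
        "inner_tunnel_carried": inner_tunnel_is_carried(outer, local_ep, remote_ep),
        "outer_overlaps": overlapping_entries(outer),
        "inner_overlaps": overlapping_entries(inner),
    }


# Constructed topology (assumption, not from the thread):
# router tunnel already couples LAN_1 and LAN_2; the OPNsense at each site
# sits inside its LAN with a single address; the nested tunnel couples DMZ_1
# with BKP_2, which live behind the respective OPNsense.
OUTER = [Phase2("lan1-lan2", "192.168.1.0/24", "192.168.2.0/24")]
OPNSENSE_A = "192.168.1.254"   # assumed outer-facing address of OPNsense at site 1
OPNSENSE_B = "192.168.2.254"   # assumed outer-facing address of OPNsense at site 2
INNER = [Phase2("dmz1-bkp2", "10.10.1.0/24", "10.20.2.0/24")]

if __name__ == "__main__":
    print(plan_report(OUTER, INNER, OPNSENSE_A, OPNSENSE_B))
    # A sloppy second entry that overlaps the first one on both sides:
    sloppy = INNER + [Phase2("dmz-all-bkp2", "10.10.0.0/16", "10.20.2.0/24")]
    print("overlaps after adding sloppy entry:", overlapping_entries(sloppy))
```

With the constructed addresses the report shows the inner tunnel as carried by the `lan1-lan2` phase 2 and no overlaps; the second print flags the `dmz1-bkp2` / `dmz-all-bkp2` pair, which is the situation to avoid when adding the extra phase 2 Patrick describes.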