Special Routing Issue

Started by jimjohn, October 20, 2021, 04:54:03 PM

Hi,

I got two sites coupled via IPsec:

(A) is 10.X.X.X
(B) is 192.X.X.X

The IPsec tunnel works. Now at (A), I got an OPNsense appliance with a host connected that I want to reach from (B).


(B) == IPsec ==> (A) ==> OPNsense WAN IF ==> OPNsense LAN IF ==> Target Host

How can I achieve that? I do not see any packets coming in on the WAN IF of my OPNsense appliance (yes, log is on, yes catch-all rule defined).

Thanks in advance!

IPsec and routing in general are not transitive. The fact that you can reach A from B does not imply you can reach anything "behind A".

That means that you must add an IPsec phase 2 entry with the network of your OPNsense LAN to your VPN connection. On both sides. Using "local" and "remote" accordingly.

So on VPN gateway at "A" that network is local, on the gateway at "B" it's remote.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
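To make the "on both sides, local and remote accordingly" point concrete, here is an added example (not from the thread or from any OPNsense/FRITZ!Box code) that models phase 2 traffic selectors on the two gateways and checks whether a packet from a host at B to a host behind the OPNsense at A is covered. All subnets and host addresses are constructed assumptions; the poster only gave 10.X.X.X and 192.X.X.X.

```python
"""Why traffic for a network behind site A never shows up on the OPNsense WAN
interface: site-to-site IPsec only carries packets that match a phase 2
(child SA) traffic selector, and those selectors must be mirrored on both
gateways. Added example; every subnet below is a constructed assumption."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Phase2:
    """One phase 2 entry as seen from a gateway: its own side is 'local'."""
    local: IPv4Network
    remote: IPv4Network


# Constructed subnets (assumptions, not the poster's real addressing).
SITE_A_LAN = ip_network("10.0.0.0/24")        # LAN of the VPN gateway at A
OPNSENSE_LAN = ip_network("10.10.0.0/24")     # LAN behind the OPNsense at A
SITE_B_LAN = ip_network("192.168.1.0/24")     # LAN at B

# Original tunnel: one phase 2 per side, gateway LAN to gateway LAN only.
A_SAS_BEFORE = [Phase2(SITE_A_LAN, SITE_B_LAN)]
B_SAS_BEFORE = [Phase2(SITE_B_LAN, SITE_A_LAN)]

# The fix from the reply: OPNsense LAN is "local" at A and "remote" at B.
A_SAS_AFTER = A_SAS_BEFORE + [Phase2(OPNSENSE_LAN, SITE_B_LAN)]
B_SAS_AFTER = B_SAS_BEFORE + [Phase2(SITE_B_LAN, OPNSENSE_LAN)]


def find_selector(sas: List[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """Return the entry whose selectors cover src -> dst from this gateway's
    point of view (src in local, dst in remote), or None if nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for sa in sas:
        if s in sa.local and d in sa.remote:
            return sa
    return None


def check_path(sender_sas: List[Phase2], receiver_sas: List[Phase2],
               src: str, dst: str) -> List[str]:
    """Check whether a packet src -> dst can cross the tunnel.

    The sending gateway needs an outbound selector (src local, dst remote);
    the receiving gateway needs the mirror image (dst local, src remote).
    Returns a list of problems; an empty list means both sides match.
    The match is symmetric, so the same call also covers the reply."""
    problems = []
    if find_selector(sender_sas, src, dst) is None:
        problems.append(f"sender: no phase 2 covers {src} -> {dst} "
                        "(packet is not sent through the tunnel)")
    if find_selector(receiver_sas, dst, src) is None:
        problems.append(f"receiver: no phase 2 covers {src} -> {dst} "
                        "(packet does not match any IPsec policy)")
    return problems


def main() -> None:
    host_b, target = "192.168.1.20", "10.10.0.5"   # constructed hosts
    for label, b_sas, a_sas in [
        ("before", B_SAS_BEFORE, A_SAS_BEFORE),
        ("only B changed", B_SAS_AFTER, A_SAS_BEFORE),
        ("both sides changed", B_SAS_AFTER, A_SAS_AFTER),
    ]:
        problems = check_path(b_sas, a_sas, host_b, target)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")


if __name__ == "__main__":
    main()
```

The middle case is the one that bites in practice: adding the network on only one gateway still leaves the other side without a matching policy, so nothing ever arrives at the OPNsense WAN interface and its firewall log stays empty. Beyond what the thread states, the gateway at A also has to know where 10.10.0.0/24 (the assumed OPNsense LAN) lives, i.e. a route pointing at the OPNsense WAN address, otherwise the decrypted packet has nowhere to go.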

Thanks.

Since both VPN endpoints are FRITZ!Boxes and I also have access to an OPNsense at (B), may it be easier to just build a VPN which is embedded into the IPsec tunnel (i.e. Wireshark, OpenVPN), put the origin host behind the OPNsense at (B) and let the OPNsenses take care of the routing?

If yes, how would I do that?