OPNsense Forum » English Forums » Virtual private networks
Topic: pushing remote access vpn packets into site-to-site tunnel (Read 2209 times)
mzaghouani
Newbie
Posts: 4
Karma: 0
pushing remote access vpn packets into site-to-site tunnel
« on: November 01, 2021, 04:51:15 pm »
Hello,
I have established a site-to-site tunnel between OPNsense(siteA) and a Cisco router(siteB) and I have access to remote attached networks from both sites. I also have established a remote access VPN with OPNsense(siteB) and I also had access to the remote network directly attached to OPNsense(siteB).
Otherwise, I was aiming to access the directly attached network to the Cisco router(siteA) from the VPN client, which is, as I said previously, connected to OPNsense(siteB), so I decided to add a second phase 2 entry to the network attached to the Cisco router(siteA) and I added the virtual network address of the VPN client (which is configured in mobile client params) in the field called 'manual SPD entries' of the phase 2 parameters of the site-to-site tunnel, then I created an outbound NAT rule in the IPsec interface to NAT the VPN client address so that the traffic generated by the VPN client could pass through the site-to-site tunnel.
Unfortunately, after this configuration, I couldn't access the directly attached network to the Cisco router(siteA) from the VPN client.
Is there any suggestion how I can change this configuration to finally reach the Cisco router site from my VPN client connected to the OPNsense site?
Patrick M. Hausen
Hero Member
Posts: 6825
Karma: 573
Re: pushing remote access vpn packets into site-to-site tunnel
« Reply #1 on: November 01, 2021, 04:56:06 pm »
Phase 2 as well as manual SPD entries need to be coordinated between both sides of an IPsec connection.
From what you wrote I think you need to:
- push a route for the remote network behind the Cisco to your remote access VPN clients - unless they get a default route, anyway
- NAT the remote access network to some address that is in the local part of your existing phase2 entry/entries
HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
mzaghouani
Newbie
Posts: 4
Karma: 0
Re: pushing remote access vpn packets into site-to-site tunnel
« Reply #2 on: November 01, 2021, 05:14:42 pm »
Thanks pmhausen for your response.
VPN clients will use the tunnel to OPNsense to access the remote network behind Cisco because I have already added a second phase 2 entry in that tunnel.
I also NATted the remote access network to one address of the OPNsense local network which is part of the phase 2 entry of the site-to-site tunnel.
Patrick M. Hausen
Hero Member
Posts: 6825
Karma: 573
Re: pushing remote access vpn packets into site-to-site tunnel
« Reply #3 on: November 01, 2021, 05:41:50 pm »
I meant the remote access VPN clients. Do you push a route to the target network to them?
What remote access service are you using? OpenVPN? WireGuard? Or IPsec? Never tried the latter - it's a mess with road warriors.
mzaghouani
Newbie
Posts: 4
Karma: 0
Re: pushing remote access vpn packets into site-to-site tunnel
« Reply #4 on: November 01, 2021, 05:54:58 pm »
First, I don't use a route for the target network concerning the VPN clients, but when I do a packet capture of the IPsec interface (in OPNsense) I can see the packets from the VPN client to the target (Cisco network), so the traffic can reach OPNsense but it is not actually forwarded to the target.
Second, I use IPsec for remote access VPN, so do you suggest that I change it for my case?
Patrick M. Hausen
Hero Member
Posts: 6825
Karma: 573
Re: pushing remote access vpn packets into site-to-site tunnel
« Reply #5 on: November 01, 2021, 06:39:32 pm »
I don't suggest anything at this point, only state that I lack experience with IPsec for road warriors in recent years because I found it to be rather complicated and unreliable. Back in the days you always needed some proprietary VPN client like Shrew Soft etc. And then the mess with the certificates ...
OK, that aside ...
Obviously your remote access network is not part of a phase 2 entry for your site-to-site VPN. So the packets don't enter the tunnel. That's expected behaviour for a policy based IPsec setup.
OPNsense also supports a route based setup. So I would read up in the docs on that. Probably your best bet to get it working if you cannot add the remote access network to phase2 at the Cisco side.
HTH,
Patrick
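The two mechanisms discussed in Reply #1 and Reply #5 (NATting the remote access pool into an address covered by the existing phase 2, versus a route-based tunnel where only the destination decides) can be modelled with a small policy lookup. The script below is an added example and is not code from the thread, from OPNsense or from strongSwan; every subnet in it is a constructed placeholder, and it assumes, as Patrick's NAT suggestion does, that outbound NAT on the IPsec interface is applied before the outbound SPD (security policy database) lookup. It goes slightly beyond the thread by also showing the route-based lookup for contrast.

```python
"""Model of a policy-based IPsec SPD check versus a route-based lookup.

Added illustration, not OPNsense or strongSwan code. All addresses below are
constructed placeholders; the forum thread does not give the real subnets.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology (hypothetical values):
SITE_A_LAN = "10.1.0.0/24"   # LAN behind OPNsense, the "local" phase 2 side
SITE_B_LAN = "10.2.0.0/24"   # LAN behind the Cisco, the "remote" phase 2 side
RA_POOL = "10.99.0.0/24"     # virtual address pool handed to remote access clients


@dataclass(frozen=True)
class Phase2:
    """One phase 2 (child SA) traffic selector pair: local <-> remote."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def parse_policies(entries):
    """Build Phase2 selectors from (local_cidr, remote_cidr) string pairs."""
    return [Phase2(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in entries]


def matching_policy(policies, src, dst):
    """Outbound SPD lookup of a policy-based tunnel: return the first phase 2
    selector covering src -> dst, or None. No match means the packet is never
    encapsulated, which is the silent drop described in Reply #5."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if s in p.local and d in p.remote:
            return p
    return None


def source_nat(src, nat_rules):
    """Apply the first outbound NAT rule whose source network covers src.
    nat_rules is a list of (source_cidr, translated_address) pairs."""
    s = ipaddress.ip_address(src)
    for net, translated in nat_rules:
        if s in ipaddress.ip_network(net):
            return translated
    return src


def tunnel_decision(policies, nat_rules, src, dst):
    """Outbound NAT on the IPsec interface, then the SPD check (assumed order).
    Returns (post_nat_source, matching Phase2 or None)."""
    post_nat = source_nat(src, nat_rules)
    return post_nat, matching_policy(policies, post_nat, dst)


def route_based_egress(routes, dst):
    """Route-based (VTI) tunnel: longest-prefix match on the destination only.
    routes is a list of (cidr, interface_name). The packet source plays no
    part, so the remote access pool needs no selector of its own."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1] if best else None


# Existing site-to-site phase 2 entry (constructed).
POLICIES = parse_policies([(SITE_A_LAN, SITE_B_LAN)])
# Reply #1's fix: translate the client pool to an address inside SITE_A_LAN.
NAT_FIX = [(RA_POOL, "10.1.0.254")]
# Reply #5's alternative: a VTI interface name "ipsec1" is assumed, not taken
# from the thread; the route for SITE_B_LAN points at it.
ROUTES = [("0.0.0.0/0", "wan"), (SITE_B_LAN, "ipsec1")]

if __name__ == "__main__":
    client, target = "10.99.0.5", "10.2.0.10"
    print("policy-based, no NAT:", tunnel_decision(POLICIES, [], client, target))
    print("policy-based, NAT fix:", tunnel_decision(POLICIES, NAT_FIX, client, target))
    print("route-based egress:", route_based_egress(ROUTES, target))
```

Run as is, the first decision returns no policy (the packet reaches the IPsec interface but is never tunnelled), the second returns the existing phase 2 because the translated source now sits inside the local selector, and the route-based lookup picks the tunnel interface regardless of source. With the NAT approach the Cisco side needs no change, since it already accepts the whole local subnet; with the route-based approach both ends must be configured for VTI.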