OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Virtual private networks »
  • OPNsense with Site-to-Site IPsec configured steals other routed IPsec traffic
« previous next »
  • Print
Pages: [1]

Author Topic: OPNsense with Site-to-Site IPsec configured steals other routed IPsec traffic  (Read 1354 times)

kokel

  • Newbie
  • *
  • Posts: 2
  • Karma: 0
    • View Profile
OPNsense with Site-to-Site IPsec configured steals other routed IPsec traffic
« on: January 11, 2022, 10:06:29 am »
Hello,

we are running OPNsense (Business Repo) on 2x Sophos SG330 hardware in HA with versions:

Code: [Select]
OPNsense 21.10.1-amd64
FreeBSD 12.1-RELEASE-p21-HBSD
OpenSSL 1.1.1l 24 Aug 2021
On wan side our ISP routes a /26 IPv4 public subnet to our wan carp address.
Theses additional IP addresses are configured as IP aliases on the wan interface, also.

We are running an IPsec Site-to-Site tunnel terminated on the OPNsense configured on one of the public ip which is configured as ip alias on WAN interface (as all others, also), e.g. this IP is 1.1.1.1

Additional for another public ip we do BINAT. All traffic for that ip is natted to a direct connected interface/subnet to a fortinet device, which should establish another Site-to-Site IPsec tunnel, but this doens't work.

We have noticed that the charon process on the opnsense listens on all ip addresses on the opnsense, so the opnsense steals all ipsec traffic, even that traffic for public ips which are not configured on the ipsec service on the opnsense:

Code: [Select]
2022-01-11T09:59:07 charon[10012] 12[NET] <1989> sending packet: from 2.2.2.2[500] to x.x.x.x[500] (36 bytes)
2022-01-11T09:59:07 charon[10012] 12[ENC] <1989> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2022-01-11T09:59:07 charon[10012] 12[IKE] <1989> no IKE config found for 2.2.2.2...x.x.x.x, sending NO_PROPOSAL_CHOSEN
2022-01-11T09:59:07 charon[10012] 12[ENC] <1989> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
2022-01-11T09:59:07 charon[10012] 12[NET] <1989> received packet: from x.x.x.x[500] to 2.2.2.2[500] (392 bytes)
Code: [Select]
all udp x.x.x.x:500 10.0.0.2:500 NO_TRAFFIC:SINGLE
2.2.2.2 - Public ip / ip alias on wan interface / binat to internal rfc1918 address / fortinet / not related to ipsec terminated on opnsense
10.0.0.2 - internal rfc1918 ip of fortinet device
x.x.x.x - vpn endpoint ip for fortinet on the internet

How can we achieve that the opnsense ipsec stack doesn't listen for the ip 2.2.2.2 anymore in order to nat and forward this traffic rather than handling it itself?

Any help appreciated. Let me know if more details are needed.

Thanks, kokel
Logged

kokel

  • Newbie
  • *
  • Posts: 2
  • Karma: 0
    • View Profile
Re: OPNsense with Site-to-Site IPsec configured steals other routed IPsec traffic
« Reply #1 on: September 04, 2022, 09:30:46 pm »
Any suggestions? Problem isn't solved yet.
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Virtual private networks »
  • OPNsense with Site-to-Site IPsec configured steals other routed IPsec traffic
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2