Static Routing with Routed vpn

Started by opnsense@dkeith.com, November 13, 2023, 05:50:29 PM

OPNsense 23.7.8_1-amd64
FreeBSD 13.2-RELEASE-p5
OpenSSL 1.1.1w 11 Sep 2023

Having an issue with routing over routed ipsec site-to-site vpn.

Site A Opnsense                                                          Site B (other firewall)
10.1.99.0/24------[10.1.1.1 vpn-A tunnel 10.1.1.2]---- 192.168.0.0/16
                           [10.1.2.1 vpn-B tunnel 10.1.2.2]---- 192.168.0.0/16

Tunnels are up and I can ping the tunnel IPs of site B.
I'm trying to configure failover from primary vpn-A to backup vpn-B using static routes.

System/Gateway/Single detects the vpn-tunnels are up or down.
I have configured System/Routes with 2 entries for 192.168.0.0/16:
1. Pointing to tunnel ip vpn-a
2. Pointing to tunnel ip vpn-b

When checking System/Routes/Status only vpn-b appears to be listed, even if System/Gateway/Single shows this gateway to be down.

I'm expecting the Priority and Status to be taken into consideration when the system makes routing decisions.
Can I have more than one static route to the same destination?
Have I got this wrong?
Whatever route was configured last appears to win.
System/Routes/Configuration does not appear to be able to use Gateway Groups.

I can route via firewall rules with the gateway pointing to the Gateway Group, but if OPNsense is hosting internal DNS, how do I route the responses back to site B correctly? I'm assuming it would be using the system routing table?

Any pointers welcome
Thanks


November 13, 2023, 06:05:57 PM #1 Last Edit: November 13, 2023, 06:08:18 PM by doktornotor
Quote from: opnsense@dkeith.com on November 13, 2023, 05:50:29 PM
Site B (other firewall)
---- 192.168.0.0/16
---- 192.168.0.0/16

Yeah, having ridiculous and identical (no more RFC1918 space left in that reserved range) /16 on two different routed tunnels won't exactly work. You can either fix the "other sites" madness, or double NAT.  ::)

Have updated Site B madness.

(_______Site A Opnsense_________)                      (________Site B other firewall___________)
10.1.99.0/24LAN---198.51.100.5WAN---INTERNET---198.51.100.15WAN A---192.168.66.0/24LAN
                                                                         ---198.51.100.25WAN B---192.168.66.0/24LAN
                            [_________10.1.1.1 vpn-A tunnel 10.1.1.2_________]
                            [_________10.1.2.1 vpn-B tunnel 10.1.2.2_________]

Site B has two independent WAN connections, so I have run a VPN tunnel to each at site B.
Can we not have 2 static routes with preference to VPN-A when it is up, then fall back to VPN-B?
In the Cisco world I believe this is a floating static route configured at site A.

November 16, 2023, 12:06:59 AM #3 Last Edit: November 16, 2023, 12:08:36 AM by xavx
Your setup should work with site B having a /16 or /24 (NAT has nothing to do here and there is no madness) if you have the redundant static routes set for each tunnel at both sites. At least on Cisco and Juniper, it would work.
Don't know if there is something fishy with BSD handling for 2 static routes with the same destination prefix.
If the static routes don't work, you might try the FRR plugin and setting up a routing protocol like OSPF with redistribute connected. OSPF would only need to be enabled on the 2 tunnels.
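To show what the FRR/OSPF approach suggested above looks like in practice, here is an added example Site A configuration in FRR syntax (not from this thread or the OPNsense project). It assumes the routed IPsec interfaces are ipsec1 (vpn-A) and ipsec2 (vpn-B), tunnel networks 10.1.1.0/30 and 10.1.2.0/30, Site A LAN 10.1.99.0/24, and that the Site B firewall runs a mirror-image OSPF configuration with the same cost preference.

```conf
! Added example (hypothetical interface names ipsec1/ipsec2 for the routed IPsec VTIs).
! Only the Site A LAN is redistributed; WAN and other connected prefixes stay out of OSPF.
ip prefix-list SITE-A-LAN seq 10 permit 10.1.99.0/24
!
route-map CONNECTED-TO-OSPF permit 10
 match ip address prefix-list SITE-A-LAN
!
! Primary tunnel vpn-A: lower cost wins while the adjacency is up.
interface ipsec1
 ip ospf area 0.0.0.0
 ip ospf network point-to-point
 ip ospf cost 10
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
! Backup tunnel vpn-B: higher cost, used only when vpn-A's adjacency is lost.
interface ipsec2
 ip ospf area 0.0.0.0
 ip ospf network point-to-point
 ip ospf cost 20
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
router ospf
 ospf router-id 10.1.1.1
 ! No OSPF hellos on LAN or WAN; adjacencies form only inside the encrypted tunnels.
 passive-interface default
 no passive-interface ipsec1
 no passive-interface ipsec2
 redistribute connected route-map CONNECTED-TO-OSPF
!
```

With both tunnels up, Site A learns 192.168.66.0/24 (or the /16) from both neighbours and installs the cost-10 path via vpn-A; when vpn-A's hellos stop for the dead interval, the cost-20 path via vpn-B takes over without any static routes, and reply traffic from OPNsense's own DNS follows the same kernel route. Check the actual VTI names under Interfaces/Assignments before applying, since they differ between installs.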