IPSec between OPNSense and EdgeRouter Infinity, no traffic from OPNSense side

Started by ermitgilsukaru, January 08, 2024, 05:08:17 PM

Hi.

My company has servers at two colocation datacenters. We used to have EdgeRouter Infinities at both sites connected with VTI IPSec, but I recently changed out one of the EdgeRouters with an OPNSense instance. I tried setting up a VTI IPSec connection between the still-running EdgeRouter and the new OPNSense instance, but I haven't been able to get it usable.

The problem seems to be that the OPNSense gets traffic through the tunnel but doesn't send it to the ipsecN interface (and likewise, traffic from the inside network that should be routed to the other end of the IPSec tunnel doesn't enter the ipsecN interface).

The tunnel is up according to the VPN > IPSec > Status Overview page and I can see traffic arriving on the enc0 interface with tcpdump. However, tcpdump on the ipsec10 interface doesn't show any traffic.

I followed the guide at https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html to set up a new-style connection instead of the "legacy" style.

My home router is also an OPNSense instance and I've set up what I thought was an identical tunnel there without problems. Tcpdump shows traffic on both the enc0 and ipsecN.

I'm not sure how to troubleshoot this; I've gone through the guide a few times to see if I can find any discrepancy, but I'm not an advanced enough user of OPNSense to know what to do next.

Any hints?

Hello,

Have you read this thread? Maybe you have a problem with the reqid not matching or something. I've posted a detailed test configuration there.

https://forum.opnsense.org/index.php?topic=36254.0
Hardware:
DEC740

Hi Monviech and thanks for answering.

I have reqid=10 in the following two places:

VPN > IPSec > Virtual Tunnel interfaces > [the interface in question]

VPN > IPSec > Connections > [edit tunnel] > Children

Are there any more places I'm missing?

This is the only tunnel defined on this particular OPNSense instance.

I'm reading through the thread you linked now, will probably take me some time to parse the relevant info from it.

Quote from: ermitgilsukaru on January 08, 2024, 05:08:17 PM

The problem seems to be that the OPNSense gets traffic through the tunnel but doesn't send it to the ipsecN interface (and likewise, traffic from the inside network that should be routed to the other end of the IPSec tunnel doesn't enter the ipsecN interface).

The tunnel is up according to the VPN > IPSec > Status Overview page and I can see traffic arriving on the enc0 interface with tcpdump. However, tcpdump on the ipsec10 interface doesn't show any traffic.

https://docs.opnsense.org/manual/vpnet.html#route-based-vti

Quote
I followed the guide at https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html to set up a new-style connection instead of the "legacy" style.

Any hints?

Did you set static routes for the relevant networks?

Hi netnut.

Quote from: netnut
Did you set static routes for the relevant networks?

Yes, but aside from that, traffic destined for the other end of the VTI point-to-point subnet doesn't enter the ipsecN interface. That is, if I try to ping the EdgeRouter from the OPNSense I can't see the traffic on the encryption interfaces, neither enc0 nor ipsecN (pinging in the other direction shows traffic arriving on the enc0 interface on the OPNSense but not reaching the ipsecN interface).

You're using the "new-style" IPsec config, did you _uncheck_ the "Policies" flag at the child (Phase 2) config ?
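The two things raised in this thread, the reqid on the ipsecN interface having to match the reqid of the IKE child, and the child not installing its own policies for a route-based VTI, can be cross-checked from a shell on the firewall. The script below is an added example and not part of the thread or of OPNsense; it assumes that `ifconfig ipsecN` prints a `reqid: N` line (FreeBSD if_ipsec), that `swanctl --list-sas` prints child SAs as `name: #n, reqid N, INSTALLED, ...`, and that OPNsense renders the connection into `/usr/local/etc/swanctl/swanctl.conf` with `reqid = N` and `policies = yes|no` in the children block. The sample outputs embedded in it are constructed for the example; `live()` runs the real commands.

```python
"""Cross-check a route-based (VTI) IPsec child against its ipsecN interface.

Added example, not code from the forum thread or from OPNsense. Assumed
formats (verify on your own box): `ifconfig ipsecN` shows "reqid: N",
`swanctl --list-sas` shows "<child>: #<n>, reqid <N>, INSTALLED, ...", and
/usr/local/etc/swanctl/swanctl.conf carries "reqid = N" / "policies = yes|no"
inside children { }. The SAMPLE_* strings are constructed for the example.
"""
import re
import subprocess
from typing import Dict, List, Optional


def ifconfig_reqid(text: str) -> Optional[int]:
    """reqid bound to the if_ipsec interface, or None if the line is absent."""
    m = re.search(r"^\s*reqid:\s*(\d+)", text, re.M)
    return int(m.group(1)) if m else None


def sa_reqids(text: str) -> List[int]:
    """reqids of every INSTALLED child SA in `swanctl --list-sas` output."""
    return [int(x) for x in
            re.findall(r"^\s+\S+: #\d+, reqid (\d+), INSTALLED", text, re.M)]


def conf_children(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal swanctl.conf reader: {child_name: {key: value}} for each section
    nested directly under a children { } block. Handles the flat key = value
    layout OPNsense emits; it is not a full strongSwan config parser."""
    out: Dict[str, Dict[str, str]] = {}
    stack: List[str] = []
    cur: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([\w.-]+)\s*\{$", line)
        if m:
            stack.append(m.group(1))
            if len(stack) >= 2 and stack[-2] == "children":
                cur = m.group(1)
                out[cur] = {}
        elif line == "}":
            if stack and stack.pop() == cur:
                cur = None
        elif cur and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            out[cur][k] = v
    return out


def check_vti(ifconfig_out: str, sas_out: str, conf: str, child: str) -> List[str]:
    """Return a list of findings; an empty list means the three views agree."""
    findings: List[str] = []
    if_reqid = ifconfig_reqid(ifconfig_out)
    cfg = conf_children(conf).get(child, {})
    cfg_reqid = int(cfg["reqid"]) if cfg.get("reqid", "").isdigit() else None
    installed = sa_reqids(sas_out)
    if if_reqid is None:
        findings.append("interface shows no reqid (is it an if_ipsec interface?)")
    if cfg_reqid is None:
        findings.append(f"child '{child}' has no reqid in swanctl.conf")
    if if_reqid is not None and cfg_reqid is not None and if_reqid != cfg_reqid:
        findings.append(f"reqid mismatch: interface {if_reqid} vs child {cfg_reqid}")
    if cfg_reqid is not None and cfg_reqid not in installed:
        findings.append(f"no INSTALLED child SA with reqid {cfg_reqid} "
                        f"(installed: {installed or 'none'})")
    # strongSwan defaults policies to yes; a VTI needs it off ("Policies" unchecked)
    if cfg.get("policies", "yes").lower() not in ("no", "0", "false"):
        findings.append("child installs policies; for a VTI set policies = no")
    return findings


def live(ifname: str, child: str) -> List[str]:
    """Run the real commands on an OPNsense box (needs a root shell)."""
    def run(*argv: str) -> str:
        return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
    with open("/usr/local/etc/swanctl/swanctl.conf") as fh:   # assumed path
        conf = fh.read()
    return check_vti(run("ifconfig", ifname), run("swanctl", "--list-sas"), conf, child)


# Constructed sample outputs (RFC 5737 addresses), not captured from a real box.
SAMPLE_IFCONFIG = """\
ipsec10: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
\ttunnel inet 203.0.113.10 --> 198.51.100.20
\tinet 10.255.0.1 --> 10.255.0.2 netmask 0xfffffffc
\treqid: 10
"""
SAMPLE_SAS = """\
con1: #5, ESTABLISHED, IKEv2, 3f1a2b4c5d6e7f80_i 0a1b2c3d4e5f6071_r*
  local  'gw-a' @ 203.0.113.10[500]
  remote 'gw-b' @ 198.51.100.20[500]
  child1: #7, reqid 10, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    in  c4a1b2c3,   1204 bytes,    14 packets
    out c9d8e7f6,      0 bytes,     0 packets
"""
SAMPLE_CONF = """\
connections {
    con1 {
        remote_addrs = 198.51.100.20
        children {
            child1 {
                mode = tunnel
                reqid = 10
                policies = yes
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
            }
        }
    }
}
"""

if __name__ == "__main__":
    for f in check_vti(SAMPLE_IFCONFIG, SAMPLE_SAS, SAMPLE_CONF, "child1") or ["ok"]:
        print(f)
```

On a real box run it as `python3 vticheck.py` after replacing the `__main__` call with `live("ipsec10", "child1")`; the sample data reproduces the situation this thread ends on, where the reqids line up but the child still has `policies = yes`.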