VXLAN setup with IPsec same IP subnet

Started by vgsinno, April 10, 2024, 11:14:10 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
April 10, 2024, 11:14:10 AM Last Edit: April 10, 2024, 11:24:50 AM by vgsinno
Hi all,

I try to build a VPN tunnel with IPsec and VxLAN between 2 locations and bridge same IP subnet on both side.
At first i build a configuration like below and it worked just fine.

[PC 192.168.1.2]<->[192.168.1.1/24 Bridge OPT1+VxLAN][OPNsense A][OPT2 10.1.0.2/16]<->{ ipsec tunnel}-INTERNET-{ipsec tunnel}-[10.2.0.2/16 OPT2][OPNsense B][192.168.2.1/24 Bridge OPT1+VxLAN]<->[PC 192.168.2.2]

then I followed this instruction "Reply #4": https://forum.opnsense.org/index.php?topic=37182.msg182040#msg182040

[PC 192.168.1.3]<->[192.168.1.1/24 Bridge OPT1+VxLAN][OPNsense A][OPT2 10.1.0.2/16]<->{ ipsec tunnel}-INTERNET-{ipsec tunnel}-[10.2.0.2/16 OPT2][OPNsense B][192.168.1.2/24 Bridge OPT1+VxLAN]<->[PC 192.168.1.4]

it didn't worked

VxLAN edited like this on A:
Source address: 10.1.0.2
Remote address: 10.2.0.2

Hypervisor: Proxmox

Now I have few questions

1.
or doesn't matter?

2.Does the OPNsense support such configuration, if yes, where is the mistake or where did i forgot something?

Thanks :)
April 29, 2024, 05:02:56 PM #1
I have the same problem.

Opnsense support this configuration ?


Thanks
April 29, 2024, 05:25:52 PM #2 Last Edit: April 29, 2024, 05:28:14 PM by Monviech
Yeah you can do it easily with ipsec and a small trick.

- Create loopback interfaces on both sides.
- Create a policy based IPsec tunnel between the loopback interfaces.
- Create the vxlan interfaces and make them use the loopback interfaces to connect with each other over the ipsec tunnel.
- Adjust the MTU and MSS because vxlan and ipsec create protocol overhead.
-Bridge the vxlan interfaces and the LAN interfaces, use that bridge assigned to an interface. The tutorial how to create a transparent filtering bridge helps here.

With a aetup like that I have connected opnsenses with vxlan, but also created raspberry pis that bridged the lan of the main OPNsense directly out of their ports. So its all doable with some effort and tests. :)
Hardware:
DEC740
May 06, 2024, 03:50:20 PM #3

Finally !!!

thank you so much it worked ;D
May 08, 2024, 07:03:47 PM #4
Hi, Monviech,
you pointed out something interesting that I'd like to investigate. The raspberry pis bridged with opnsense.
Thank you for rising this up.
May 08, 2024, 07:08:40 PM #5
I have used CM4 with Waveshare 2 port boards. That worked really well, really good performance too, I think I got around 600mbit/s.
Hardware:
DEC740
May 08, 2024, 07:39:03 PM #6
Did you use Opnsense for RPi4 or some other router as OpenWRT ?
May 08, 2024, 07:41:20 PM #7
No I just used Ubuntu.
Hardware:
DEC740
May 08, 2024, 07:44:24 PM #8
Excellent, thank you and cheers...
Print
Go Up Pages1
User actions