IPsec vpn with ptp

Started by tbk49, Today at 04:48:21 PM

I want to run a ptp protocol over my IPsec connection. So supposing I have a configuration that looks like this:

- a loopback device with a private /32 ip used for the local ipsec ip
- a policy under children with local and remote pointing to that private ip's network (x.x.x.0/30)
- then add a GRE device and enter the loopback ip under the local address field and the remote ipsec ip of the peer under remote address, with tunnel local and tunnel remote as e.g. y.y.y.1 and y.y.y.2 on another private /30 network

Is that all I need to run gre over the ipsec tunnel?

Yeah running GRE over IPsec with loopback interfaces works. It's mostly the same as e.g., running vxlan over ipsec (minus the bridge)

https://docs.opnsense.org/manual/how-tos/vxlan_bridge.html
Hardware:
DEC740

Quote from: Monviech (Cedrik) on Today at 05:32:03 PM
Yeah running GRE over IPsec with loopback interfaces works. It's mostly the same as e.g., running vxlan over ipsec (minus the bridge)

https://docs.opnsense.org/manual/how-tos/vxlan_bridge.html

VXLAN might be something that comes later, but for now, my test case is very simple. Just IPsec and testing GRE.

I'm noticing an unusual behaviour where my peer device's GRE tunnel is inactive unless I ping it from the OPNsense side. This is causing trouble for devices on the peer's LAN when trying to contact the LAN on the OPNsense side, such as sending traffic out the default gateway on the peer, because the static route for the OPNsense LAN has the GRE interface set as its gateway.

Is this because I have misconfigured the IPsec tunnel to only "turn on" the IPsec channel when the OPNsense firewall has something it wants to send across it, rather than bidirectional/always-on between the two peers?

Try if the loopback interfaces can always ping each other through the tunnel.

If that's the case, it's not IPsec.

Some ping initiating something either sounds like the tunnel (a tunnel since it's two, to be more precise) is not up, a firewall state is missing, or traffic is misrouted.

What exactly it is is very hard to diagnose; I can just offer directions.
Hardware:
DEC740
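A layer-by-layer check along the lines suggested above (encrypted path first, then the GRE device, then routing and firewall state), written as an added example for the OPNsense/FreeBSD side and not code from this thread; the loopback and LAN addresses and the interface names are placeholders.

```shell
#!/bin/sh
# Layer-by-layer check for GRE over IPsec on the OPNsense (FreeBSD) side.
# Placeholder values (assumptions, not from the thread): lo1 carries the
# /32 IPsec endpoint, gre0 is the GRE device, 192.168.2.0/24 is the peer LAN.
LOCAL_LO=10.10.10.1      # local loopback /32, IPsec endpoint
PEER_LO=10.10.10.2       # peer loopback, inside the child policy /30
GRE_IF=gre0
REMOTE_LAN=192.168.2.0   # network reached via the static route over GRE

# Read `ifconfig greN` output on stdin; print "up" when the device is
# UP+RUNNING and has tunnel endpoints, otherwise print the reason.
gre_state() {
    text=$(cat)
    case "$text" in
        *"tunnel inet "*) ;;
        *) echo "no-tunnel-endpoints"; return 1 ;;
    esac
    case "$text" in
        *"<UP,"*RUNNING*) echo "up"; return 0 ;;
        *) echo "not-running"; return 1 ;;
    esac
}

# Read `route -n get DEST` output on stdin; print the egress interface.
route_iface() {
    sed -n 's/^ *interface: *//p'
}

# Run the checks in dependency order; the first failing layer is the one
# to fix. Exit code identifies the layer (1 IPsec, 2 GRE, 3 routing).
run_checks() {
    # 1. Encrypted path: loopback to loopback must answer (no SA, no GRE).
    ping -c 3 -S "$LOCAL_LO" "$PEER_LO" >/dev/null 2>&1 \
        || { echo "peer loopback unreachable: check IPsec child SA/policy"; return 1; }
    # 2. GRE device configured and running on top of that path.
    st=$(ifconfig "$GRE_IF" 2>/dev/null | gre_state) \
        || { echo "$GRE_IF: $st (check tunnel local/remote addresses)"; return 2; }
    # 3. Static route for the peer LAN must leave via the GRE device.
    ifc=$(route -n get "$REMOTE_LAN" 2>/dev/null | route_iface)
    [ "$ifc" = "$GRE_IF" ] \
        || { echo "route to $REMOTE_LAN uses '${ifc:-none}', not $GRE_IF"; return 3; }
    # 4. pf state for the GRE carrier (protocol 47) toward the peer; absence
    #    means it was blocked or nothing has been sent yet (state format assumed).
    pfctl -ss 2>/dev/null | grep -q "gre .*$PEER_LO" \
        || echo "no pf state for GRE to $PEER_LO yet"
    echo "IPsec, GRE and routing look consistent"
}
if [ "${1:-}" = "run" ]; then run_checks; fi
```

Run it as `sh check_gre.sh run` on the OPNsense host; the exit code tells you which layer to look at first.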

Today at 07:23:40 PM #4 Last Edit: Today at 07:40:29 PM by tbk49
Quote from: Monviech (Cedrik) on Today at 05:55:28 PM
Try if the loopback interfaces can always ping each other through the tunnel.

If that's the case, it's not IPsec.

Some ping initiating something either sounds like the tunnel (a tunnel since it's two, to be more precise) is not up, a firewall state is missing, or traffic is misrouted.

The loopbacks can ping each other as long as the IPsec tunnel is established, because it is the IP of each device's loopback that is used as the IPsec endpoint for each side.

Does anything need to be NAT'ed? The peer is requesting NAT-T and I am not pushing any subnets to it from the firewall, except a DNS address. I was intending to just add a static route to each side so the relevant subnets could contact each other via each side's GRE tunnel.

Also, does it matter that each peer isn't using the same VLANs for their LAN-side networks or is this irrelevant?