[SOLVED] Multi-WAN Broke IPSec VPN

Started by Adam.P, January 14, 2019, 05:00:01 PM

January 14, 2019, 05:00:01 PM Last Edit: February 05, 2019, 11:19:09 PM by franco
I have a customer with 3 locations. Everything was initially setup with OPNsense 17 with IPSec VPN setup between all three locations. Everything worked perfectly. A second WAN was added to one location. Since then I can only communicate with devices one way - devices in the other two offices can ping everything in every location. If I am in the office with 2 WAN connections, traffic will not route through the VPN. I can only communicate with devices on that local network.

I read in release notes that there were some routing fixes, so I've performed all updates to 18.7.10 and still am having the same problem. Anyone have any ideas?


Am I posting this in the wrong place or not including enough information?

You should really post some screenshots of Gateways, Tiering and Rules. Also outbound NAT. And don't forget to set a static route for the IPsec remote IP

January 22, 2019, 03:42:00 PM #4 Last Edit: January 22, 2019, 06:11:40 PM by Adam.P
Quote from: mimugmail on January 18, 2019, 07:42:44 PM
You should really post some screenshots of Gateways, Tiering and Rules. Also outbound NAT. And don't forget to set a static route for the IPsec remote IP

Thank you for the response.

Here are some screenshots: https://imgur.com/a/4ZKeRug

It's a pretty basic setup. I setup a single LAN/WAN, followed this article to setup the VPN:
https://wiki.opnsense.org/manual/how-tos/ipsec-s2s.html

Then followed this article to setup multi-wan:
https://wiki.opnsense.org/manual/how-tos/multiwan.html

Please let me know if I can provide anything else.

Thank you!

January 23, 2019, 10:09:25 PM #5 Last Edit: January 23, 2019, 10:51:16 PM by Adam.P
Quote from: mimugmail on January 18, 2019, 07:42:44 PM
And don't forget to set a static route for the IPsec remote IP

How do I create this static route? IPSec isn't an option when creating a route.

I already have these routes in the routing table which were automatically created by ipsec:
ipv4   10.128.120.0/24   173.8.42.14   US   97   1500   em1   WAN   
ipv4   10.128.121.0/24   173.8.42.14   US   5   1500   em1   WAN

I don't think they're being followed though. I tried running traceroute and it just reaches max hops and stops.

For the IPsec network you have to create an accept rule without a gateway above your routing rules

Quote from: mimugmail on January 24, 2019, 06:05:32 AM
For the IPsec network you have to create an accept rule without a gateway above your routing rules

You're referring to this rule, right?
https://imgur.com/a/YSSxs3j

No, for Multi-WAN you set it in the LAN rules tab like in the official docs

January 24, 2019, 04:45:37 PM #9 Last Edit: January 24, 2019, 05:00:23 PM by Adam.P
Quote from: mimugmail on January 24, 2019, 03:44:03 PM
No, for Multi-WAN you set it in the LAN rules tab like in the official docs

Are the wikis I linked above not official? I didn't see any mention of this in those documents... Can you link me to said document?

I tried creating this rule and it did not appear to help:
https://imgur.com/a/22WSwvt

"Remote_Networks" is an alias to 10.128.120/24 and 10.128.121/24


Quote from: mimugmail on January 24, 2019, 05:34:13 PM
Please post screenshots of LAN rules tab

That's exactly what the above screenshot is. I'll post the URL again: https://imgur.com/a/22WSwvt

Thank you!

Local DNS rule should be at the top, rest is fine
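
An added example (not code from the thread or from the OPNsense project) that models the first-match LAN rule evaluation mimugmail describes: a pass rule for the IPsec remote networks with no gateway must sit above the multi-WAN gateway rule, otherwise traffic for 10.128.120.0/24 and 10.128.121.0/24 is policy-routed out a WAN instead of following the routing table. The gateway group name WAN_Group and the local DNS address are assumptions.

```python
# Added example: simulate OPNsense "quick" (first-match) LAN rules and
# flag IPsec remote networks that would be forced to a WAN gateway.
import ipaddress

# Alias from the thread; WAN_Group and the DNS address are assumptions.
ALIASES = {"Remote_Networks": ["10.128.120.0/24", "10.128.121.0/24"]}

def _matches(dst, spec):
    """True if dst falls in spec (an alias name, a CIDR/host, or 'any')."""
    if spec == "any":
        return True
    nets = ALIASES.get(spec, [spec])
    return any(dst in ipaddress.ip_network(n) for n in nets)

def first_match(rules, dst):
    """Return the first rule whose destination matches dst, or None."""
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(dst, rule["dst"]):
            return rule
    return None

def policy_routed_remote_nets(rules):
    """Remote IPsec networks whose traffic would be sent to a gateway,
    i.e. policy-routed out a WAN instead of using the routing table."""
    bad = []
    for net in ALIASES["Remote_Networks"]:
        probe = next(ipaddress.ip_network(net).hosts())  # first host in net
        rule = first_match(rules, str(probe))
        if rule is not None and rule.get("gateway"):
            bad.append(net)
    return bad

# Order as advised in the thread: no-gateway rule above the gateway rule.
GOOD_RULES = [
    {"name": "local DNS", "dst": "192.168.1.1", "gateway": None},
    {"name": "IPsec remote", "dst": "Remote_Networks", "gateway": None},
    {"name": "multi-WAN", "dst": "any", "gateway": "WAN_Group"},
]
# Same rules with the multi-WAN rule placed first (the failure mode).
BAD_RULES = [GOOD_RULES[0], GOOD_RULES[2], GOOD_RULES[1]]

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        r = first_match(rules, "10.128.120.10")
        print(label, r["name"], r["gateway"], policy_routed_remote_nets(rules))
```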

January 24, 2019, 08:27:46 PM #13 Last Edit: January 24, 2019, 08:42:37 PM by Adam.P
Quote from: mimugmail on January 24, 2019, 07:45:28 PM
Local DNS rule should be at the top, rest is fine

I went ahead and moved it to directly below the anti-lockout rule. Thanks for that!

I just did some more testing after doing a states reset and found that I can communicate with the 10.128.121.0/24 network but still cannot communicate with the 10.128.120.0/24 network.

I'm not sure when that started working. Honestly, I've been doing most of my testing with the 120 network and assumed 121 still wouldn't work either.

I'm confused now. How would one work but not the other?

IPsec problem? You can do a packet capture on the enc interface and check if packets are leaving correctly. Also check the IPsec logs