
IPSec site to site


bruci3:
Hi guys,

I have set up IPsec site to site and it is currently connected (established), but things are not reachable.

SITE A
LAN
Cisco 3750 switch
Proxmox with VM OPNsense firewall/router (IPsec site to site tunnel)


SITE B
Debian Shorewall firewall (strongSwan IPsec site to site)
Cisco 3750 switch
LAN

So far, I can ping from any computer from Site A to Site B, excluding the OPNsense firewall.

So if I ping from the OPNsense firewall to Site B, I get a generated firewall log:

Interface  Source           Destination         Proto
WAN        SiteA Public IP  SiteB Local LAN IP  ICMP

Any ideas?

bruci3:
I am running tcpdump on my IPsec site to site interface.

If I ping from a computer in SiteA to SiteB it shows traffic for this successfully.

If I ping from my firewall in SiteA to SiteB, nothing shows up in tcpdump for the IPsec interface.

However, the firewall pings show up under the WAN interface instead which I think is the issue.

I assume this means that my Firewall pings to SiteB are not going through the Site to Site IPsec tunnel but exiting directly via WAN interface?

So how do I make the traffic from the firewall in SiteA to SiteB go through the IPSec site to site interface?

bruci3:
Ok I almost got this all working now.

Everything from SiteA can reach SiteB except for Firewall (from SiteA).

Everything from SiteB can reach SiteA no issues, even the firewall can reach SiteA firewall.

So only last issue is, the firewall on SiteA cannot reach anything on SiteB.

I suspect it's some weird NAT issue or a firewall rule I am missing.

Please help?

bruci3:
I found this guide here, which seems to be related to my exact issue:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html

So I created the GW and route which now seems to push the traffic from my firewall correctly over the IPSec tunnel.

However, it's still not working; it seems traffic from the firewall never leaves SiteA.

The only thing that I notice that might be causing this issue is below:

If I ping from a PC in SiteA to SiteB, tcpdump shows this:
16:26:44.926095 (authentic,confidential): SPI 0xc39181b2: IP 192.168.1.30 > 172.16.7.20: ICMP echo request, id 1, seq 5767, length 40
16:26:44.966963 (authentic,confidential): SPI 0xcbda3874: IP 172.16.7.20 > 192.168.1.30: ICMP echo reply, id 1, seq 5767, length 40

If I ping from the firewall in SiteA to SiteB, tcpdump shows this instead:
16:26:36.071993 (authentic,confidential): SPI 0xc39181b2: IP FirewallName.Domain > 172.16.7.20: ICMP echo request, id 64118, seq 1, length 64

So no echo reply. But it does not show the source as my firewall's IP, but rather the hostname of my firewall. Could this be causing the issue? If so, how do I change this to the IP address instead?
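As an added diagnostic example (not code from the thread or from OPNsense), the script below parses tcpdump lines in exactly the format quoted above and reports two things a practitioner would check first: which echo requests never got a matching reply, and which endpoints tcpdump printed as hostnames rather than addresses. The second point is not a bug in the tunnel: tcpdump resolves addresses to names by default and prints literal addresses when started with `-n`. The sample input is the poster's three lines re-used as constructed test data; `FirewallName.Domain` is the placeholder from the post, not a real host.

```python
import re
from ipaddress import ip_address

# Line format seen on the IPsec capture interface once ESP is decrypted:
# "<ts> (authentic,confidential): SPI <spi>: IP <src> > <dst>: ICMP echo <request|reply>, id <n>, seq <n>, length <n>"
ECHO_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) \(authentic,confidential\): "
    r"SPI (?P<spi>0x[0-9a-fA-F]+): IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), "
    r"length (?P<len>\d+)$"
)

# Constructed sample: the three capture lines quoted in the thread.
SAMPLE = """\
16:26:44.926095 (authentic,confidential): SPI 0xc39181b2: IP 192.168.1.30 > 172.16.7.20: ICMP echo request, id 1, seq 5767, length 40
16:26:44.966963 (authentic,confidential): SPI 0xcbda3874: IP 172.16.7.20 > 192.168.1.30: ICMP echo reply, id 1, seq 5767, length 40
16:26:36.071993 (authentic,confidential): SPI 0xc39181b2: IP FirewallName.Domain > 172.16.7.20: ICMP echo request, id 64118, seq 1, length 64
"""


def parse_echo(line):
    """Return a dict for one ICMP echo line, or None if the line is something else."""
    m = ECHO_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("id", "seq", "len"):
        d[k] = int(d[k])
    return d


def is_ip_literal(name):
    """True if tcpdump printed a bare address; False if it resolved a hostname."""
    try:
        ip_address(name)
        return True
    except ValueError:
        return False


def unanswered_echoes(text):
    """Return (src, dst, id, seq) for each echo request with no reply in the reverse direction."""
    requests = {}
    replies = set()
    for line in text.splitlines():
        pkt = parse_echo(line)
        if pkt is None:
            continue
        if pkt["kind"] == "request":
            requests[(pkt["src"], pkt["dst"], pkt["id"], pkt["seq"])] = pkt
        else:
            # A reply carries the same id/seq and travels dst -> src relative to the request.
            replies.add((pkt["dst"], pkt["src"], pkt["id"], pkt["seq"]))
    return [key for key in requests if key not in replies]


def resolved_names(text):
    """Endpoints shown as hostnames; re-run tcpdump with -n to see the real source address."""
    names = set()
    for line in text.splitlines():
        pkt = parse_echo(line)
        if pkt is None:
            continue
        for endpoint in (pkt["src"], pkt["dst"]):
            if not is_ip_literal(endpoint):
                names.add(endpoint)
    return sorted(names)


if __name__ == "__main__":
    for src, dst, ident, seq in unanswered_echoes(SAMPLE):
        print(f"no reply: {src} -> {dst} id={ident} seq={seq}")
    for name in resolved_names(SAMPLE):
        print(f"hostname shown instead of address: {name}")
```

On the sample this flags only the firewall-originated request (id 64118) as unanswered and lists `FirewallName.Domain` as an unresolved endpoint. Once the capture is repeated with `tcpdump -n`, the next check is whether the source address the firewall chose for its own packets actually falls inside the local traffic selector of the phase 2 / child SA; a request leaving on the correct SPI but from an address the remote side does not expect is a common cause of exactly this one-way pattern.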

bruci3:
I am convinced this is a bug of some sort.

I just set up a new site to site from OPNsense to an AWS site and everything can ping each other from both sides, but once again the only thing not working is pinging from the OPNsense firewall to anything in the AWS site.

I cannot see any logical reason this fails.
