Route Based IPsec Limitation

Started by geotek, January 22, 2020, 04:53:25 PM

Scenario: Private LAN on Location A connected via OPNsense 19.7.9 to Internet. OPNsense has Route-Based IPsec tunnel to location B. Everything works as expected, except that the public IP of location B is now unreachable for hosts in private LAN of location A.

I assume that all traffic from LAN to the public IP of location B is erroneously sent via the Tunnel Gateway through the tunnel instead of being NATed to the standard default route.

Is this behaviour a general design flaw of Route-Based IPsec on OPNsense or can it be solved somehow?


More info with network addresses, please; it seems to me that the info in the first paragraph conflicts with the second.


Cheers,
Franco

Take this as an example:

Location A (OPNsense)
  LAN: 192.168.10.0/24
  Public IP: 1.1.1.1
  VPNGW1: 2.2.2.2
  Static Route: 192.168.20.0/24 => VPNGW1

Location B (Juniper SRX)
  LAN: 192.168.20.0/24
  Public IP: 2.2.2.2

The IPsec tunnel between LAN A and LAN B works fine, and so does NAT traffic from LAN to the Internet. So everything is fine, except that hosts on LAN A can't reach the public IP of Location B (2.2.2.2): neither ping nor any other port responds.

Since Juniper does route-based IPsec directly and does not have an OpenVPN-like transfer net, I have to set VPNGW1 to the public IP of site B.
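As an added illustration (not part of this thread and not OPNsense code), the following Python builds the location A routing table from the addresses posted above and runs a plain longest-prefix-match lookup over it. It shows what destination-based routing alone would do: 192.168.20.x is covered by the static route via VPNGW1, while 2.2.2.2 is not inside 192.168.20.0/24 and so falls to the default route, which is the apparent conflict Franco points at. It also includes a small sanity check for the one routing misconfiguration that would make the tunnel unreachable outright: a route that sends the peer's own public IP into the tunnel interface. The interface names (`wan`, `lan`, `ipsec1`) and the "ISP default gateway" label are assumptions for the example; the route table is constructed from the thread's addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str    # next hop, or "direct" for a connected network
    iface: str  # egress interface (names assumed for the example)


def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Constructed routing table for location A (OPNsense), from the thread's addresses.
ROUTES: List[Route] = [
    Route(_net("0.0.0.0/0"), "ISP default gateway (assumed)", "wan"),
    Route(_net("192.168.10.0/24"), "direct", "lan"),
    Route(_net("192.168.20.0/24"), "2.2.2.2 (VPNGW1)", "ipsec1"),
]

# Constructed counter-example: a route that covers the peer's public IP and
# points into the tunnel itself (this is NOT the table from the thread).
BAD_ROUTES: List[Route] = ROUTES + [
    Route(_net("2.2.2.0/24"), "2.2.2.2 (VPNGW1)", "ipsec1"),
]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins.

    Returns None when no route covers the destination (no default route).
    """
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr not in r.prefix:
            continue
        if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
            best = r
    return best


def tunnel_endpoint_recursion(routes: List[Route], endpoint: str, tunnel_iface: str) -> bool:
    """True when the route that would carry traffic to the IPsec peer's public IP
    egresses via the tunnel interface itself.

    In that case the tunnel must reach its own peer through itself, so the
    IKE/ESP traffic can never leave the box; the peer address must always be
    reachable over the underlay (here: the WAN default route).
    """
    r = lookup(routes, endpoint)
    return r is not None and r.iface == tunnel_iface


if __name__ == "__main__":
    for dst in ("192.168.20.5", "2.2.2.2", "192.168.10.7"):
        r = lookup(ROUTES, dst)
        print(f"{dst:>14} -> {r.prefix} via {r.via} on {r.iface}")
    print("peer reachable via tunnel only (thread table):",
          tunnel_endpoint_recursion(ROUTES, "2.2.2.2", "ipsec1"))
    print("peer reachable via tunnel only (bad table):   ",
          tunnel_endpoint_recursion(BAD_ROUTES, "2.2.2.2", "ipsec1"))
```

With the thread's table the lookup for 2.2.2.2 lands on the default route, so a plain routing-table decision would not push that traffic into the tunnel; if it still disappears there, the cause lies in something other than the static route and is what the thread asks about. The recursion check is the configuration review a practitioner would run first whenever the tunnel gateway is set to the peer's public IP, as described in the last post.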