IPsec Site-to-Site - no access from OPNsense service

Started by Tubs, May 03, 2020, 11:15:00 AM

Hello,

I assume I have a routing or firewall issue on the OPNsense side, but I am running out of ideas where to search.

Under OPNsense I have set up a site-to-site VPN with IPsec. On the OPNsense side it is connected to the DMZ interface and its network. On the remote site it is connected to a single host and the routed network.

DMZ (192.168.10.0/24) --> IPSec ------------> libreswan --> centos host (10.10.1.1/24)

What is not working is a connection from a service on OPNsense to the remote host. To be precise, I cannot reach the remote host via the RFC2136 plugin to do DNS updates on port 53/udp.

The firewall allows everything from the DMZ network to the routed network. Connections between devices in the DMZ network and the remote host are working. From within the DMZ network I can reach my target port. So all is fine on the remote side.

Hi,

Have you run a tcpdump on the remote machine and on both IPsec peers to check whether those DNS updates are being encapsulated / allowed?

Thanks for the help.

I do not know how to use tcpdump in a way that would be helpful.

But my problem is solved; it is working now. I did not really change anything, at least not on purpose. But after rebooting both machines it is working as expected. No idea what was wrong.

I will observe if this now is running stable.

OPNsense will use its WAN IP when it tries to reach an IP inside the tunnel.
Two options: either you let the service know that it has to open connections with the LAN IP (when the daemon supports it), or you add a second SA to the tunnel with your WAN IP/32 as the left network.
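The point made in the post above is a traffic-selector mismatch: a policy-based IPsec tunnel only encrypts packets whose source and destination both fall inside a phase-2 (SA) selector pair, and a packet the firewall itself originates from its WAN address is outside the DMZ/24 selector, so it never enters the tunnel. The following added example (not code from the thread or from OPNsense) models that selector check and shows both fixes the post names: sourcing from the DMZ interface address, or adding a WAN-IP/32 SA. The 192.168.10.0/24 DMZ and the 10.10.1.0/24 remote network are taken from the thread; the WAN address 203.0.113.5, the DMZ host 192.168.10.20 and the interface address 192.168.10.1 are constructed placeholders.

```python
"""Why firewall-originated traffic can miss a policy-based IPsec tunnel.

A phase-2 entry (one SA pair) is a pair of traffic selectors: local network
and remote network. Outbound traffic is handed to IPsec only if src is inside
the local selector AND dst is inside the remote selector. Anything else is
handled by ordinary routing and never sees the tunnel.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Phase2:
    """One phase-2 traffic-selector pair (what OPNsense calls an SA entry)."""
    name: str
    local: ipaddress.IPv4Network   # 'left' network on the OPNsense side
    remote: ipaddress.IPv4Network  # 'right' network behind the libreswan peer


def net(cidr: str) -> ipaddress.IPv4Network:
    # strict=False lets a host address like 10.10.1.1/24 stand for its network
    return ipaddress.ip_network(cidr, strict=False)


def matching_sa(policies: List[Phase2], src: str, dst: str) -> Optional[str]:
    """Return the name of the first SA whose selectors cover src->dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if s in p.local and d in p.remote:
            return p.name
    return None


def classify(policies: List[Phase2], src: str, dst: str) -> str:
    """Human-readable verdict for one outbound packet."""
    sa = matching_sa(policies, src, dst)
    if sa:
        return f"{src} -> {dst}: matches SA '{sa}', encrypted into the tunnel"
    return f"{src} -> {dst}: no SA selector matches, left to normal routing (never tunnelled)"


# Constructed scenario from the thread: DMZ 192.168.10.0/24 behind OPNsense,
# remote routed network 10.10.1.0/24 (the host 10.10.1.1/24 is in it).
REMOTE_NET = net("10.10.1.0/24")
WAN_IP = "203.0.113.5"          # placeholder WAN address of the firewall
DMZ_IF_IP = "192.168.10.1"      # placeholder DMZ interface address
DMZ_HOST = "192.168.10.20"      # placeholder host inside the DMZ
REMOTE_DNS = "10.10.1.1"        # the RFC2136 target from the thread

# The tunnel as originally configured: a single DMZ -> remote SA.
ORIGINAL = [Phase2("dmz-to-remote", net("192.168.10.0/24"), REMOTE_NET)]

# Fix option 2 from the post: a second SA whose 'left' network is WAN_IP/32.
FIXED = ORIGINAL + [Phase2("wan-host-to-remote", net(WAN_IP + "/32"), REMOTE_NET)]


if __name__ == "__main__":
    for label, pol in (("original tunnel", ORIGINAL), ("with WAN/32 SA added", FIXED)):
        print(label)
        # A DMZ host, the firewall sourcing from its WAN IP (the reported
        # failure), and the firewall sourcing from its DMZ address (fix option 1).
        for src in (DMZ_HOST, WAN_IP, DMZ_IF_IP):
            print("  " + classify(pol, src, REMOTE_DNS))
```

Running it shows the DMZ host and the DMZ interface address matching the original SA while the WAN-sourced packet matches nothing; only after the WAN/32 entry is added does the firewall's own traffic get a matching selector. In practice the same check is what a tcpdump on the WAN interface would reveal: plaintext UDP/53 leaving toward 10.10.1.1 instead of ESP to the peer.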

Thank you.
This now will help to search or setup in the right direction.