Hub and Spoke VPN

Started by Marvin, August 19, 2020, 09:56:56 PM

Can OPNsense support Hub-and-Spoke VPN configuration?

Yes, absolutely.

Someone may even be able to tell you how if you provide more details  :)

Bart...

We are trying to replace an old system that has been doing this for years (but is no longer supported or updatable).

This system uses only one WAN interface (vtnet0).  It runs 2 IPsec tunnels and routes traffic between them with NAT.  One tunnel connects to a customer that insists on their remote side being 10.0.0.0/8, and the devices we connect to are very non-contiguous.  Obviously that 10.0.0.0/8 conflicts not only with our internal network structure but also with the NATing we must do for other customer VPNs.

So our solution has been (for many years) to run a separate VPN device that only serves this customer.  One IPsec tunnel to that customer with their 10.0.0.0/8, and one IPsec tunnel to our main system configured as we need it to be.  The traffic is then NATed, both individual IP to individual IP and subnet to subnet, and passed between the tunnels.

I have attempted to replicate this setup with OPNsense.  I can get both IPsec tunnels to run, but I cannot get traffic to NAT properly and route to the other tunnel.  All ports are unchanged; only the IPs are mapped.  Here is a very simplified drawing:

IPsec to us              NATing                                   IPsec to them
(local)                                                           (remote)
172.100.1.0/24    <===>  172.100.1.0/24 <-> 192.168.100.0/24  <===>  192.168.100.0/24
(remote)                                                          (local)
172.200.10.32/28  <===>  172.200.10.34  <-> 10.1.30.17        <===>  10.0.0.0/8
                         172.200.10.35  <-> 10.1.42.6
                         172.200.10.36  <-> 10.8.98.16

Any help with this would be appreciated.  Let me know if additional data would be useful.
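Added example, not code from the thread or from OPNsense: a small Python check of the NAT plan in the drawing above. It models the two kinds of mappings (subnet-to-subnet, which keeps the host bits, and 1:1 host mappings), translates addresses in both directions, and verifies that every translated address falls inside the phase-2 selector of the tunnel it has to leave through, which is the usual reason NATed traffic never makes it into the other tunnel. The table and the tunnel selectors are taken from the drawing; nothing else is assumed.

```python
from ipaddress import ip_address, ip_network

# Constructed from the drawing: (our-side prefix, their-side prefix).
# Equal prefix lengths: /24 <-> /24 keeps the host bits, /32 <-> /32 is 1:1.
BINAT = [
    (ip_network("172.100.1.0/24"),   ip_network("192.168.100.0/24")),
    (ip_network("172.200.10.34/32"), ip_network("10.1.30.17/32")),
    (ip_network("172.200.10.35/32"), ip_network("10.1.42.6/32")),
    (ip_network("172.200.10.36/32"), ip_network("10.8.98.16/32")),
]
# Phase-2 selectors of the two tunnels, as drawn.
TUNNEL_US = [ip_network("172.100.1.0/24"), ip_network("172.200.10.32/28")]
TUNNEL_THEM = [ip_network("192.168.100.0/24"), ip_network("10.0.0.0/8")]


def translate(addr, to_them=True):
    """Rewrite one address across the table; None if no entry covers it."""
    a = ip_address(addr)
    for ours, theirs in BINAT:
        src, dst = (ours, theirs) if to_them else (theirs, ours)
        if a in src:
            host_bits = int(a) - int(src.network_address)  # 0 for a /32 entry
            return ip_address(int(dst.network_address) + host_bits)
    return None


def check_plan():
    """Return a list of problems with the plan; an empty list means consistent."""
    problems = []
    for i, (ours, theirs) in enumerate(BINAT):
        if ours.prefixlen != theirs.prefixlen:
            problems.append(f"{ours} -> {theirs}: prefix lengths differ")
        # The untranslated side must match the tunnel to us, the translated
        # side must match the tunnel to them, or the packet has no SA to use.
        if not any(ours.subnet_of(n) for n in TUNNEL_US):
            problems.append(f"{ours} is not covered by the tunnel to us")
        if not any(theirs.subnet_of(n) for n in TUNNEL_THEM):
            problems.append(f"{theirs} is not covered by the tunnel to them")
        # Two entries claiming the same address on either side are ambiguous.
        for ours2, theirs2 in BINAT[i + 1:]:
            if ours.overlaps(ours2) or theirs.overlaps(theirs2):
                problems.append(f"{ours}->{theirs} overlaps {ours2}->{theirs2}")
    return problems


if __name__ == "__main__":
    print(translate("172.200.10.35"), translate("192.168.100.7", to_them=False))
    print(check_plan() or "plan is consistent")
```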

Did you follow the BINAT guide on how to do NAT in IPsec with OPN?