IPsec site-to-site: traffic only in one direction

Started by wurmloch, March 06, 2021, 09:04:26 PM

Hi,

First of all, I must say that it is not my first IPsec config. But it's my first config with OPNsense.

Attached is the outline of my infrastructure. The configuration of the OPNsense A to C is the same, with the corresponding individual settings of IPs and remote subnets. The same applies to the firewall rules.

HOST A cannot reach (ping, rdp) HOST C
HOST B cannot reach (ping, rdp) HOST C
HOST C can reach (ping, rdp) HOST A
HOST C can reach (ping, rdp) HOST B

This is so strange, exasperating. I did not find any post / FAQ related to this behaviour, and I would really appreciate some hints / help!

Thank you,
Uwe

Is there a IPsec tunnel between all members (three tunnels) or is Net A routed through Net C to Net B (two tunnels)?

Sounds like you're missing some firewall rules on the ipsec group.
„The S in IoT stands for Security!" :)

2 tunnels:
A to C
B to C
I doublechecked firewall logs, no blocked packages.
Ping C to A goes through the tunnel
Ping A to C goes to upstream gateway of wan A and lost.

Thanks for your question!

Hi,

here are the firewall rules of "HOST C", some are automagically created. I added manually:
- IPsec "Allow traffic to LAN net"
- WAN "Allow NAT-T to WAN" due to a block of NAT-T in the WAN firewall logs

Rules at HOST A and B are correspondingly identical.

Still at a loss
Uwe


Quote from: wurmloch on March 07, 2021, 03:15:10 PM
here are the firewall rules of "HOST C", some are automagically created. I added manually:
Wow,

the last days IPsec on OPNsense C was disabled. I didn't want to keep it up while no time for testing.

Now, I switched it on again ... and all automatic generated IPsec related rules on the WAN interface are gone.

That's perfect, IPsec is what? Outdated, too complicated, nowhere in use? </sarcasm>
Sorry for that. I am not a software engineer. Therefore my contribution to this fine open source project is small.


OK, no solution.

I started from scratch and I chose the other path: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html

It worked from the beginning. If you have problems with packets not going through the tunnel, just change your config to a routed IPsec tunnel.

Just my 2 cents
Uwe
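The symptom reported earlier in the thread ("Ping A to C goes to upstream gateway of WAN A and lost") and the fix in the last post (switching to a routed tunnel) come down to where the forwarding decision is made. With policy-based IPsec the kernel checks the phase 2 traffic selectors (the SPD) before the routing table; a packet that matches no selector is simply routed, and on a gateway whose only route to the remote LAN is the default route that means it leaves the WAN in the clear. With a routed (VTI) tunnel the selectors are 0.0.0.0/0 and a static route to the remote subnet via the tunnel interface captures the traffic regardless of which local host sent it. The following toy model, added here as an illustration and not code from OPNsense, strongSwan or the thread, makes that difference concrete. All subnets, host addresses and interface names are constructed sample values, and the mis-scoped selector in the policy-based gateway is one hypothetical cause of the asymmetry, not the diagnosed cause of the poster's problem.

```python
"""Toy model of the outbound forwarding decision on an IPsec gateway.

Added illustration (not OPNsense/strongSwan code). Two modes are modelled:
  * policy-based: the SPD (phase 2 selectors) is consulted first; a packet
    matching no selector falls through to normal routing and, with only a
    default route, leaves via the upstream WAN gateway unencrypted.
  * route-based (VTI): the routing table decides; a static route to the
    remote subnet via the tunnel interface captures the traffic.
All addresses, prefixes and interface names below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Selector:
    """One phase 2 traffic selector pair (local subnet -> remote subnet)."""
    local: str
    remote: str

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.local)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.remote))


@dataclass
class Gateway:
    name: str
    selectors: list = field(default_factory=list)   # SPD entries (policy-based only)
    routes: dict = field(default_factory=dict)       # prefix -> egress (interface/next hop)
    default_gw: str = "wan_upstream"                 # where unmatched traffic ends up

    def forward(self, src: str, dst: str) -> str:
        """Return the egress chosen for a packet src -> dst."""
        # 1. Policy lookup: any matching phase 2 selector wins before routing.
        for sel in self.selectors:
            if sel.matches(src, dst):
                return f"ipsec:{sel.local}->{sel.remote}"
        # 2. Longest-prefix route lookup, falling back to the default gateway.
        best = None
        for prefix, egress in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, egress)
        return best[1] if best else self.default_gw


# Policy-based gateway A: the local selector covers only the first LAN.
# A host on a second LAN (10.1.5.0/24) is outside every selector, so its
# packets to site C are routed instead of encrypted. (Hypothetical cause.)
GW_A_POLICY = Gateway(
    name="A-policy",
    selectors=[Selector(local="10.1.0.0/24", remote="10.3.0.0/24")],
    routes={"10.1.0.0/24": "lan0", "10.1.5.0/24": "lan1"},
)

# Route-based gateway A: selectors are 0.0.0.0/0 on the tunnel, and a static
# route to C's LAN via the VTI interface does the capturing.
GW_A_ROUTED = Gateway(
    name="A-routed",
    selectors=[],
    routes={"10.1.0.0/24": "lan0", "10.1.5.0/24": "lan1", "10.3.0.0/24": "vti:ipsec1"},
)


def trace(gw: Gateway, src: str, dst: str) -> str:
    """Human-readable one-line trace used by the demo below."""
    return f"{gw.name}: {src} -> {dst} leaves via {gw.forward(src, dst)}"


if __name__ == "__main__":
    for gw in (GW_A_POLICY, GW_A_ROUTED):
        print(trace(gw, "10.1.0.10", "10.3.0.10"))   # host on the LAN the selector covers
        print(trace(gw, "10.1.5.10", "10.3.0.10"))   # host on the LAN it does not cover
```

Running the block shows the policy-based gateway sending the second host's traffic to wan_upstream while the routed gateway sends both through vti:ipsec1; reading the firewall logs alone would not reveal this, because the packet is never dropped, it is just routed somewhere else.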