Author Topic: outbound IPsec/L2TP from LAN, passing through opnsense, not possible?  (Read 4260 times)

maweber

  • Newbie
  • *
  • Posts: 19
  • Karma: 0
outbound IPsec/L2TP from LAN, passing through opnsense, not possible?
« on: July 30, 2016, 09:33:02 pm »
Hi all,
I'm struggling to connect from a Mac inside the LAN to an Internet IPsec/L2TP server (brand Zyxel).

I tested it successfully without the opnsense router in between (different net, different router).
I unsuccessfully tried without the automatic outbound NAT rules.
It seems the attempt doesn't write anything to the Firewall log.

We have a gateway failover installed.
DNS resolves right.

Any hints?

Thank you very much for your help!
best
Manu
Logged

Julien

  • Hero Member
  • *****
  • Posts: 651
  • Karma: 32
Re: outbound IPsec/L2TP from LAN, passing through opnsense, not possible?
« Reply #1 on: July 31, 2016, 02:36:02 pm »
Please provide more information.
Is your ISP router in bridge mode or not?
Firewall rules?
Logged
An intelligent man is sometimes forced to be drunk to spend time with his fool.

maweber

  • Newbie
  • *
  • Posts: 19
  • Karma: 0
Re: outbound IPsec/L2TP from LAN, passing through opnsense, not possible?
« Reply #2 on: July 31, 2016, 09:50:31 pm »
Quote from: Julien on July 31, 2016, 02:36:02 pm
Please provide more information.
Is your ISP router in bridge mode or not?
Firewall rules?

Connection: It's a biz fiber router with a static global subnet on opnsense WAN. I guess no special mechanics involved: bridged.

Firewall:
There are lots of rules; I think it would be better if I knew what to look for.
Do you know what ports are involved in L2TP/IPsec? I don't understand the multiphase concept enough, sorry.

I thought that since there are no blocked entries, it must have been by design (blocked IPsec passthrough because of opnsense's own IPsec ability, or so).

thanks
m
Logged

bartjsmit

  • Hero Member
  • *****
  • Posts: 1538
  • Karma: 166
Re: outbound IPsec/L2TP from LAN, passing through opnsense, not possible?
« Reply #3 on: July 31, 2016, 10:40:05 pm »
These are the standard IPSec/L2TP firewall rules:

Protocol: UDP, port 500 (for IKEv1/v2)
Protocol: UDP, port 4500 (for IKEv1/v2)
Protocol: UDP, port 1701 (for L2TP)

You shouldn't need the IPsec rules, since they're wrapped in L2TP, but they are:

Protocol: ESP, value 50 (for IPsec)
Protocol: AH, value 51 (for IPsec)

Bart...
Logged
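Added example, not from this thread or from OPNsense: a small Python audit that reads firewall log lines and reports, for each component in the rule set above (UDP 500, UDP 4500, UDP 1701, ESP, AH), whether traffic from the LAN was passed, blocked, or never seen at all, which is the question the original poster is stuck on. The field positions assume the pfSense-style filterlog CSV layout; the LAN interface name `em1` and the log lines are constructed sample data.

```python
# Components of an outgoing L2TP/IPsec session as the firewall sees them,
# keyed by (protocol name, destination port); None means "any port".
COMPONENTS = {
    ("udp", 500): "IKE",
    ("udp", 4500): "NAT-T",
    ("udp", 1701): "L2TP",
    ("esp", None): "ESP",
    ("ah", None): "AH",
}

# Field positions ASSUMED for the pfSense-style filterlog CSV
# (rulenr,subrulenr,anchor,tracker,iface,reason,action,dir,ipver,...).
# Verify against your own /var/log/filter.log before relying on them.
IFACE, ACTION, DIR, IPVER = 4, 6, 7, 8
PROTO_NAME, DST = 16, 19      # IPv4 layout
DST_PORT = 21                 # only present for tcp/udp

def parse_line(line):
    """Return a dict for one IPv4 log line, or None for non-IPv4 lines."""
    f = line.split(",")
    if f[IPVER] != "4":
        return None
    proto = f[PROTO_NAME].lower()
    port = int(f[DST_PORT]) if proto in ("tcp", "udp") else None
    return {"iface": f[IFACE], "action": f[ACTION], "dir": f[DIR],
            "proto": proto, "dst": f[DST], "dst_port": port,
            "component": COMPONENTS.get((proto, port))}

def audit(lines, lan_if="em1"):
    """Map each L2TP/IPsec component to the actions seen for LAN-ingress traffic."""
    status = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["component"] and rec["iface"] == lan_if and rec["dir"] == "in":
            status.setdefault(rec["component"], set()).add(rec["action"])
    return {name: sorted(status.get(name, {"not seen"})) for name in COMPONENTS.values()}

# Constructed sample log: IKE and NAT-T pass, ESP is blocked, L2TP/AH never appear.
SAMPLE_LOG = """\
7,16777216,,1000000107,em1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,1500,192.168.1.10,203.0.113.5,500,500,1480
7,16777216,,1000000107,em1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,1500,192.168.1.10,203.0.113.5,4500,4500,1480
3,16777216,,1000000103,em1,match,block,in,4,0x0,,64,0,0,none,50,esp,1500,192.168.1.10,203.0.113.5
""".splitlines()

if __name__ == "__main__":
    for component, actions in audit(SAMPLE_LOG).items():
        print(f"{component:6s} {', '.join(actions)}")
```

A component reported as "not seen" while earlier stages passed points at where the negotiation stalls; a "block" entry shows which of the rules above is still missing on the LAN interface.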
