OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 23.1 Legacy Series »
  • Routing between 2 site vpn networks (Zyxel nebula and tinc vpn) over VTI tunnel.
« previous next »
  • Print
Pages: [1]

Author Topic: Routing between 2 site vpn networks (Zyxel nebula and tinc vpn) over VTI tunnel.  (Read 1115 times)

JonasBesbrugge

  • Newbie
  • *
  • Posts: 7
  • Karma: 1
    • View Profile
Routing between 2 site vpn networks (Zyxel nebula and tinc vpn) over VTI tunnel.
« on: June 27, 2023, 04:45:31 pm »
Hi all,

I try to make vpn connection to connect 2 vpn site networks.

1 is zyxel-nebebula (192.168.225.0/24; 192.168.195.0/24)
1 is Tinc vpn on opnsense. (192.168.224.0/24; 192.168.223.0/24)
   

Between the 2 I have set up an VTI-ipsec tunnel and I can route traffic to both ends of this tunnel. 192.168.224.0/24 <---> 192.168.225.0/24
Form te Nebula sitewide network can access the GW/FW. I created policy based routes.
192.168.195.0/24  192.168.224.0/24
What does not work jet is,  that  I can't acces my zyxel GW/FW the form tinc vnp network.
192.168.223.0/24 <---> 192.168.225.0/24

My plan on the 224.254 GW/FW was to  :
  • assing interface on tinc (Dynamic gateway policy y/n ?)
  • create a gateway
  • setup the policy based route form 223 to 225 networks
I add the far site (225) network on the tinc host subnet.

Is this idea correct? Or am i missing someting?
See my schema for more context.

kind regards
Logged

userbenutzer

  • Newbie
  • *
  • Posts: 18
  • Karma: 0
    • View Profile
Re: Routing between 2 site vpn networks (Zyxel nebula and tinc vpn) over VTI tunnel.
« Reply #1 on: June 27, 2023, 08:24:34 pm »
I dont understand your picture, sorry.

But i think policy based and VTI is not correct.

If you want to connect the 2 networks then it can be policy based and you have to setup the mode to "tunnel" in phase 2.

If you want to route over the networks (reach another network behind) you have to set the mode "route based" and then you have a VTI (Virtual Tunnel Interface) only for the ipsec. Then you also have to add a gateway and set routes on both sides. And make sure you have unchecked policy based in phase 1.
Logged

danderson

  • Full Member
  • ***
  • Posts: 107
  • Karma: 9
    • View Profile
Re: Routing between 2 site vpn networks (Zyxel nebula and tinc vpn) over VTI tunnel.
« Reply #2 on: June 27, 2023, 09:36:11 pm »
exactly this, you are talking 2 different types of VPNs.   VTI would be required on both sides and then a return route added on both sides or use dynamic routing w/BGP or OSPF.

If policy based then you need to set the policies on both sides so that the correct traffic gets tunneled.

Quote from: userbenutzer on June 27, 2023, 08:24:34 pm
I dont understand your picture, sorry.

But i think policy based and VTI is not correct.

If you want to connect the 2 networks then it can be policy based and you have to setup the mode to "tunnel" in phase 2.

If you want to route over the networks (reach another network behind) you have to set the mode "route based" and then you have a VTI (Virtual Tunnel Interface) only for the ipsec. Then you also have to add a gateway and set routes on both sides. And make sure you have unchecked policy based in phase 1.
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 23.1 Legacy Series »
  • Routing between 2 site vpn networks (Zyxel nebula and tinc vpn) over VTI tunnel.
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2