Routing between 2 site VPN networks (Zyxel Nebula and tinc VPN) over VTI tunnel.

Started by JonasBesbrugge, June 27, 2023, 04:45:31 PM

Hi all,

I am trying to make a VPN connection to connect 2 VPN site networks.

One is Zyxel Nebula (192.168.225.0/24; 192.168.195.0/24).
One is Tinc VPN on OPNsense (192.168.224.0/24; 192.168.223.0/24).

Between the 2 I have set up a VTI IPsec tunnel and I can route traffic to both ends of this tunnel: 192.168.224.0/24 <---> 192.168.225.0/24
From the Nebula site-wide network I can access the GW/FW. I created policy-based routes:
192.168.195.0/24 192.168.224.0/24
What does not work yet is that I can't access my Zyxel GW/FW from the tinc VPN network.
192.168.223.0/24 <---> 192.168.225.0/24

My plan on the 224.254 GW/FW was to:

  • assign an interface on tinc (Dynamic gateway policy y/n?)
  • create a gateway
  • set up the policy-based route from the 223 to the 225 networks

I add the far site (225) network on the tinc host subnet.

Is this idea correct? Or am I missing something?
See my schema for more context.

Kind regards

I don't understand your picture, sorry.

But I think policy-based and VTI is not correct.

If you want to connect the 2 networks then it can be policy-based and you have to set up the mode to "tunnel" in phase 2.

If you want to route over the networks (reach another network behind) you have to set the mode "route-based" and then you have a VTI (Virtual Tunnel Interface) only for the IPsec. Then you also have to add a gateway and set routes on both sides. And make sure you have unchecked policy-based in phase 1.

Exactly this, you are talking about 2 different types of VPNs. VTI would be required on both sides and then a return route added on both sides, or use dynamic routing w/BGP or OSPF.

If policy-based then you need to set the policies on both sides so that the correct traffic gets tunneled.
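The point both replies make, that a route-based (VTI) setup only works when each side also has a route back, can be checked on paper before touching the boxes. The Python model below is an added example, not code from the thread, OPNsense or Zyxel: it does longest-prefix-match lookups across three constructed gateways (tinc remote, OPNsense, Zyxel) and traces a flow in both directions, so a missing return route shows up as a one-way path. The transit /30s, the interface addresses and the absent Zyxel route for 192.168.223.0/24 are assumptions for illustration.

```python
import ipaddress

IPv4Network, IPv4Address = ipaddress.IPv4Network, ipaddress.IPv4Address

class Router:
    """Gateway with interface addresses (a.b.c.d/len) and static routes (prefix -> next hop)."""
    def __init__(self, name, interfaces, routes=None):
        self.name = name
        self.interfaces = [ipaddress.IPv4Interface(i) for i in interfaces]
        self.routes = {IPv4Network(p): IPv4Address(n) for p, n in (routes or {}).items()}

    def lookup(self, dst):
        """Longest-prefix match: (len, None) if connected, (len, next_hop) via a route, None if no route."""
        dst, best = IPv4Address(dst), None
        for i in self.interfaces:
            if dst in i.network and (best is None or i.network.prefixlen > best[0]):
                best = (i.network.prefixlen, None)
        for p, nh in self.routes.items():
            if dst in p and (best is None or p.prefixlen > best[0]):
                best = (p.prefixlen, nh)
        return best

def trace(routers, src, dst, max_hops=8):
    """Follow next hops from the router attached to src; list of router names, or None if a hop has no route."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    cur = next((r for r in routers if any(src in i.network for i in r.interfaces)), None)
    path = []
    for _ in range(max_hops):
        if cur is None:
            return None
        path.append(cur.name)
        hit = cur.lookup(dst)
        if hit is None:
            return None
        if hit[1] is None:           # dst is directly connected here: delivered
            return path
        # the next hop is the router that owns that exact interface address (VTI or tinc peer)
        cur = next((r for r in routers if any(i.ip == hit[1] for i in r.interfaces)), None)
    return None

def both_ways(routers, a, b):
    """Forward and return reachability: a route-based tunnel needs routes on both ends."""
    return trace(routers, a, b) is not None, trace(routers, b, a) is not None

# Constructed topology; the transit /30s (10.1.0.0/30 for tinc, 10.0.0.0/30 for the VTI) are assumptions.
tinc_remote = Router("tinc-remote", ["192.168.223.1/24", "10.1.0.2/30"], {"0.0.0.0/0": "10.1.0.1"})
opnsense = Router("opnsense", ["192.168.224.254/24", "10.1.0.1/30", "10.0.0.1/30"],
                  {"192.168.223.0/24": "10.1.0.2", "192.168.225.0/24": "10.0.0.2", "192.168.195.0/24": "10.0.0.2"})
zyxel = Router("zyxel", ["192.168.225.1/24", "192.168.195.1/24", "10.0.0.2/30"],
               {"192.168.224.0/24": "10.0.0.1"})      # no return route for 192.168.223.0/24 yet
topology = [tinc_remote, opnsense, zyxel]
```

`both_ways(topology, "192.168.223.10", "192.168.225.1")` returns `(True, False)` as built; adding `192.168.223.0/24 via 10.0.0.1` to the Zyxel router makes it `(True, True)`.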

Quote from: userbenutzer on June 27, 2023, 08:24:34 PM
I don't understand your picture, sorry.

But I think policy-based and VTI is not correct.

If you want to connect the 2 networks then it can be policy-based and you have to set up the mode to "tunnel" in phase 2.

If you want to route over the networks (reach another network behind) you have to set the mode "route-based" and then you have a VTI (Virtual Tunnel Interface) only for the IPsec. Then you also have to add a gateway and set routes on both sides. And make sure you have unchecked policy-based in phase 1.