OPNsense Forum » English Forums » Virtual private networks » IPsec tunnel
Topic: IPsec tunnel (Read 754 times)
galymzhan (Newbie, Posts: 1, Karma: 0)
IPsec tunnel « on: October 23, 2023, 07:51:34 am »
Hello,
I'm currently working on setting up an IPsec tunnel between OPNsense and Cisco FTD, and I'm facing an issue. My goal is to pass multiple subnets through a single SPI on Cisco FTD, but it seems to have limitations in doing so.
I've configured separate IPsec tunnels for each subnet on OPNsense, each with a unique SPI. However, when trying to establish the connection, it appears that Cisco FTD doesn't handle multiple subnets through a single SPI.
Is there a workaround for this limitation? Should I create separate IPsec tunnels on the Cisco FTD side for each subnet, or is there a more efficient solution?
I appreciate any insights or guidance on resolving this issue.
Thank you!
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1601, Karma: 176)
Re: IPsec tunnel « Reply #1 on: October 23, 2023, 12:42:54 pm »
Can you explain your setup a bit more, maybe with a small network diagram?
In OPNsense (which uses strongSwan/charon with swanctl.conf), you can do:
- 1 connection (Phase 1) with multiple children (Phase 2), each of them having 1 traffic selector in remote and local.
  - e.g. child1 local 172.16.0.0/24 remote 192.168.0.0/24
  - e.g. child2 local 172.16.0.0/24 remote 192.168.0.0/24
  - e.g. child3 local 10.0.0.0/24 remote 192.168.1.0/24
- 1 connection (Phase 1) with all traffic selectors in a single child.
  - e.g. child1 local 172.16.0.0/24 10.0.0.0/24 remote 192.168.0.0/24 192.168.1.0/24
Those are the most obvious choices. Some IPsec endpoints want the first choice, some the second.
There's also the choice to create an IPsec VTI tunnel and route the nets with a transport network through a Virtual Tunnel Interface.
Hardware: DEC740
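The two layouts the reply describes, written out as swanctl.conf connections. This is an added example, not configuration from the thread or from OPNsense itself: OPNsense generates swanctl.conf from its IPsec settings, so this shows the shape each choice takes in that file rather than something to paste over the generated one. Peer addresses are constructed documentation ranges, and child1/child3 carry the two distinct selector pairs from the reply.

```conf
# Added example (not from the thread): the two swanctl.conf layouts
# Monviech describes. Addresses are constructed documentation ranges.
# Load only one of the two connections; both point at the same peer.
connections {
    # Choice 1: one IKE SA (Phase 1) with one child (Phase 2) per
    # selector pair. Each child negotiates its own ESP SAs, i.e. its
    # own SPI per direction. Most peers accept this layout.
    ftd-per-child {
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            child1 {
                local_ts  = 172.16.0.0/24
                remote_ts = 192.168.0.0/24
            }
            child3 {
                local_ts  = 10.0.0.0/24
                remote_ts = 192.168.1.0/24
            }
        }
    }
    # Choice 2: one IKE SA with one child carrying every selector, so
    # all subnet pairs share a single pair of ESP SAs (one SPI per
    # direction). Works only if the peer accepts several selectors
    # per CHILD_SA; otherwise it may narrow to the first pair only.
    ftd-single-child {
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            child1 {
                local_ts  = 172.16.0.0/24,10.0.0.0/24
                remote_ts = 192.168.0.0/24,192.168.1.0/24
            }
        }
    }
}
```

The pre-shared key lives in a separate `secrets` section that is left out here. After the tunnel is up, `swanctl --list-sas` shows whether the peer installed one CHILD_SA with all the selectors or narrowed it to a single pair, which is the quickest way to tell which of the two choices the remote side actually supports.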