Site2Site VPN with multiple Subnets on both sides

[ivoruetsche]

Hi members

Because we are no longer happy with the license politic from Cisco, we want to exchange all the ASA's with an alternative solution. At the moment, we evaluate also OPNsense. It very different than ASA, but it's nice, the frontend is fast and intuitive

But at the moment i stuck on this problem:
An side A we have around 25 subnets and VLAN's, on the side B around 5. No all of the subnets have to go through the tunnel, but the most of them.

I go through the steps on https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html, but i don't have any chance to setup more than one LAN-IP on the local and destination side.

Maybe it works with a group of interfaces for the local side, but not so for the destination. If i have to setup all as a combination with each other, i have to setup a lot of them.

What is the correct way to put this all in one phase 2 rule? There is an option "Mode":"Transport", but i can't find any documentation about, maybe this is the solutions?

gruss ivo

[franco]

Hi ivo,

I thought I replied to a similar thread. You simply create multiple phase 2 entries for your phase 1 for all subnet combinations.

Right now this creates a leftsubnet=firstsub,secondsub,... and rightsubnet=firstrsub,secondrsub,... tunnel configuration.

Some devices are incompatible with these meshed configurations so then each phase 2 needs a separate tunnel. We do not have this in OPNsense as of 16.7.4, but the development version supports it and I plan to bring it to 16.7.5 next week.


Cheers,
Franco