OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Virtual private networks »
  • IPSec Hub and Spoke Topology
« previous next »
  • Print
Pages: [1]

Author Topic: IPSec Hub and Spoke Topology  (Read 591 times)

skacem

  • Newbie
  • *
  • Posts: 13
  • Karma: 0
    • View Profile
IPSec Hub and Spoke Topology
« on: June 23, 2024, 05:56:49 pm »
Hello

**********
we tried to configure the IPSec Hub To Spoke topology, with a Fortigate as Hub, and OPNsense as Spokes.
**********
the Hub contains a single Tunnel, so point to multipoint
we've configured the Tunnel interface IP as 10.1.1.1 and the peer IP as 10.1.1.254/24
Fortinet names the IP network of the Tunnel interfaces as Overlay, and recommends using the last network address not assigned to a Spoke like the Hub peer, but with the correct Overlay network mask.
**********
on the OPNsense Spokes side, we used Route-based IPsec (VTI)
Spoke1
Local Tunnel IP: 10.1.1.2
Remote Tunnel IP: 10.1.1.1
Spoke1
Local Tunnel IP: 10.1.1.3
Remote Tunnel IP : 10.1.1.1
**********
then, the 2 Tunnels connected normally
Spoke1 <--> Hub is Up Phase1 and Phase2
Spoke2 <--> Hub is Up Phase1 and Phase2
well-configured routing and rules
**********
Problem:
Spokes traffic (Spoke1 &Spoke2) --> Hub is OK
Hub traffic --> Spokes (Spoke1 &Spoke2) is NOT OK
**********
after a thorough diagnosis, the traffic (Spokes --> Hub) works because the Spokes know the IP address of the other end of the Tunnel, Spoke1 and Spoke2 know that IP 10.1.1.1 is their next hop
but for the Hub, after the Tunnels have been set up, it can't find out that the next-hop of the Tunnel with Spoke1 is 10.1.1.2 and that the next-hop of the Tunnel with Spoke2 is 10.1.1.3
**********
Fortinet requires the following command to be added to the Phase1 on both sides of the Tunnel for the Hub and Spokes
"set exchange-interface-ip enable"
Fortinet's definition of this command is
"The exchange-interface-ip option is enabled to allow the exchange of IPsec interface IP addresses. This allows a point to multipoint connection to the hub FortiGate."
**********
so as the Spokes don't send their IPSec Tunnel IP addresses, the Hub can't associate a next-hop for each Tunnel, and so the traffic (Hub --> Spokes) doesn't work.
**********
is there an equivalent command to "set exchange-interface-ip enable" on OPNsense so that the OPNsense Spoke sends its Tunnel IP Address to the fortigate Hub when the IPSec Tunnel is established?
**********

Thanks
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Virtual private networks »
  • IPSec Hub and Spoke Topology
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2