    Routed IPSEC - routing internet activity from one site to another

    IPsec
    gabacho4:

      I'm currently using an openvpn server and client connection (not openvpn site to site) to connect two locations to each other. Have just upgraded to 2.4.4 and really like the power of the new routed IPSEC option. What I cannot figure out is how I would take advantage of this feature to replace the openvpn setup I'm currently using. IPSEC affords me greater speed and better performance so I'd really like to use it versus openvpn (though I'll keep openvpn as a fallback). I haven't been able to find any articles on how to accomplish what I'm trying to do. Does anyone here have experience and/or know how I can make this work?

      Thanks in advance!

      jimp (Netgate developer):

        How are you doing it now with OpenVPN? It's likely very similar.

        The assigned IPsec interface gets you a gateway. You can use that gateway to policy route things. Match the local traffic with a rule (e.g. on LAN) that uses the IPsec gateway, then the user traffic will leave that interface. You'll either need outbound NAT to mask the source of traffic as the IPsec interface address or you can do NAT on the far side so long as it has a route back to the client subnet back over IPsec.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        gabacho4:

          @jimp thanks for the response. So the OpenVPN connection is essentially just what you noted. I have the OpenVPN interface and gateway created, rules on the OpenVPN tab that specify what source and destination subnet combinations to route, and NAT on the opposite end that allows traffic out to the world. I then set the gateway for the LAN or a VLAN network to use the OpenVPN gateway. All works great.

          From what you are saying then, I should just employ the exact same setup? Same or similar rules on the IPsec tab, select the IPsec gateway for my local LAN, and NAT for the IPsec subnet on the opposite end so that the traffic can reach the world?

          Apologies in advance if some of this is trivial. I am 100% self taught. While I'm mentally able to visualize a lot of this, I hit a wall from time to time.

          jimp:

            You wouldn't set rules on the OpenVPN (or IPsec) tab for traffic leaving your local network going to the far side. Those are probably unnecessary. Just outbound NAT and gateway on the LAN should do it.

            gabacho4:

              OK, I'll give that a try and see if something complains. Thanks for the sanity check.

              gabacho4:

                @jimp sorry to reappear but I've had no success tonight. I straight up cannot get the routed IPsec to actually route. Here's what I've got:

                1. Successful P1 and P2 connection between both locations. IPsec status shows connected with the IPs I've chosen for this connection. They do not overlap with local or remote subnet IP ranges.
                2. Created the interface.
                3. Have a "from any to any" IPsec rule with the VTI interface gateway selected as the gateway.
                4. Have outbound NAT for the local LAN subnet with the VTI interface as outbound interface. I'm not supposed to use the P2 IP subnet, right?
                5. For testing purposes I set a LAN rule for my laptop to use the VTI interface gateway.
                6. Enable the rule and my connection dies. Cannot browse the internet. Cannot get to remote subnets. Can only interact with local devices and the GUI.

                I use the ping tool to ping the opposite side using the VTI interface as the origin and all packets are lost. Seems to me like I've just plain got no route. At this point I've replicated everything I do for OpenVPN minus the CA and certs.

                Is there anything in the outline I've provided that doesn't look right? I'm beyond confused at this point.

                jimp:

                  #3 is wrong. You don't put a gateway on the IPsec tab rules. Make sure that isn't set on either side.

                  gabacho4:

                    @jimp continue to battle with this thing. One question I have comes from the online documentation where it says:

                    Though a tab appears for the assigned interface, traffic must be passed on the IPsec tab.

                    I only have the IPsec tab on both my boxes. No interface tab. This is unlike OpenVPN where I have the OpenVPN tab and one for my ExpressVPN interface. Is this right? Online documentation suggests configuration on the interface tab, but without it that's not possible.

                    jimp (replying to gabacho4):

                      The rules on the assigned IPsec interface tab had no effect, so we hid the tab to be less confusing. The doc you read was probably before that change was made.

                        gabacho4:

                        @jimp phew, I was banging my head trying to figure out what box I hadn't checked. So based on your expertise, if I purely just wanted to be able to connect to the remote network and devices, not push any non-internal network traffic across it (i.e. internet), I would create the connection using a subnet not part of the existing network, create the interface, set the IPsec tab firewall rule (all/all), then apply the gateway to an IP or subnet on my LAN or VLAN interfaces and that should have me routing? I don't need to do anything like the tunneled IPsec connection P2s, in which I define the routes? This has worked so easily for OpenVPN and the traditional tunnel IPsec setup I've done. I just can't see what's not right given how very similar it is to the OpenVPN connection.

                        gabacho4:

                          @jimp I'm happy to post screenshots if that helps. Didn't want to overstep any bounds. Am extremely thankful for your thoughts and don't want to appear to be trying to take advantage of you.

                          jimp:

                            I don't have a setup for it right now but during my initial testing one of the things I tried was routing Internet traffic across VTI and it worked. If I recall correctly what I did was:

                            • Setup a basic VTI connection between two systems (P1 between the peers, P2 set to VTI with an unused subnet)
                            • Assign the interface
                            • Set a rule on LAN matching client traffic to use the VTI gateway

                            The parts I can't remember if I did in this case are:

                            • Outbound NAT -- might be done on the client firewall side, or might be done on the firewall where the Internet traffic exits
                            • Static routes on each side so the LANs can reach each other -- this way each router knows how to get back to the other LAN

                            If you do the outbound NAT on the remote side where the Internet traffic will exit, then that end definitely needs a static route to get back to the client side LAN.

                              gabacho4:
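The two far-side checks jimp calls out, in his first reply and again in the summary above, are a static route back to the client LAN over the VTI and outbound NAT for that LAN on the Internet-exit firewall. The script below is an added example, not code from the thread or from Netgate: it runs those checks against constructed samples of FreeBSD `netstat -rn` and `pfctl -sn` output, so it executes offline, and on a real pfSense box the same functions can be fed the live command output. The VTI name ipsec1, the client LAN 192.168.10.0/24, the far-side WAN em0 and the VTI /30 10.250.0.0/30 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Netgate): sanity checks for the
# routed-IPsec (VTI) design, run against captured FreeBSD/pfSense output.
# Assumptions (not stated in the thread): VTI interface ipsec1, client LAN
# 192.168.10.0/24, far-side WAN em0, VTI transport /30 10.250.0.0/30.

# Constructed sample of `netstat -rn` on the far-side (Internet exit) firewall,
# with the static route for the client LAN pointing at the VTI peer address.
ROUTES_OK='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.0.0.0/24        link#2             U           em1
10.250.0.0/30      link#6             U        ipsec1
10.250.0.1         link#6             UHS         lo0
192.168.10.0/24    10.250.0.2         UGS      ipsec1
'
# The same table with the return route to the client LAN left out.
ROUTES_MISSING=$(printf '%s\n' "$ROUTES_OK" | grep -v '^192\.168\.10\.0/24')

# Constructed sample of `pfctl -sn` (loaded NAT rules) on the far side.
NAT_OK='nat on em0 inet from 10.0.0.0/24 to any -> 203.0.113.10/32 port 1024:65535
nat on em0 inet from 192.168.10.0/24 to any -> 203.0.113.10/32 port 1024:65535'
NAT_MISSING='nat on em0 inet from 10.0.0.0/24 to any -> 203.0.113.10/32 port 1024:65535'

# route_netif TABLE PREFIX: print the Netif of the route whose Destination is
# exactly PREFIX; if there is none, print the default route's Netif, which is
# where the kernel would send replies to that prefix (a covering supernet is
# not considered, so a more specific route is the only thing that satisfies it).
route_netif() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == want      { hit = $4 }
        $1 == "default" { def = $4 }
        END { print (hit != "" ? hit : def) }'
}

# check_return_route TABLE PREFIX VTI: succeed only if replies to PREFIX leave
# via the VTI instead of falling through to the default route.
check_return_route() {
    netif=$(route_netif "$1" "$2")
    [ "$netif" = "$3" ]
}

# check_outbound_nat NATRULES PREFIX WANIF: succeed if an outbound NAT rule on
# WANIF has PREFIX as its source (the RFC 1918 client LAN must be masked).
check_outbound_nat() {
    printf '%s\n' "$1" | awk -v src="$2" -v wan="$3" '
        $1 == "nat" && $3 == wan && $6 == src { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# audit_far_side TABLE NATRULES LANPREFIX VTI WANIF: run both checks, report
# what is missing, and return 0 only when the design is complete.
audit_far_side() {
    rc=0
    if ! check_return_route "$1" "$3" "$4"; then
        echo "MISSING: static route for $3 via $4 (replies would go out $(route_netif "$1" "$3"))"
        rc=1
    fi
    if ! check_outbound_nat "$2" "$3" "$5"; then
        echo "MISSING: outbound NAT on $5 for $3"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $3 is routed via $4 and NATed on $5"
    return "$rc"
}

# Run against the constructed samples; on a live box replace the samples with
# "$(netstat -rn)" and "$(pfctl -sn)".
audit_far_side "$ROUTES_OK" "$NAT_OK" 192.168.10.0/24 ipsec1 em0
audit_far_side "$ROUTES_MISSING" "$NAT_MISSING" 192.168.10.0/24 ipsec1 em0 || echo "far side incomplete"
```

The second run shows the failure mode from the thread: without the static route, un-NATed replies to 192.168.10.0/24 match only the default route and go out em0, never back through the VTI.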

                              @jimp watching your hangout right now. I'm up to the part where you made a static route and I think this is what I'm missing. Will know once I finish watching and give it a go on my own setup. Once I can get the two networks talking, then I'll try passing the internet traffic. I'll let you know how it goes. Many thanks for your assistance and the hangout!

                              gabacho4:

                                @jimp I've finished the hangout and finally have routing working. I feel like an idiot for not finding the hangout first. One final question: can I do static routes for multiple subnets on the remote end via the same VTI or do I need a separate one for each subnet?

                                jimp:

                                  It's all routed, so you can set up as many static routes as you want, or even use a routing protocol like OSPF or BGP. No need to specify the networks to carry in IPsec at all.
