Routed IPSEC - routing internet activity from one site to another
-
@jimp sorry to reappear but I've had no success tonight. I straight up cannot get the routed ipsec to actually route. Here's what I've got:
1. Successful P1 and P2 connection between both locations. IPsec status shows connected with the IPs I've chosen for this connection. They do not overlap with local or remote subnet IP ranges.
2. Created the interface.
3. Have a "from any to any" IPsec rule with the VTI interface gateway selected as the gateway.
4. Have outbound NAT for the local LAN subnet with the VTI interface as the outbound interface. I'm not supposed to use the P2 IP subnet, right?
5. For testing purposes I set a LAN rule for my laptop to use the VTI interface gateway.
6. Enable the rule and my connection dies. Cannot browse the internet. Cannot get to remote subnets. Can only interact with local devices and the GUI. I use the ping tool to ping the opposite side using the VTI interface as the origin and all packets are lost. Seems to me like I've just plain got no route. At this point I've replicated everything I do for OpenVPN minus the CA and certs.
Is there anything in the outline I've provided that doesn't look right? I'm beyond confused at this point.
-
#3 is wrong. You don't put a gateway on the IPsec tab rules. Make sure that isn't set on either side.
-
@jimp continue to battle with this thing. One question I have comes from the online documentation where it says:
Though a tab appears for the assigned interface, traffic must be passed on the IPsec tab.
I only have the ipsec tab on both my boxes. No interface. This is unlike openvpn where I have the OpenVPN tab and one for my Expressvpn interface. Is this right? Online documentation suggests configuration to the interface tab but without it that's not possible.
-
@ngoehring123 said in Routed IPSEC - routing internet activity from one site to another:
@jimp continue to battle with this thing. One question I have comes from the online documentation where it says:
Though a tab appears for the assigned interface, traffic must be passed on the IPsec tab.
I only have the ipsec tab on both my boxes. No interface. This is unlike openvpn where I have the OpenVPN tab and one for my Expressvpn interface. Is this right? Online documentation suggests configuration to the interface tab but without it that's not possible.
The rules on the assigned IPsec interface tab had no effect, so we hid the tab to be less confusing. The doc you read was probably before that change was made.
-
@jimp phew, I was banging my head trying to figure out what box I hadn't checked. So based on your expertise, if I purely just wanted to be able to connect to the remote network and devices, not push any non internal network traffic across it (i.e. internet), I would create the connection using a subnet not part of the existing network, create the interface, set the ipsec tab firewall rule (all/all), then apply the gateway to an ip or subnet on my lan or vlan interfaces and that should have me routing? I don't need to do anything like the tunneled ipsec connection p2s, in which I define the routes? This has worked so easily for openvpn and the traditional tunnel ipsec setup I've done. I just can't see what's not right given how very similar it is to openvpn connection.
-
@jimp I'm happy to post screenshots if that helps. Didn't want to overstep any bounds. Am extremely thankful for your thoughts and don't want to appear to be trying to take advantage of you.
-
I don't have a setup for it right now, but during my initial testing one of the things I tried was routing Internet traffic across VTI and it worked. If I recall correctly, what I did was:
- Setup a basic VTI connection between two systems (P1 between the peers, P2 set to VTI with an unused subnet)
- Assign the interface
- Set a rule on LAN matching client traffic to use the VTI gateway
The parts I can't remember if I did in this case are:
- Outbound NAT -- might be done on the client firewall side, or might be done on the firewall where the Internet traffic exits
- Static routes on each side so the LANs can reach each other -- this way each router knows how to get back to the other LAN
If you do the outbound NAT on the remote side where the Internet traffic will exit, then that end definitely needs a static route to get back to the client side LAN.
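As an added illustration of that last point (example code written for this thread, not part of pfSense or the original posts), here is a toy longest-prefix-match lookup for the remote side, with a constructed topology and constructed addresses, showing where site B sends its reply depending on where the outbound NAT is done and whether the static route back to the client LAN exists:

```python
import ipaddress

# Constructed topology (an assumption for this example, not from the thread);
# any three non-overlapping subnets work.
SITE_A_LAN = "192.168.10.0/24"   # client side, where the laptop lives
SITE_B_LAN = "192.168.20.0/24"   # side where the Internet traffic will exit
VTI_NET = "10.255.0.0/30"        # unused subnet chosen for the P2 / VTI addresses
VTI_A = "10.255.0.1"             # site A's end of the tunnel


class Router:
    """Minimal longest-prefix-match forwarding table (no policy routing)."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, via):
        self.routes.append((ipaddress.ip_network(prefix), via))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, via in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else None


def site_b(static_return_route):
    """Site B learns only the VTI subnet from the tunnel itself; it knows about
    site A's LAN only if a static route for it is added."""
    b = Router()
    b.add(SITE_B_LAN, "lan")
    b.add(VTI_NET, "vti")
    b.add("0.0.0.0/0", "wan")        # default route: the Internet
    if static_return_route:
        b.add(SITE_A_LAN, "vti")     # next hop VTI_A, reached via the vti interface
    return b


def reply_egress(nat_on_client_side, static_return_route, client="192.168.10.50"):
    """Interface site B uses to send back the reply for a client packet that was
    policy-routed over the VTI at site A and exited to the Internet at site B."""
    # Outbound NAT on site A's VTI interface rewrites the source to VTI_A, so the
    # reply is addressed to the tunnel address; otherwise to the LAN host itself.
    reply_to = VTI_A if nat_on_client_side else client
    return site_b(static_return_route).lookup(reply_to)
```

Without the static route, a reply to an un-NATed client address matches only the default route and leaves site B's WAN instead of the tunnel, which looks exactly like "no route" from the client side.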
-
@jimp watching your hangout right now. I'm up to the part where you made a static route and I think this is what I'm missing. Will know once I finish watching and give it a go on my own setup. Once I can get the two networks talking, then I'll try passing the internet traffic. I'll let you know how it goes. Many thanks for your assistance and the hangout!
-
@jimp I've finished the hangout and finally have routing working. I feel like an idiot for not finding the hangout first. One final question: can I do static routes for multiple subnets on the remote end via the same VTI, or do I need a separate one for each subnet?
-
It's all routed, so you can set up as many static routes as you want, or even use a routing protocol like OSPF or BGP. No need to specify the networks to carry in IPsec at all.