IPsec Site2Site VTI Setup for 23.1 - Improve doc

[Monviech]

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

• [x] I have read the contributing guide lines at https://github.com/opnsense/docs/blob/master/CONTRIBUTING.md
• [x] I have searched the existing issues and I am convinced that mine is new.

Describe the issue

I have tried to replicate the setup here: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html

Reason was this thread: https://forum.opnsense.org/index.php?topic=36254

I couldn't replicate a working setup easily with the docs. There seem to be a few missing configuration steps to make it easier.

( I have misread the IP addresses, so I edited this issue. I guess I was tired while reading the doc at first. I mixed up the transit network and the inner VTI tunnel IPs.)

Suggestions

As part of my trouble shooting I revised a working test setup, it's here: https://forum.opnsense.org/index.php?topic=36254.msg176819#msg176819

I would like to have a constructive conversation about it, compare it to the current documentation (maybe I also made mistakes somewhere or I understood something wrong) and then improve the current documentation with it's result.

Thank you :)

STATUS:

• [x] Collecting knowledge through extensive test setups and community feedback

https://forum.opnsense.org/index.php?topic=36254.0 https://forum.opnsense.org/index.php?topic=36376.0 https://forum.opnsense.org/index.php?topic=36319.0 https://forums.freebsd.org/threads/why-does-the-tunable-net-inet-ipsec-filtertunnel-change-the-pf-filter-nat-behavior-of-other-virtual-tunnel-interfaces-like-gre.90538/ https://forum.opnsense.org/index.php?topic=36381.0 https://forum.opnsense.org/index.php?topic=36456.0

• Traffic Selectors in VTI Child can be empty, since the SPD 0.0.0.0/0 is created by the VTI Device with reqid.
• Making reqid and child connection clearer
• Tunables change behavior of VTI, GRE etc... regarding packet filter and NAT
• Theres currently no way (multiple people tested it) to have enc0 and ipsec filtered and natted at the same time, even with tricks like GRE or VXLAN tunnels.
• Maybe it should be harder to totally lock yourself out by accidentally leaving "policies" in a child checked when creating a VTI tunnel.

PLAN:

• [ ] VTI IPsec tunnel with filter and SNAT
• [ ] GRE over IPsec Transport Mode with filter and SNAT
• [ ] Hunting down spots in the doc where "VTI can't match NAT"

[Monviech]

No I just was dumb, the setup in the doc is fine. I mean some points could be clearer but its generally working if you really concentrate on what you're doing. So I'm closing this issue. Sorry :)

[AdSchellevis]

@Monviech there's always room for improvements :) Tips are, as always, welcome

[Monviech]

@AdSchellevis Thanks for being open minded about it. I had the feeling I shot too fast this time. It was pretty hard for me to get it working, so maybe someone less familiar with the opnsense would have an even harder time. I'll think about it if I can improve this doc section if I have time. First I will write a community guide though and try to get feedback in the forum first. So I'm leaving this closed for now.

[Monviech]

@AdSchellevis I will work on improving the doc section about this. There are some unanswered questions. Talking with the user in the forum pointed to confusion about the reqid. It's only described in the VTI setup. But not that the same reqid has to be used in children.

Also I will add notes about SNAT into the VTI tunnel, since thats possible with the tunables, and also some caveats about it.

And maybe improve the readability a little bit so there's a complete test setup described.

• In the thread posted above in the issue there's a revised test setup, and also a SNAT setup with packet captures described.

[Monviech]

I put this on won't fix. I have too much on my plate right now and I don't want to block anyone else from adding things eventually.