OPNsense Forum » Archive » 17.7 Legacy Series » VPN with outbound NAT and multiple phase 2 entries
Topic: VPN with outbound NAT and multiple phase 2 entries (Read 7430 times)
David Fowler (Newbie, Posts: 2, Karma: 0)
VPN with outbound NAT and multiple phase 2 entries « on: March 26, 2018, 11:43:11 am »
I've been trying to get a VPN up and running between my site and a customer, with very little success. The phase 1 side is fine, as we're getting some level of connectivity. The issue lies with the five phase 2 entries. Put simply, I have yet to get more than one tunnel active at any time. If it's possible to connect to one remote endpoint, it's not possible to connect to any others.
There's an additional complication, which is outbound NAT. This is achieved using one-to-one NAT settings, plus a manual SPD entry in the phase 2 settings. So, a PC on 172.x.x.1 connects to the remote site as 10.x.x.9. I can see in the logs that all attempted communication is using the correct address, but only one remote address is contactable. A traceroute to the working address looks just as it should; to any of the others it stops at the firewall, so it looks as if the device simply doesn't know where to send it.
Right now I'm at the point of changing the IP range of our network (it's a one-PC subnet and not part of our main network) to match the value required for outbound NAT, and then drop the NAT and SPD entries on the OPNsense. I'm sure I shouldn't have to be doing this, but I need to get it working.
But it did occur to me that someone else may have seen this or a very similar problem, hence the post on here. All assistance very gratefully received!
franco (Administrator, Hero Member, Posts: 17473, Karma: 1587)
Re: VPN with outbound NAT and multiple phase 2 entries « Reply #1 on: March 27, 2018, 11:14:10 am »
Hi David,
Is this a Fortigate on the other end? Use IKEv2 and "Tunnel Isolation".
Cheers,
Franco
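As an added illustration, not taken from the thread or from OPNsense's generated configuration, here is the difference in strongSwan ipsec.conf terms between one connection carrying all five phase 2 subnets and Franco's suggestion of IKEv2 with an isolated tunnel per phase 2. All addresses and connection names are constructed placeholders, and the mapping of OPNsense's "Tunnel Isolation" setting onto one conn per phase 2 entry is my assumption.

```ini
# Constructed example; addresses are documentation ranges, not the poster's.
# The one-to-one NAT (172.x.x.1 -> 10.x.x.9 in the thread) is done by the
# packet filter; IPsec only needs the NATed address as its local selector,
# which is what the manual SPD entry in the phase 2 settings provides.

# Variant A: one conn, one child SA proposal listing every remote subnet.
# Some peers accept only the first traffic selector pair, so the first
# remote network comes up and traffic to the others dies at the firewall,
# which matches the traceroute symptom described in the original post.
conn customer
    keyexchange=ikev2
    left=%defaultroute
    leftsubnet=10.0.0.9/32
    right=203.0.113.10
    rightsubnet=192.0.2.0/24,192.0.2.128/25,198.51.100.0/24
    auto=route

# Variant B ("Tunnel Isolation", assumed mapping): one conn per phase 2
# entry. They share the IKE_SA (same left/right) but each remote subnet is
# negotiated as its own child SA, so a peer that rejects multi-selector
# proposals still brings up every tunnel.
conn customer-001
    keyexchange=ikev2
    left=%defaultroute
    leftsubnet=10.0.0.9/32
    right=203.0.113.10
    rightsubnet=192.0.2.0/24
    auto=route

conn customer-002
    keyexchange=ikev2
    left=%defaultroute
    leftsubnet=10.0.0.9/32
    right=203.0.113.10
    rightsubnet=192.0.2.128/25
    auto=route

conn customer-003
    keyexchange=ikev2
    left=%defaultroute
    leftsubnet=10.0.0.9/32
    right=203.0.113.10
    rightsubnet=198.51.100.0/24
    auto=route
```

Checking `ipsec statusall` (or the OPNsense IPsec status page) after the change should show one installed child SA per remote subnet rather than a single one; a missing entry identifies which phase 2 the peer is still rejecting.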
David Fowler (Newbie, Posts: 2, Karma: 0)
Re: VPN with outbound NAT and multiple phase 2 entries « Reply #2 on: April 06, 2018, 11:47:31 am »
Hi Franco,
Not entirely sure what's on the other end to be honest. Eventually I lost patience and changed the local IP subnet to match what was required by the remote networks - as there's only a virtual PC and the OPNsense on the subnet it wasn't too big a task!
Cheers,
David
franco (Administrator, Hero Member, Posts: 17473, Karma: 1587)
Re: VPN with outbound NAT and multiple phase 2 entries « Reply #3 on: April 07, 2018, 05:47:08 pm »
Ok, that works too.
Cheers,
Franco