IPSEC Nat 1 to 1 behind Router NAT

[renow]

Hello,

I'm trying to configure an IPSEC tunnel and need to use 1 to 1 NAT because local IP network exists in remote networks.

Configuration is as follow :

HQ : Local Network : 192.168.100.1/24 : (LAN) OPN (WAN) : 192.168.1.254 ------ Router 192.168.1.1 ------- WWW
Remote : 192.168.0.0/24 --- Public IP (WWW)

Need to configure an IPSEC with translation to 192.168.111.0/24 (local) and connected to 192.168.0.0/24 (remote)

So I have configured  :

- an IPSEC P2 for network 192.168.111.0/24 to 192.168.0.0/24
- a 1 to 1 NAT on IPSEC interface with external 192.168.111.0/24 for traffic from 192.168.0.0/24 to 192.168.0.0/24

incoming ICMP traffic from remote 192.168.0.0/24 net reach a client on 192.168.100.0/24 but reply isn't redirected in the IPSEC tunnel.

I think the problem is because of WAN NAT on 192.168.1.254 for outside.

I have tried too with an IP alias on LAN with 192.168.111.1/24 and NAT on this IP before the tunnel but it doesn't work.

Does anyone tell me wich configuration may be used in my configuration ?

Thanks for your help.
Regards,
Renaud.

[renow]

Finally, I'm able to have a functionnal IPSEC Natted with following configuration :

Phase 2 :

Type                    local Network          remote network
ESP IPv4 tunnel    192.168.111.0/24     192.168.0.0/24

1 to 1 NAT rules :

Interface    External IP            Internal IP           Destination IP
IPsec     192.168.111.0/24    192.168.0.0/24    192.168.101.0/24
IPsec    192.168.111.0/24    192.168.101.0/24    192.168.0.0/24     

and need to add manually SPD even with "192.168.101.0/24" in manual SPD of GUI

Code: [Select]

setkey -f spd.conf
with spd.conf

Code: [Select]

spdadd 192.168.101.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/[Local Public IP]-[Remote Public IP]/unique:2;
Nat from router isn't the problem, manual SPD of GUI isn't working for me...

maybe:
https://github.com/opnsense/core/issues/2173
https://github.com/opnsense/core/issues/1773