Author Topic: IPSec S2S and NAT Problem  (Read 3100 times)

GaardenZwerch

IPSec S2S and NAT Problem
« on: February 19, 2019, 01:10:06 pm »
Hi,

I want to set up a Site-2-Site Tunnel, between OPNSense and a third party.
My local Network is 192.168.0.0/24 but the third party requires that I use 10.203.207.0/24
Changing IPs at my side is not an option, as it is not really up to me.

The IPSec tunnel is up and running, and if I put a virtual IP of 10.203.207.1 on my local interface, I can ping the other side (ping -S 10.203.207.1 172.16.0.100 works, and I see the traffic on the enc0 interface).


Code:
172.16.0.0/16[any] 10.203.207.0/24[any] any
in ipsec
esp/tunnel/1.2.3.4-4.3.2.1/unique:6
created: Feb 19 12:37:34 2019  lastused: Feb 19 12:37:34 2019
lifetime: 9223372036854775807(s) validtime: 0(s)
spid=69 seq=2 pid=20879 scope=global
refcnt=1
10.203.207.0/24[any] 172.160.0.0/16[any] any
out ipsec
esp/tunnel/4.3.2.1-1.2.3.4/unique:6
created: Feb 19 12:37:34 2019  lastused: Feb 19 12:37:34 2019
lifetime: 9223372036854775807(s) validtime: 0(s)
spid=70 seq=0 pid=20879 scope=global
refcnt=1


Now I need to set up NAT, such that traffic from my LAN (192.168.0.0/24) appears to come from 10.203.207.0/24 before it goes into the tunnel.


  • When I add 192.168.0.0/24 to the 'Manual SPD entries' in phase two, this causes the traffic to be thrown into the IPSec tunnel (I see it on enc0, but the source is not modified). I have tried with outbound NAT rules on all possible devices: WAN, LAN and IPSec.
  • When I clear the 'Manual SPD entries', traffic never enters the tunnel, but I manage to get the wanted translation (I see traffic as originating from 10.203.207.0/24 on the WAN interface).
  • I have tried one-to-one NAT, no success

Any hints would be greatly appreciated!
  • I am pretty sure I had this working last year when I evaluated OPNSense with an earlier release. Did something change?
  • Is outbound NAT the right place to do this, and if so, on what interface? IPSec, WAN or LAN?
  • My outbound NAT is in hybrid mode, but the 'automatic rules' section is empty. Normal?


Thanks,

Frank
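Added example, not from the thread or from OPNsense: a small Python checker that parses an SPD dump in the setkey -DP format quoted above (sample constructed here from the values in the post) and reports whether a given local net and remote net are covered by an out and an in policy, and whether every out policy has a mirrored in policy. On the dump as quoted, the out policy's destination (172.160.0.0/16) does not mirror the in policy's source (172.16.0.0/16), and the check flags it; the regex assumes the "[any]" port suffix seen in the post.

```python
import ipaddress
import re

# Constructed sample in the setkey -DP format quoted in the post (values copied from it).
SPD_DUMP = """\
172.16.0.0/16[any] 10.203.207.0/24[any] any
in ipsec
esp/tunnel/1.2.3.4-4.3.2.1/unique:6
spid=69 seq=2 pid=20879 scope=global
10.203.207.0/24[any] 172.160.0.0/16[any] any
out ipsec
esp/tunnel/4.3.2.1-1.2.3.4/unique:6
spid=70 seq=0 pid=20879 scope=global
"""

# "src[port] dst[port] proto" header, followed on the next line by "in|out|fwd ipsec".
HEADER = re.compile(r"^(\S+?)\[\w+\]\s+(\S+?)\[\w+\]\s+\S+$")
DIRECTION = re.compile(r"^(in|out|fwd)\s+(\w+)")


def parse_spd(text):
    """Return (direction, src_net, dst_net) tuples from a setkey -DP style dump."""
    policies, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            pending = (ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)))
            continue
        m = DIRECTION.match(line)
        if m and pending:
            policies.append((m.group(1), pending[0], pending[1]))
            pending = None
    return policies


def check_tunnel(policies, local_net, remote_net):
    """Findings: missing out/in coverage for local<->remote, and out policies without a mirror."""
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    outs = [p for p in policies if p[0] == "out"]
    ins = [p for p in policies if p[0] == "in"]
    findings = []
    if not any(local.subnet_of(s) and remote.subnet_of(d) for _, s, d in outs):
        findings.append(f"no out policy covers {local} -> {remote}")
    if not any(remote.subnet_of(s) and local.subnet_of(d) for _, s, d in ins):
        findings.append(f"no in policy covers {remote} -> {local}")
    for _, s, d in outs:
        if ("in", d, s) not in ins:
            findings.append(f"out policy {s} -> {d} has no mirrored in policy")
    return findings
```

Running check_tunnel with the untranslated LAN (192.168.0.0/24) shows why NAT must happen before the SPD lookup: neither direction covers it, whereas 10.203.207.0/24 is covered inbound and only the asymmetric out policy is reported.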


GaardenZwerch

Re: IPSec S2S and NAT Problem
« Reply #1 on: February 19, 2019, 03:47:22 pm »
OK, please, somebody explain this:
in my NAT rule, I had used an alias, of type Network, with the value "192.168.0.0/24" in the source column.

When I put the internal 'XXX net' object instead, it just works. (That's the object that gets created when you assign an IP address to your interface.)

Now onto my next problem:
I have two phase 2 entries below the same phase 1.
I need to check 'Tunnel Isolation' in phase one, otherwise both do not work.

If I check tunnel isolation, only the last of the two phase 2 entries works. If I swap them in /usr/local/etc/ipsec.conf and run "ipsec restart", it is always the last one that works.

Any clues?

Thanks,
