OPNsense Forum

English Forums => Virtual private networks => Topic started by: ntkevinshao on August 15, 2022, 10:07:58 am

Title: IPsec Site to Site VPN with One Site Behind NAT
Post by: ntkevinshao on August 15, 2022, 10:07:58 am
My lab config:
Site 1 local OPNsense #1:
- LAN IP: 192.168.1.1/24
- WAN IP: 100.1.1.1/24

Site 2 remote site firewall (NAT):
- WAN IP: 100.1.1.2/24
- Port forward configured on WAN to forward AH, ESP and TCP/UDP 500/4500 to 192.168.3.22
- LAN IP (connected to OPNsense #2): 192.168.3.21/24
Site 2 remote site OPNsense #2 for the IPsec site-to-site VPN:
- WAN IP (connected to firewall): 192.168.3.22/24
- LAN IP: 192.168.2.22/24

But I could not get the IPsec site-to-site VPN to work for Site 1 192.168.1.0/24 to connect to Site 2 192.168.2.0/24.
What should I use in Site 1 OPNsense and Site 2 OPNsense Phase 1:
My identifier = My IP address?
Peer identifier = Peer IP address?
NAT Traversal is enabled.

VPN: IPsec: Security Policy Database shows two sessions installed.
VPN: IPsec: Security Association Database is empty.
Title: Re: IPsec Site to Site VPN with One Site Behind NAT
Post by: ntkevinshao on August 15, 2022, 12:23:34 pm
I know where the problem is:
Site 2 remote site OPNsense #2.
My Identifier should use IP address 100.1.1.2, which is the outbound public address after NAT.
I should use 192.168.3.22.
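As an added illustration, not taken from the thread or from OPNsense itself, here is what the two Phase 1 identity settings look like when expressed as strongSwan swanctl.conf (the IPsec daemon OPNsense uses), with the identifier fix from the last post applied on both ends: the NATed OPNsense #2 identifies itself by its own interface address 192.168.3.22, and OPNsense #1 expects exactly that ID while still sending traffic to the NAT device's public 100.1.1.2. Connection names, the PSK placeholder and the use of IKEv2 are assumptions; the addresses and subnets are the lab's.

```conf
# Site 1: OPNsense #1, directly on public address 100.1.1.1 (constructed example)
connections {
    site2 {
        version      = 2
        local_addrs  = 100.1.1.1
        remote_addrs = 100.1.1.2          # NAT device's WAN; IKE/UDP 4500 is forwarded behind it
        local {
            auth = psk
            id   = 100.1.1.1              # "My identifier" = My IP address
        }
        remote {
            auth = psk
            id   = 192.168.3.22           # "Peer identifier": the ID the NATed peer really sends,
        }                                 # NOT the 100.1.1.2 seen as the packet source
        children {
            lan {
                local_ts     = 192.168.1.0/24
                remote_ts    = 192.168.2.0/24
                start_action = trap
            }
        }
    }
}

# Site 2: OPNsense #2, private WAN 192.168.3.22 behind the NAT firewall at 100.1.1.2
connections {
    site1 {
        version      = 2
        local_addrs  = 192.168.3.22
        remote_addrs = 100.1.1.1
        local {
            auth = psk
            id   = 192.168.3.22           # "My identifier": own interface address, matches Site 1's remote id
        }
        remote {
            auth = psk
            id   = 100.1.1.1              # "Peer identifier" = Peer IP address
        }
        children {
            lan {
                local_ts     = 192.168.2.0/24
                remote_ts    = 192.168.1.0/24
                start_action = trap
            }
        }
    }
}

secrets {
    ike-site {
        id-1   = 100.1.1.1
        id-2   = 192.168.3.22             # PSK lookup is by identity, so both IDs must be listed here too
        secret = "REPLACE_WITH_STRONG_PSK"  # placeholder
    }
}
```

Because NAT Traversal is negotiated, ESP is carried inside UDP/4500 across the NAT device, so the UDP 500/4500 forwards are the ones that matter and the raw AH/ESP forwards are unused. An ID mismatch like the original one shows up on the responder as an IKE_AUTH authentication failure in the IPsec log, while the SPD already holds the policies, which is exactly the "SPD populated, SAD empty" picture from the first post.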