
Topics - nellson

#1
I have built a routed VTI IPsec tunnel to a Cisco router at work. I am using BiNAT to make my 10.0.0.0/25 network look like 10.0.10.0/25 over the tunnel. I am using 10.0.10.252/30: .254 is my OPNsense end, .253 is my Cisco VTI Tunnel10. The tunnel on the Cisco can ping the tunnel IP on the OPNsense. The loopback on the Cisco, 10.45.253.1, can ping the 10.0.10.254 of the OPNsense. BUT when my Linux box at 10.0.0.24, NATing to 10.0.10.24, tries to ping the loopback of the router at 10.45.253.1 (and a ping from the router's loopback to 10.0.10.24 at the same time), neither gets a reply. YET both unidirectional traffic flows show in the packet capture on my tunnel interface on the OPNsense. I am lost as to how this happens. (see picture attached)

My tunnel interface has two ANY - ANY IPv4 rules, for in and out. And I see Encaps and Decaps aplenty in my Cisco and my OPNsense IPsec stats...

#2
Using the docs I was able to get an IPsec/IKEv2 tunnel up in 15 minutes with my company's Cisco router, and was very jazzed that I could replace my Palo Alto firewall VPN. My company uses mostly the entire 10. net, including the little 10.0.0.0/24 I use at home. No problem, that's what the IPsec BiNAT was for, yes? So...

My IPsec tunnel uses 10.0.10.0/25 as the inside space that I will be NATing myself to, and 10.0.0.0/8 for the remote network. Cisco IPsec sees that and reverse-route-injects a static 10.0.10.0/25 in for my tunnel. Cool.

On the OPNsense side, I have my IPsec tunnel originating from my WAN interface (static IP from ISP) and my NAT set up with a single test 1-to-1 from 10.0.0.7 (my PC) to 10.0.10.7 (the IP I will appear as over the tunnel, same as I did with my Palo).

My IPsec FW rules are ANY ANY right now, both inbound and out.

So I test a ping from my station to a station at work, and it appears to be going straight out the internet, and not the tunnel. My ISP gateway is sending the ICMP rejection.

So I am stuck on what I might need to do for routing/NAT, and https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html wasn't giving me quite enough.

UPDATE: Traffic FROM my work to the NAT address 10.0.10.7 is correctly getting through the tunnel and being NATed to my 10.0.0.7 workstation. I see INBOUND traffic in all the IPsec logs, and Wireshark on my workstation shows the ping hitting me. (Carbon Black denies it, but hey, it got here!) If I ping from that same workstation, no outbound traffic is seen in the tunnel.

So I followed the IPsec tunnel docs, and added the BiNAT docs. I think my issue is in the IPsec tunnel docs, in that my VPN Status shows my tunnel as "INSTALLED" and "ROUTED" but the docs say it should just show "INSTALLED", and in the route table there is no entry to suggest my traffic would get captured by my IPsec tunnel.

My NAT is on the IPsec interface... perhaps that is why it's not being NATed before the tunnel network list sees it?
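The two posts above are about the same question from two angles: what decides whether a packet enters the tunnel, and where the BiNAT rewrite sits relative to that decision. The following is an added example, not code from the posts and not an OPNsense configuration; it is a plain-Python model of net-to-net BiNAT (host bits kept, prefix swapped), of a policy-based SA's traffic-selector check (used in post #2, where no routing-table entry appears), and of the longest-prefix route lookup that drives a route-based VTI (post #1). Addresses are the ones the posts mention; the route table and the interface names lan, wan and ipsec1 are assumptions made for the illustration.

```python
"""Model of net-to-net BiNAT and of what decides whether a packet enters
an IPsec tunnel: the traffic selector for a policy-based (tunnel-mode)
SA, the routing table for a route-based (VTI) one.

Added example, not code from the posts above and not an OPNsense config.
The route table and the interface names (lan, wan, ipsec1) are assumed."""
import ipaddress

IPv4 = ipaddress.IPv4Address


def net(s):
    return ipaddress.IPv4Network(s, strict=False)


def binat(addr, inside, outside):
    """Net-to-net 1:1 translation: swap the network prefix, keep the host
    bits. The mapping is a bijection, so one rule serves both directions."""
    a, i, o = IPv4(addr), net(inside), net(outside)
    if i.prefixlen != o.prefixlen:
        raise ValueError("BiNAT networks must be the same size")
    if a in i:
        return IPv4(int(o.network_address) | (int(a) & int(i.hostmask)))
    if a in o:
        return IPv4(int(i.network_address) | (int(a) & int(o.hostmask)))
    return a  # not covered by the rule: left untouched


def policy_captures(src, dst, local_ts, remote_ts):
    """Tunnel-mode SP lookup: both addresses must fall inside the selectors.
    The routing table is not consulted at all, which is why post #2 sees
    no route entry for the tunnel."""
    return IPv4(src) in net(local_ts) and IPv4(dst) in net(remote_ts)


def policy_based_egress(src, dst, nat_before_ipsec):
    """Post #2: 10.0.0.7 pings a work host. The SP's local selector is the
    BiNAT network, so only a packet whose source has already been rewritten
    to 10.0.10.7 matches it; anything else follows the default route."""
    local_ts, remote_ts = "10.0.10.0/25", "10.0.0.0/8"
    src_on_wire = binat(src, "10.0.0.7/32", "10.0.10.7/32") if nat_before_ipsec else IPv4(src)
    if policy_captures(src_on_wire, dst, local_ts, remote_ts):
        return "ipsec", str(src_on_wire)
    return "default-route", str(src_on_wire)


# Assumed routing table for post #1's VTI setup: the home /25 is directly
# connected, the rest of 10/8 is reached through the VTI interface, and
# everything else goes to the ISP.
ROUTES = [("0.0.0.0/0", "wan"), ("10.0.0.0/25", "lan"), ("10.0.0.0/8", "ipsec1")]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match, as the kernel does for a route-based tunnel
    (a VTI's SP is any<->any, so routing alone decides)."""
    best = None
    for prefix, iface in routes:
        n = net(prefix)
        if IPv4(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1] if best else None


def vti_forward(src, dst, in_iface):
    """Post #1: forward one packet through the VTI box. Egress over ipsec1
    rewrites the source 10.0.0.x -> 10.0.10.x; ingress from ipsec1 rewrites
    the destination back. Returns (out_iface, src, dst)."""
    inside, outside = "10.0.0.0/25", "10.0.10.0/25"
    s, d = IPv4(src), IPv4(dst)
    if in_iface == "ipsec1":
        d = binat(d, inside, outside)    # reply to 10.0.10.24 -> 10.0.0.24
    out = route_lookup(str(d))
    if out == "ipsec1":
        s = binat(s, inside, outside)    # 10.0.0.24 -> 10.0.10.24 on the way out
    return out, str(s), str(d)


if __name__ == "__main__":
    print(policy_based_egress("10.0.0.7", "10.45.253.1", nat_before_ipsec=False))
    print(policy_based_egress("10.0.0.7", "10.45.253.1", nat_before_ipsec=True))
    print(vti_forward("10.0.0.24", "10.45.253.1", "lan"))
    print(vti_forward("10.45.253.1", "10.0.10.24", "ipsec1"))
```

Run as-is, the first call shows the untranslated 10.0.0.7 missing the local selector and leaving via the default route (the ISP's ICMP rejection in post #2), the second shows the same packet captured once its source is already 10.0.10.7. The two `vti_forward` calls show the VTI case: the destination alone picks ipsec1 or lan, and the BiNAT rewrite is applied on that interface in each direction. The model says nothing about where OPNsense actually hooks the rewrite; it only shows which address each stage needs to see.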

#3
So I am new to OPNsense, coming from a Palo Alto firewall system. My home network has a /29 public block, where I use the first usable as my firewall IP, and for all my port forwarding.

But I have some servers that need two 1-to-1 NATs, and I am having trouble understanding the docs on how this works.

I made two BiNAT rules the way I think they needed to be, <public>.99 <-> <private>.24/32, and when I test my .24 host with a what's-my-IP test, I get my public NAT, but when I try to contact my host via an external dig (it's a DNS server) I get nothing. My rules allow TCP/UDP 53 & 953 to my two outside IPs.

Do I need to use a Virtual IP construct to get OPNsense to respond to the two outside IPs of my NAT? (This was from a Google search of someone who got a lab to work; it did not make sense.)
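Two things have to hold for an inbound 1:1 mapping on a directly attached /29, and the model below walks a packet through both in the order pf applies them. First, the firewall has to own the public address (that is what an IP Alias Virtual IP does) so that it answers the upstream router's ARP for it; otherwise the packet never reaches pf. Second, pf applies translation before filtering, so the WAN filter rule is evaluated against the translated, internal destination, not the public one. This is an added example, not code from the post and not OPNsense's own; the addresses are placeholders (203.0.113.96/29 from RFC 5737 for the redacted public block, 10.0.0.24 for <private>.24, vtnet0 for the WAN interface), and the ifconfig and pfctl text is constructed.

```python
"""Model of pf's inbound handling of a 1:1 (binat) mapping on a public /29,
in the order pf applies it: ownership of the public address (ARP), then the
binat translation, then the filter rules on the translated destination.

Added example, not code from the post above or from OPNsense. Addresses are
placeholders and the ifconfig / pfctl text below is constructed."""
import re

# Constructed `ifconfig vtnet0` output: primary WAN address only.
IFCONFIG_NO_VIP = (
    "vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\tinet 203.0.113.97 netmask 0xfffffff8 broadcast 203.0.113.103\n"
)
# The same interface after adding an IP Alias Virtual IP for .99.
IFCONFIG_WITH_VIP = IFCONFIG_NO_VIP + (
    "\tinet 203.0.113.99 netmask 0xffffffff broadcast 203.0.113.99\n"
)

# Constructed `pfctl -s nat` line for the 1:1 mapping .99 <-> .24.
PFCTL_NAT = "binat on vtnet0 inet from 10.0.0.24 to any -> 203.0.113.99\n"

# Two candidate WAN rule sets: destination = public IP vs destination = internal IP.
RULES_PUBLIC_DST = [{"proto": {"tcp", "udp"}, "dst": "203.0.113.99", "ports": {53, 953}}]
RULES_INTERNAL_DST = [{"proto": {"tcp", "udp"}, "dst": "10.0.0.24", "ports": {53, 953}}]


def owns_address(ifconfig_text, addr):
    """True if the address is configured on the interface, i.e. the box will
    answer ARP for it. Without that the upstream router never hands the
    packet over, and pf never sees it."""
    return addr in re.findall(r"\binet (\d+\.\d+\.\d+\.\d+)", ifconfig_text)


def parse_binat(pfctl_text):
    """public -> internal map from `binat on IF inet from INT to any -> PUB` lines."""
    pairs = re.findall(r"binat on \S+ inet from (\S+) to any -> (\S+)", pfctl_text)
    return {pub: internal for internal, pub in pairs}


def inbound(ifconfig_text, pfctl_text, rules, dst, proto, port):
    """Walk one inbound packet through the model and report where it ends up."""
    if not owns_address(ifconfig_text, dst):
        return f"dropped upstream: no ARP reply for {dst}"
    dst_after = parse_binat(pfctl_text).get(dst, dst)   # translation first
    # then filtering; OPNsense generates its rules with `quick`, so first match wins
    for r in rules:
        if proto in r["proto"] and r["dst"] == dst_after and port in r["ports"]:
            return f"pass to {dst_after}:{port}"
    return f"blocked by default deny (filter saw dst {dst_after})"


if __name__ == "__main__":
    cases = [
        (IFCONFIG_NO_VIP, RULES_PUBLIC_DST),
        (IFCONFIG_WITH_VIP, RULES_PUBLIC_DST),
        (IFCONFIG_WITH_VIP, RULES_INTERNAL_DST),
    ]
    for ifc, rules in cases:
        print(inbound(ifc, PFCTL_NAT, rules, "203.0.113.99", "udp", 53))
```

The three cases print, in order, the packet being dropped before pf sees it, the packet translated to 10.0.0.24 and then hitting the default deny because the rule still names the public address, and finally the pass once the rule's destination is the internal host. The ARP condition only applies when the ISP's router ARPs for each /29 address on the WAN link rather than routing the whole block to the firewall; the model does not say which of the two conditions is the one failing in the post, only that both have to be checked.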