IPsec - 1-to-1-BINAT not receiving TCP packages back
benni.mack:
Hey everyone,
after some days and nights figuring out what my problem is, I hope to find some pointers / answers here:
I want to connect from any machine of my local network behind OPNsense (my main router) to defined remote servers via IPsec.
I set up an IPsec ESP tunnel mode with a remote network. The connection / tunnel is established, and phase 1/phase 2 are running properly.
My requirements are exactly as documented here https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html, except that only my OPNsense is doing BINAT and not the other side, as they do not need this (Cisco ASA 5545-X). The remote company sent me the details that their remote network (10.190.0.0/16 - this is where I need to access servers) is only allowed to send to 10.160.50.0/24 - so I configured IPsec to establish a tunnel between these two networks.
=> My public IP 1.2.3.4
=> My local office IP net is 192.168.1.0/24
Also: NAT Traversal is enabled on phase 1, and "install policies" and "install routes" is also enabled.
First hurdle (which I managed) was to add my local office IP net to the "Manual SPD entries" in phase 2. As soon as I add this, I can see outgoing traffic (via tcpdump on opnsense) but no incoming traffic.
So, I assumed to set up a One-To-One BINAT with 192.168.1.0/24 as the source network, the remote network (10.190.0.0/16) as destination and the external network defined as 10.160.50.0/24 as the one doing the NAT.
Once I set the One-To-One NAT on the IPsec interface, I can at least ping a server on the remote VPN, and I get a response back (echo response) from the server in the remote network. However, the tcpdump does not show the translated IP in the "enc0" interface but the original IP, which I found a bit odd, and it's where I assume the issue resides: I cannot connect via TCP on e.g. HTTPS/SSH. Crazy enough, if I use the proprietary Cisco AnyConnect into their servers, I can do a curl request with a proper response. So I figure this needs to be something on my side that I misconfigured, or missing that the NAT is not doing properly, as the remote servers cannot "talk back".
So my assumptions are either that 1-to-1-NAT via IPsec only works if both parties do 1-to-1-NAT (which I would find odd?) or that the BINAT is not doing its job before the packages are sent over IPsec?
Would appreciate any kind of help!
Thanks in advance.
Benni.
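An added illustration (not code from the thread or from OPNsense) of the check that matters in the situation described above: a phase 2 SA only carries traffic whose source/destination pair falls inside the negotiated selectors (here local 10.160.50.0/24 and remote 10.190.0.0/16), so a packet that enters the tunnel with its original 192.168.1.x address, or a reply addressed to 192.168.1.x, is outside the SA and is dropped by the peer's SPD. The script models the 1:1 BINAT mapping and classifies tcpdump-style lines against those selectors. The capture lines are constructed samples, and the parse format assumes tcpdump's default `IP src.port > dst.port:` notation.

```python
import ipaddress
import re

# Networks as given in the thread.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # real office LAN behind OPNsense
BINAT_NET = ipaddress.ip_network("10.160.50.0/24")   # what the remote side expects to see
REMOTE_NET = ipaddress.ip_network("10.190.0.0/16")   # remote servers reached via the tunnel

# Phase 2 selectors as negotiated: local 10.160.50.0/24 <-> remote 10.190.0.0/16.
P2_LOCAL, P2_REMOTE = BINAT_NET, REMOTE_NET


def binat(addr, from_net, to_net):
    """1:1 (BINAT) translation: keep the host bits, swap the network part."""
    a = ipaddress.ip_address(addr)
    if a not in from_net:
        raise ValueError(f"{a} is not in {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 BINAT needs equally sized networks")
    host = int(a) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host)


def selector_match(src, dst, direction):
    """True if (src, dst) fits the phase 2 selectors for the given direction:
    'out' = local -> remote, 'in' = remote -> local."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "out":
        return s in P2_LOCAL and d in P2_REMOTE
    return s in P2_REMOTE and d in P2_LOCAL


# Matches tcpdump's default "IP a.b.c.d.port > e.f.g.h.port:" notation (assumption).
_LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")


def parse_tcpdump_line(line):
    """Return (src, sport, dst, dport) or None for lines that do not match."""
    m = _LINE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def audit_capture(lines):
    """Classify each parsed line as 'ok', 'untranslated-src', 'untranslated-dst'
    or 'outside-selectors' relative to the negotiated phase 2 selectors."""
    results = []
    for line in lines:
        parsed = parse_tcpdump_line(line)
        if parsed is None:
            continue
        src, _, dst, _ = parsed
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        direction = "in" if s in REMOTE_NET else "out"
        if selector_match(src, dst, direction):
            verdict = "ok"
        elif direction == "out" and s in LOCAL_NET:
            # BINAT did not happen before the SPD lookup; the peer will drop this.
            verdict = "untranslated-src"
        elif direction == "in" and d in LOCAL_NET:
            # Reply carries the real LAN address instead of the BINAT address.
            verdict = "untranslated-dst"
        else:
            verdict = "outside-selectors"
        results.append((src, dst, verdict))
    return results


# Constructed sample capture lines (not from the thread's actual tcpdump output).
SAMPLE_CAPTURE = [
    "12:00:01.000 IP 192.168.1.10.51234 > 10.190.3.7.443: Flags [S], seq 1, win 64240",
    "12:00:01.010 IP 10.160.50.10.51234 > 10.190.3.7.443: Flags [S], seq 1, win 64240",
    "12:00:01.020 IP 10.190.3.7.443 > 10.160.50.10.51234: Flags [S.], seq 2, ack 2",
    "12:00:01.030 IP 10.190.3.7.443 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2",
]

if __name__ == "__main__":
    print("192.168.1.10 ->", binat("192.168.1.10", LOCAL_NET, BINAT_NET))
    for src, dst, verdict in audit_capture(SAMPLE_CAPTURE):
        print(f"{src:>15} > {dst:<15} {verdict}")
```

Run against a real capture from the tunnel interface, the verdicts show directly whether the addresses entering the SA are the BINAT ones the peer's selectors allow; a run of `untranslated-src` verdicts on outbound packets points at the translation happening after (or not before) the IPsec policy lookup rather than at the remote side.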
mimugmail:
Do you use multiple SAs?
benni.mack:
--- Quote from: mimugmail on November 21, 2020, 11:57:33 pm ---Do you use multiple SAs?
--- End quote ---
I did not set up any SAs manually, just used the config from OPNsense directly ("Install Policy"), and the Security Association Database contains two entries (both ESP). Phase 1 is based on a mutual PSK.
I hope I understood your question correctly.
mimugmail:
I meant multiple Phase2
benni.mack:
--- Quote from: mimugmail on November 22, 2020, 08:54:27 am ---I meant multiple Phase2
--- End quote ---
Ah, I see. No, no multiple Phase 2s. Very basic and straightforward. One thing I wondered was if I need the "NAT Traversal" option in the IPsec configuration to be the same on both sides, or only on the side which receives or sends via NAT... Maybe that's a thing to consider?