OPNsense Forum » English Forums » Virtual private networks
Understanding the "new way" of BiNAT over IPSec
Topic: Understanding the "new way" of BiNAT over IPSec (Read 331 times)
anomaly0617
Jr. Member, Posts: 50, Karma: 0
Understanding the "new way" of BiNAT over IPSec
« on: April 16, 2024, 07:30:50 pm »
Hi all,
In the past, if I wanted to connect two buildings that had overlapping internal subnet(s), I could use a 1:1 NAT mapping to deal with this problem. For instance:
Problem Scenario:

                    Building A          Building B
  Local Network     192.168.1.0/24      192.168.1.0/24 (Uh oh!)
  Remote Network    1.2.3.4/30          4.3.2.1/30
In order to make this VPN tunnel work, I need to do something like this:
                    Building A          Building A (Masq.)    Building B (Masq.)    Building B
  Local Network     192.168.1.0/24      172.16.1.0/24         172.16.2.0/24         192.168.1.0/24
  Remote Network    1.2.3.4/30                                                      4.3.2.1/30
And now from Building A, if I ping 172.16.2.1, I get responses from the Building B firewall.
And from Building B, if I ping 172.16.1.1, I get responses from the Building A firewall.
The magic here was in the Phase 2 VPN tunnel: there was a "Manual SPD entries" field that let me specify the masquerade network. And then under Firewall >> NAT >> One-to-One, I'd create a custom mapping that converted, say, 172.16.2.26 into 192.168.1.26 in Building B, or 172.16.1.52 to 192.168.1.52 in Building A.
With me so far?
I'm migrating all of my VPN tunnels over to the new IPSec VPN Connections mechanism. And I've got 100+ new successful tunnels under my belt, so I'm fairly confident at this point that I'm doing it correctly. But this is the first time I've run into a conflict of networks.
So my question is, how do I achieve this under the new Connections mechanism of IPSec?
Is it under VPN >> IPSec >> Virtual Tunnel Interfaces, or
Is it under VPN >> IPSec >> Security Policy Database >> Manual >> Add Manual SPD?
Are there examples somewhere to reference?
Thanks, in advance!
« Last Edit: April 16, 2024, 07:33:03 pm by anomaly0617 »
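As an added illustration (not from this thread or from the OPNsense how-to the reply links to), here is a small Python model of the 1:1 mapping the post describes: host bits are kept, the network prefix is swapped, and a planning check flags the pitfalls a BiNAT design has to avoid (masquerade ranges that collide with each other or with a real LAN, or that differ in size from the LAN they stand in for). The function names and the `plan` output layout are my own; only the addresses come from the post.

```python
from ipaddress import IPv4Address, IPv4Network


def binat(addr: str, src: str, dst: str) -> IPv4Address:
    """1:1 (Bi)NAT of one address: keep the host bits, replace the prefix.

    Symmetric in src/dst, so the same function maps real -> masquerade
    and masquerade -> real (e.g. 172.16.2.26 <-> 192.168.1.26).
    """
    src_net, dst_net = IPv4Network(src), IPv4Network(dst)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs prefixes of equal size")
    ip = IPv4Address(addr)
    if ip not in src_net:
        raise ValueError(f"{ip} is not inside {src_net}")
    host_bits = int(ip) & int(src_net.hostmask)
    return IPv4Address(int(dst_net.network_address) | host_bits)


def plan(a_real: str, a_masq: str, b_real: str, b_masq: str) -> dict:
    """Sanity-check a two-site BiNAT design (constructed helper, not an OPNsense API).

    Returns whether the real LANs overlap, the Phase 2 selector pair each side
    needs (its own masquerade as local, the peer's masquerade as remote) and
    any design problems found.
    """
    a, am, b, bm = (IPv4Network(n) for n in (a_real, a_masq, b_real, b_masq))
    problems = []
    if am.overlaps(bm):
        problems.append(f"masquerade networks {am} and {bm} overlap")
    for masq in (am, bm):
        for real in (a, b):
            # a masquerade range must not collide with either site's real LAN,
            # otherwise hosts cannot tell local peers from translated remote ones
            if masq.overlaps(real):
                problems.append(f"{masq} overlaps real network {real}")
    for real, masq in ((a, am), (b, bm)):
        if real.prefixlen != masq.prefixlen:
            problems.append(f"{real} and {masq} differ in size; 1:1 NAT impossible")
    return {
        "real_networks_overlap": a.overlaps(b),
        "phase2_a": (str(am), str(bm)),  # Building A: local, remote
        "phase2_b": (str(bm), str(am)),  # Building B: local, remote
        "problems": problems,
    }


if __name__ == "__main__":
    # networks from the post: both buildings use 192.168.1.0/24 internally
    A, AM, B, BM = "192.168.1.0/24", "172.16.1.0/24", "192.168.1.0/24", "172.16.2.0/24"
    print(plan(A, AM, B, BM))
    print(binat("172.16.2.26", BM, B))  # Building B translates to 192.168.1.26
    print(binat("172.16.1.52", AM, A))  # Building A translates to 192.168.1.52
```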
AdSchellevis
Administrator, Hero Member, Posts: 893, Karma: 176
Re: Understanding the "new way" of BiNAT over IPSec
« Reply #1 on: April 29, 2024, 01:17:31 pm »
Hi,
You're probably looking for this: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-binat.html. It should be the same example as the legacy one, but for the new connections.
Just make sure to choose a unique reqid, certainly when legacy tunnels exist on the same machine (to prevent overlaps).
Best regards,
Ad