Text only | Text with Images

OPNsense Forum

English Forums => General Discussion => Topic started by: mikehps on December 03, 2018, 11:12:57 AM

Title: IPSEC NAT
Post by: mikehps on December 03, 2018, 11:12:57 AM
Hi,

OpnSense 18.7.8 in place with the following Problem on an IPSEC site-to-site tunnel

IKEv1 Tunnel with two phase 2 Traffic Selectors:

Local LAN: 192.168.100.0/24
Local Subnet Phase 2: a.b.c.132/30
Remote Subnet Phase 2: x.y.z.0/24

Local LAN: 192.168.100.0/24
Local Subnet Phase 2: a.b.c.132/30
Remote Subnet Phase 2: x.y.z.0/24

Tunnel is up and working

BINAT 1:1 Rule on IPSEC Interface
External: x.y.z.134/32
Source: 192.168.100.11/32
Destination: x.y.z.37/32

Manual SPD Entry: 192.168.100.11/32
FW Rules -> IPsec Ipv4 any any allow all (for testing)

However, its not working. The remote end x.y.z.37/32 is not reachable.

Can anyone help pls?

Thanks and regards,
Michael
Title: Re: IPSEC NAT
Post by: mimugmail on December 03, 2018, 11:39:45 AM
Your network design is a bit odd. Can you setup the P2 networks to some private networks so your routing doesn't get confused with peering IPs?

Like:

Real LAN1: 192.168.100.0/24
Fake LAN1: 192.168.1.0/24

Real LAN2: 192.168.100.0/24
Fake LAN2: 192.168.11.0/24

So you build a VPN from 192.168.1.0 with 192.168.11.0 .. the clients from LAN1 need to ping addresses from .11.0 to reach .1.0 from LAN2 and vice versa. Then you set up BINAT like from the official docs ...
Title: Re: IPSEC NAT
Post by: mikehps on December 03, 2018, 11:57:22 AM
unfortunately the customers security settings only allow the given (official IPs) as P2 local and remote network and they are not willing to change their IPSEC settings...
Title: Re: IPSEC NAT
Post by: mikehps on December 10, 2018, 06:03:28 PM
Update:

We are also affected by https://github.com/opnsense/core/issues/1773

Workaround:
Code Select
setkey -f with this file: spdadd <src_net> <dst_net> any -P out ipsec esp/tunnel/<local_wan_ip>-<remote_wan_ip>/unique:<id>;

regards,
Michael
Title: Re: IPSEC NAT
Post by: mikehps on January 23, 2019, 11:41:06 AM
Hi,

Was there a change with OpnSense 18.7.10?

Nat before IPSEC isn't working anymore, but setkey -DP show correct entries:

Code Select
x.x.x.x[any] z.z.z.z[any] any
        in ipsec
        esp/tunnel/x.x.x.x-z.z.z.z/unique:1
        created: Jan 23 11:29:28 2019  lastused: Jan 23 11:29:28 2019
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=36 seq=1 pid=84235 scope=global
        refcnt=1
z.z.z.z[any] x.x.x.x[any] any
        out ipsec
        esp/tunnel/z.z.z.z-x.x.x.x/unique:1
        created: Jan 23 11:29:28 2019  lastused: Jan 23 11:29:28 2019
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=37 seq=0 pid=84235 scope=global
        refcnt=1


regards,
Michael
Text only | Text with Images