Is this still a problem?
I need to NAT an address before sending it through an IPSEC tunnel, but I can't get it to work. According to a packet capture it seems that NAT is done, but the packet is not being tunneled afterwards.
Rgds,
Jesper
Most of it should be fixed in 19.7.2
A little more explanation.
It's an existing tunnel. My end is 10.222.0.0/16, the remote end is 10.1.204.0/24.
I have a server at my end coming from 10.220.2.72 which I translate to 10.222.8.4. If I ping from the local server and do a packet capture on the WAN interface, then I can see the translated address towards the server I try to reach (10.1.204.108).
Firewall interfaces:
VLAN 10 (10.220.0.9/22)
VLAN 32 (10.222.8.4/22)
WAN
My local server is coming in via VLAN 10 and is being translated to the interface address on VLAN 32.
Please find attached a packet capture. The ping is done from a server 10.220.2.13 and it's being translated to 10.222.8.4, but the packet towards 10.1.204.108 is not being tunneled.
I have tried 2 configs. Both configs are outbound NAT:
WAN as outgoing interface (packet capture WAN)
IPSEC as outgoing interface (packet capture IPSEC)
PACKET CAPTURE WAN:
VLAN10
em0 09:29:01.766196 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32194, offset 0, flags [none], proto ICMP (1), length 60)
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43537, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43538, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43539, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43540, length 40
VLAN10
em0 09:29:06.475942 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32195, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0 09:29:11.465461 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32196, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0 09:29:16.475901 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32197, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:29:01.766572 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32194, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43537, length 40
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43538, length 40
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43539, length 40
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43540, length 40
WAN
em1 09:29:06.476327 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32195, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:29:11.465774 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32196, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:29:16.476087 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32197, offset 0, flags [none], proto ICMP (1), length 60)
PACKET CAPTURE IPSEC:
VLAN10
em0 09:36:51.695292 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32198, offset 0, flags [none], proto ICMP (1), length 60)
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43547, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43548, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43549, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43550, length 40
VLAN10
em0 09:36:56.466359 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32199, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0 09:37:01.483428 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32200, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0 09:37:06.466768 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32201, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:36:51.695470 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32198, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43547, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43548, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43549, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43550, length 40
WAN
em1 09:36:56.466440 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32199, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:37:01.483573 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32200, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:37:06.466915 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32201, offset 0, flags [none], proto ICMP (1), length 60)
In the image below, "test" is 10.220.2.13, "Salling group" is 10.1.204.108 and "VLAN32_NAT_INTERFACE" is 10.222.8.4.
Screenshots Phase2 SA please
A ping from the firewall's VLAN32 interface (10.222.8.4) works, but when I use the same interface address or any other address in 10.222.0.0/16 for translation, then I can't ping.
Errr... did you follow the binat guide from the official docs? I can't see any screenshot of binat rules. It won't work like this.
I have tried both 1:1 NAT and outbound NAT, but neither work.
Packet capture with binat (1:1 NAT) rule:
VLAN10
em0 09:49:14.273478 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32211, offset 0, flags [none], proto ICMP (1), length 60)
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46613, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46614, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46615, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46616, length 40
VLAN10
em0 09:49:19.207255 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32212, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0 09:49:24.206931 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32213, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0 09:49:29.206841 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32214, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:49:14.273756 00:50:56:a8:47:5c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.1.204.108 tell 91.221.51.240, length 28
WAN
em1 09:49:14.274354 00:26:0a:27:d6:00 > 00:50:56:a8:47:5c, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 10.1.204.108 is-at 00:26:0a:27:d6:00, length 46
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46613, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46614, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46615, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46616, length 40
WAN
em1 09:49:14.274394 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32211, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:49:19.207418 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32212, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:49:24.207103 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32213, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:49:29.206921 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32214, offset 0, flags [none], proto ICMP (1), length 60)
And you added the internal source IP to the SPD in IPsec Phase 2?
No, nothing has been added to the SPD in Phase 2. As I previously mentioned, I don't have access to the remote end, and the remote end is not an OPNsense firewall.
What IP do I need to add, and should this be done at both ends of the tunnel?
Again, did you read the binat guide? You have to add an SPD entry in Phase 2 as described in the how-to. It's the source IP/net you used in the 1:1 NAT.
Yes, I did read the binat how-to, but I thought I had to add the network/host at both ends of the tunnel, and that was not an option.
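As an added example (not code from the thread, and not OPNsense's own code), the script below does two things a practitioner would want when chasing this symptom: it reads WAN-side tcpdump lines like the ones posted above and flags plaintext (non-ESP) packets, or ARP requests, for the remote Phase 2 network, which is the proof that the tunnel was bypassed; and it models the outbound policy lookup to show why the binat how-to needs a manual SPD entry. The capture lines are copied from the thread's three WAN captures; the SPD model (Phase 2 local network plus manual SPD entries, looked up on the untranslated source before pf NAT rewrites it) and the 10.220.0.0/22 "internal" network (taken from the VLAN 10 interface address) are assumptions, not something the thread states explicitly.

```python
"""Two checks for the NAT-before-IPsec problem in this thread.

Added example, not OPNsense code. The capture lines below are copied from the
thread's WAN captures; the SPD model (Phase 2 local network plus manual SPD
entries, looked up on the untranslated source) is an assumption that follows
the binat how-to referred to in the thread.
"""
import ipaddress
import re
from collections import Counter

# Phase 2 selectors as given in the thread
LOCAL_NET = ipaddress.IPv4Network("10.222.0.0/16")      # translated side
REMOTE_NET = ipaddress.IPv4Network("10.1.204.0/24")
# Assumed from the VLAN 10 interface address 10.220.0.9/22: the untranslated side
INTERNAL_NET = ipaddress.IPv4Network("10.220.0.0/22")

# WAN capture lines copied from the thread, one per configuration that was tried
WAN_CAPTURE = [
    # outbound NAT on WAN: translated, but still plaintext on the WAN
    "10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43537, length 40",
    # outbound NAT on IPsec: neither translated nor tunneled
    "10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43547, length 40",
    # 1:1 NAT without an SPD entry: the firewall ARPs for the remote host on WAN
    "em1 09:49:14.273756 00:50:56:a8:47:5c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.1.204.108 tell 91.221.51.240, length 28",
]

IP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): (ESP|ICMP|TCP|UDP)")
ARP_RE = re.compile(r"Request who-has (\d+\.\d+\.\d+\.\d+) tell")


def classify_wan_line(line, remote_net=REMOTE_NET):
    """Verdict for one tcpdump line captured on the WAN interface.

    esp       encrypted tunnel traffic: what a working tunnel looks like
    leak      plaintext packet addressed to the remote Phase 2 network, so the
              SPD did not claim it and it was routed out the WAN in the clear
    arp-leak  the firewall ARPs on the WAN for a host in the remote network,
              i.e. it treats the tunnel subnet as directly connected
    other     unrelated traffic or a line we do not parse
    """
    m = ARP_RE.search(line)
    if m and ipaddress.IPv4Address(m.group(1)) in remote_net:
        return "arp-leak"
    m = IP_RE.search(line)
    if not m:
        return "other"
    _src, dst, proto = m.groups()
    if proto == "ESP":
        return "esp"
    if ipaddress.IPv4Address(dst) in remote_net:
        return "leak"
    return "other"


def audit_capture(lines, remote_net=REMOTE_NET):
    """Count verdicts over a capture; any leak or arp-leak means the tunnel is
    being bypassed for that traffic."""
    return Counter(classify_wan_line(line, remote_net) for line in lines)


def spd_selects(src, dst, local_nets, remote_net):
    """Model of the outbound policy lookup: IPsec only takes the packet when
    source and destination both fall inside the Phase 2 selectors."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return d in remote_net and any(s in n for n in local_nets)


def will_tunnel(internal_src, dst, local_net=LOCAL_NET, manual_spd=(),
                remote_net=REMOTE_NET):
    """NAT before IPsec (assumed model): the lookup runs on the untranslated
    source, so the Phase 2 local network (the translated range) alone is not
    enough; the original source must also be covered by a manual SPD entry."""
    selectors = [local_net, *manual_spd]
    return spd_selects(internal_src, dst, selectors, remote_net)


if __name__ == "__main__":
    print(audit_capture(WAN_CAPTURE))
    print("without SPD entry:", will_tunnel("10.220.2.13", "10.1.204.108"))
    print("with SPD entry:   ", will_tunnel("10.220.2.13", "10.1.204.108",
                                            manual_spd=[INTERNAL_NET]))
```

Run against the thread's captures, all three lines come back as leaks rather than ESP, which is the quickest way to tell "NAT happened but IPsec did not" from a genuine tunnel fault. The model also reproduces the other observation in the thread: a ping sourced from the VLAN32 interface address 10.222.8.4 is selected by the policy because it already sits inside the Phase 2 local network, while 10.220.2.13 is only selected once 10.220.0.0/22 is added as a manual SPD entry.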
I got it to work now. Thanks very much for all your help, it's highly appreciated :o)
Glad you did it 8)