I'm trying to set up an IPsec connection between two sites.
To be flexible and avoid any current or potential future IP range overlaps, I want to "NAT away" some networks of one (or both) sides of the tunnel.
To make it a bit more complex, I want to be able to NAT only some of the devices in certain networks, not the network as a whole. This gives the maximum flexibility as some of our clients can't or don't want to reserve a network of equal size as we use and they only need access to certain devices/computers.
I.e. it's probably not necessary for them to access the database server, the web servers are enough.
Here's an example:
(https://forum.opnsense.org/index.php?action=dlattach;topic=13839.0;attach=7772)
How can this "NAT magic" happen? Can I do this on the OPNsense, where the IPsec tunnel is configured, or do I need a second device for that?
Can I configure a "routed IPsec tunnel" (2nd phase) and define some NAT there on the Site A side?
I tried that. The tunnel is up and working, but the NAT is not.
Thanks for any hint!
You can do nearly everything with NAT. Only tested with policy-based, but it should also work with route-based. Mostly it depends on the direction of the flows, where sometimes the netmask has to be even.
It doesn't need to be route-based, could also be policy-based. Just thought it would maybe be easier...
How would the config be for my example above?
Thanks!
Have you read this:
https://wiki.opnsense.org/manual/how-tos/ipsec-s2s-binat.html
Normally, once you have read it 2-3 times, you'll know how to solve it yourself. :)
I indeed read this page already about 10 times and was able to set up a NAT connection, even with only one side NATed and the other with their original IPs. :)
But:
In my example, would I create a One-to-One NAT for every host I want to map?
And then use a /32 IP range for only the host and add every IP to the "Manual SPD entries" field?
This would result in 8 One-to-One NAT entries.
Is this correct?
Quote from: arjen on August 15, 2019, 11:43:42 AM
To make it a bit more complex, I want to be able to NAT only some of the devices in certain networks, not the network as a whole.
I'd guess this just doesn't work. Make it NAT the whole network and let the firewall do the rest; this should be the way to go.