Hello,
I fail to configure 1:1 NAT for trafic going via an IPsec tunnel (tunnel between my LAN and the network of a third party)
Here is the context :My LAN network IP address is : 10.33.0.0/16
Third party IP address of the server I need to access via IPsec tunnel : 172.31.254.254/32
Network arriving in the tunnel (for 1:1 NAT) : 10.88.0.0/16
I am using OPNsense version 20.1.1.
Here is the IPsec configuration (algorithms part taken out) :
- Phase 1 :
- Key Exchange version : V1
- Interface : WAN
- Remote gateway : 5.5.5.5 (Third party server IP)
- Authentication method : Mutual PSK
- My identifier : 3.3.3.3 (my public IP)
- Peer identifier : 5.5.5.5
- Install policy : (Checked)
- Tunnel Isolation : (Unchecked)
- NAT Traversal : Enable
- Phase 2 :
- Mode : Tunnel IPv4
- Local Network :
- Type : Network
- Address : 10.88.0.0/16
- Remote Network :
- Type : Address
- Address : 172.31.254.254/32
- Manual SPD entries : (Empty)
And here is the the 1:1 NAT configuration :
- Interface : IPsec
- Type : BINAT
- External network : 10.88.0.0/16
- Source / invert : (Unchecked)
- Source :
- Type : Single host or Network
- Address : 10.33.0.0/16
- Destination / invert : (Unchecked)
- Destination : any
- NAT reflection : Use system default
I do have an "IPsec" entry in the "Firewall: Rules" part of the GUI but nowhere else (not in "Interfaces" nor when trying to add a gateway or a route).
IPsec tunnel seems UP (according to the OPNsense dashboard) but I can't ping 172.31.254.254 or something in 10.88.0.0 from LAN.
And I don't see how it could work because
netstat -rn shows no entry for 172.31.254.254 nor 10.88.0.0.
Do I need to add my LAN address (10.33.0.0/16) to Phase 2's "Manual SPD entries" ?
Where/How could I see thoses "SPD entries" ?
Thank you.
Forgot to say I followed "Setup IPsec site to site tunnel" guide (https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html), added an "allow any to any" firewall rule on IPsec interface and allowed ESP, ISAKMP, IPsec NAT-T protocols on WAN interface.
Can you search the Docs for Binat IPsec. Its documented there :)
Thank for the pointer: In the mean time I tried to add my LAN as manual SPD entry but I saw no change of behavior.
Does BINAT setup requires to add specific firewall rule related to the natted network 10.88.0.0/16? The BINAT guide (https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html) does not say anything about it but the IPsec site-to-site tunnel guide (https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html) asks to create a "action=pass from=*:* to=LAN_net:*" rule on IPsec interface (which I did).
So I wonder if I need to create another rule (eg. to allow traffic from LAN to 10.88.0.0/16).
Using a tcpdump -n -i enc0 I can see my ping -s 10.33.0.1 172.31.254.254 (executed from OPNsense, whose LAN's address is "10.33.0.1") but I get no ping response and tcpdump ouput show no translation:
13:12:13.844882 (authentic,confidential): SPI 0xd0fb1d32: IP 10.33.0.1 > 172.31.254.254: ICMP echo request, id 31860, seq 0, length 64
(One of) The other thread I've found (« Updated IPSec with BiNAT walk-through needed? (https://forum.opnsense.org/index.php?topic=7282.0) ») seems to leave Manual SPD field blank and use a "type=BINAT dest=any" NAT 1:1 rule which did not matched documentation, but it was 2 years ago.
Is there a way to show/debug SPD entries?
Also, if my LAN clients ping or traceroute the IP 172.31.254.254 it goes out to WAN not via IPsec tunnel (tcpdump -n -i enc0).
I don't understand why a ping to the same IP would follow different path if executed from OPNsense with LAN interface as source or executed from a computer on LAN (having the OPNsense as default gateway).
I naively tried to add a "Firewall: NAT: Outbound" rule on IPsec interface to replace traffic from 10.33.0.0/16 (LAN) to 172.31.254.254 (third party server) by 10.88.0.0/16 (natted network) with no luck.
Just a thought: could my multi-wan setup (primary with failover) be responsible for the LAN clients' traffic not going through the tunnel?
Adding a firewall rule on LAN interface configured as follow did the trick:
from=LAN_net to=172.31.254.254/32 gateway=default(and placed before my firewall rule that sets gateway to the "primary/failover" gateway group for all traffic)
A
tcpdump -n -i enc0 still don't show translation for outgoing traffic (id. 10.33.0.1) but answer arrives for translated address (id. 10.88.0.1):
12:39:44.593119 (authentic,confidential): SPI 0xbde8b870: IP 10.33.0.1 > 172.31.254.254: ICMP echo request, id 60353, seq 18, length 64
12:39:44.593503 (authentic,confidential): SPI 0xbde8b870: IP 172.31.254.254 > 10.88.0.1: ICMP echo reply, id 60353, seq 18, length 64
In the web GUI, at "Firewall: Log Files: Live View", I do have translation for outgoing traffic (id. 10.88.0.1):
IPsec Feb 25 12:39:44 10.88.0.1 172.31.254.254 icmp IPsec internal host to host
lan Feb 25 12:39:44 10.88.0.1 172.31.254.254 icmp Allow access to third-party server behind IPsec tunnelSo, to summarize, I needed (on my side):
- A firewall rule on all WAN interfaces to allow ESP ISAKMP and IPsec NAT-T (see guide (https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html))
- IPsec tunnel with "Apply Policy" on Phase 1 and Phase 2 where local network="10.88.0.0/16", remote network="172.31.254.254/32" and Manual SPD entry=10.33.0.0/16
- A NAT "One-to-One" rule where type=BINAT, external network="10.88.0.0/16", source network="10.33.0.0/16" and destination network="172.31.254.254/32"
- A firewall rule on LAN interface where source="LAN_net:*", direction="in", destination="172.31.254.254/32:*", gateway="default"
- A firewall rule on IPsec interface where source="172.31.254.254/32:*", direction="in", destination="LAN_net:*", gateway="default"
Guides :
- Setup IPsec site to site tunnel (https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html)
- IPSec BINAT (https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html)