OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: TXTad on July 15, 2020, 02:59:55 AM

Title: SOLVED: NAT not working with IPSec VPN
Post by: TXTad on July 15, 2020, 02:59:55 AM
Hello,

I am attempting to get a site to site VPN running with a single routable IP address inside each end of the tunnel.

Something like:

   Unknown      Remote                                          Local             My
- Private NW -  network      WAN                       WAN      network ----- Private NW ----
    ?.?.?.? <-> 1.1.1.2 -- 1.1.1.1 <=== TUNNEL ====> 2.2.2.1 -- 2.2.2.2 <-> NAT <-> 10.0.0.15


The Remote end of the connection is a partner company that my company is providing a single service to via this tunnel. The goal here is to allow the service to work while each network is insulated from each other and neither side has to have any knowledge of the other's topology.

I've tried both 1:1 NAT and Port Forward NAT. It seems that I have to have the local network IP as a virtual IP on my WAN interface, and the closest I've come is that traffic gets to the correct server in my network at 10.0.0.15, but the return traffic seems to want to head straight to the internet rather than being returned up the tunnel.

I do also have a /26 network 1:1 NAT servicing requests directly from the internet, but I obtained a single, completely different IP address to use for 2.2.2.2 in the above diagram that has no NAT associated with it besides what I've tried to set up for the tunnel.

I know this description is fairly vague, but does anyone have any suggestions?

Thanks!
Title: Re: NAT not working with IPSec VPN
Post by: mimugmail on July 15, 2020, 06:01:36 AM
Did you set SPD entries?
Title: Re: NAT not working with IPSec VPN
Post by: TXTad on July 15, 2020, 03:29:46 PM
Quote from: mimugmail on July 15, 2020, 06:01:36 AM
Did you set SPD entries?

I did not and I wouldn't know how. This is the first I've heard of this.
Title: Re: NAT not working with IPSec VPN
Post by: mimugmail on July 15, 2020, 04:02:01 PM
NAT before IPsec needs this in FreeBSD https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html
Title: Re: NAT not working with IPSec VPN
Post by: TXTad on July 15, 2020, 04:07:24 PM
Quote from: mimugmail on July 15, 2020, 04:02:01 PM
NAT before IPsec needs this in FreeBSD https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html

The documentation seems to say that I'm going to put my local network in the "Manual SPD Entries" box, so 10.0.0.15/32 in my example?
Title: Re: NAT not working with IPSec VPN
Post by: TXTad on July 15, 2020, 04:10:43 PM
And will I need a virtual IP for the 2.2.2.2 that isn't actually visible on the internet?

Or, asked differently, how do I assign that to an interface?

Or, is that handled by my NAT entry? 1:1 or Port Forward?
Title: Re: SOLVED: NAT not working with IPSec VPN
Post by: TXTad on July 15, 2020, 06:16:03 PM
The secret sauce was the SPD entry. The non-obvious part was that 10.0.0.15/32 is what goes in that field.

The other part I was missing was the 1:1 NAT with 2.2.2.2 as the External IP, 10.0.0.15 as the Internal IP, and 1.1.1.2 as the Destination IP.

Do not have 2.2.2.2 as a virtual IP.
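A small Python model of the outbound lookup the solved configuration relies on, added here as an illustration and not code from the OPNsense project or from anyone in the thread: the IPsec policy (SPD) lookup is assumed to run on the pre-NAT source address, so a reply from 10.0.0.15 to 1.1.1.2 only enters the tunnel when a manual SPD entry names 10.0.0.15/32, and the 1:1 NAT rule is what makes the peer see 2.2.2.2. The addresses are the thread's example values; the policy-before-NAT ordering is an assumption drawn from the linked how-to's requirement for manual SPD entries.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the objects the thread ends up with (thread's example addresses).
# Phase 2 of the tunnel only knows the agreed address 2.2.2.2, never the real host 10.0.0.15.
PHASE2_SPD = [(ip_network("2.2.2.2/32"), ip_network("1.1.1.2/32"))]
# Manual SPD entry from the solved post: the internal host, not the NAT address.
MANUAL_SPD = [(ip_network("10.0.0.15/32"), ip_network("1.1.1.2/32"))]
# 1:1 NAT from the solved post: external 2.2.2.2, internal 10.0.0.15, destination 1.1.1.2.
BINAT = {
    "external": ip_address("2.2.2.2"),
    "internal": ip_address("10.0.0.15"),
    "destination": ip_network("1.1.1.2/32"),
}


def spd_match(spd, src, dst):
    """True if some policy selector (local net, remote net) covers the (src, dst) pair."""
    return any(src in local and dst in remote for local, remote in spd)


def binat_outbound(src, dst):
    """Apply the 1:1 NAT rule: internal source becomes the external address for that destination."""
    if src == BINAT["internal"] and dst in BINAT["destination"]:
        return BINAT["external"]
    return src


def outbound_path(spd, src, dst):
    """Assumed model: the policy lookup sees the pre-NAT source address.

    Returns "ipsec-tunnel" when a policy matches, otherwise "default-route"
    (the packet leaves via the normal routing table, i.e. towards the internet,
    which is the symptom described in the first post).
    """
    src, dst = ip_address(src), ip_address(dst)
    return "ipsec-tunnel" if spd_match(spd, src, dst) else "default-route"


def peer_sees(src, dst):
    """Source address the remote side observes after the 1:1 NAT rule is applied."""
    return str(binat_outbound(ip_address(src), ip_address(dst)))


if __name__ == "__main__":
    for spd, label in ((PHASE2_SPD, "phase 2 only"), (PHASE2_SPD + MANUAL_SPD, "with manual SPD")):
        print(f"{label:16}: 10.0.0.15 -> 1.1.1.2 goes via {outbound_path(spd, '10.0.0.15', '1.1.1.2')}")
    print("peer sees source", peer_sees("10.0.0.15", "1.1.1.2"))
```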