OPNsense Forum

English Forums => Virtual private networks => Topic started by: benni.mack on November 21, 2020, 08:24:44 PM

Title: IPsec - 1-to-1-BINAT not receiving TCP packages back
Post by: benni.mack on November 21, 2020, 08:24:44 PM
Hey everyone,

after some days and nights figuring out what my problem is, I hope to find some pointers / answers here:

I want to connect from any machines of my local network behind Opnsense as my main router to defined remote servers via IPsec.

I set up an IPsec ESP tunnel mode connection with a remote network. The connection / tunnel is established, and phase 1/phase 2 are running properly.

My requirements are exactly as documented here https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html, except that only my OPNsense is doing BINAT and not the other side, as they do not need this (Cisco ASA 5545-X). The remote company sent me the details that their remote network (10.190.0.0/16 - this is where I need to access servers) is only allowed to send to 10.160.50.0/24 - so I configured IPsec to establish a tunnel between these two networks.

=> My public IP 1.2.3.4
=> My local office IP net is 192.168.1.0/24

Also: NAT Traversal is enabled on phase 1, and "install policies" and "install routes" is also enabled.

First hurdle (which I managed) was to add my local office IP net to the "Manual SPD entries" in phase 2. As soon as I add this, I can see outgoing traffic (via tcpdump on opnsense) but no incoming traffic.

So I assumed I had to set up a One-To-One BINAT with 192.168.1.0/24 as the source network, the remote network (10.190.0.0/16) as the destination, and 10.160.50.0/24 as the external network, i.e. the one doing the NAT.

Once I set the One-To-One NAT on the IPsec interface, I can at least ping a server on the remote VPN, and I get a response back (echo reply) from the server in the remote network. However, the tcpdump on the "enc0" interface does not show the translated IP but the original IP, which I found a bit odd, and it's where I assume the issue resides: I cannot connect via TCP on e.g. HTTPS/SSH. Crazily enough, if I use the proprietary Cisco AnyConnect into their servers, I can do a curl request with a proper response. So I figure this must be something on my side that I misconfigured or that is missing, so that the NAT is not working properly, as the remote servers cannot "talk back".

So my assumptions are either that 1-to-1 NAT via IPsec only works if both parties do 1-to-1 NAT (which I would find odd?) or that the BINAT is not doing its job before the packages are sent over IPsec?

Would appreciate any kind of help!

Thanks in advance.
Benni.
Title: Re: IPsec - 1-to-1-BINAT not receiving TCP packages back
Post by: mimugmail on November 21, 2020, 11:57:33 PM
Do you use multiple SAs?
Title: Re: IPsec - 1-to-1-BINAT not receiving TCP packages back
Post by: benni.mack on November 22, 2020, 12:23:14 AM
Quote from: mimugmail on November 21, 2020, 11:57:33 PM
Do you use multiple SAs?

I did not set up any SAs manually, just used the config from OPNsense directly ("Install Policy"), and the Security Association Database contains two entries (both ESP). Phase 1 is based on a mutual PSK.

I hope I understood your question correctly.
Title: Re: IPsec - 1-to-1-BINAT not receiving TCP packages back
Post by: mimugmail on November 22, 2020, 08:54:27 AM
I meant multiple Phase2
Title: Re: IPsec - 1-to-1-BINAT not receiving TCP packages back
Post by: benni.mack on November 22, 2020, 10:22:14 AM
Quote from: mimugmail on November 22, 2020, 08:54:27 AM
I meant multiple Phase2

Ah, I see. No, no multiple Phase 2s. Very basic and straightforward. One thing I wondered was whether the "NAT Traversal" option in the IPsec configuration needs to be the same on both sides, or only on the side which receives or sends via NAT... Maybe that's a thing to consider?
Title: Re: IPsec - 1-to-1-BINAT not receiving TCP packages back
Post by: mimugmail on November 22, 2020, 12:39:21 PM
Sorry, I reread the thread again: tcpdump regarding NAT in IPsec shows packets prior to rewriting (compared to usual interfaces). This also took me some time back in the days. I think it's safe now to ask the other side if they see dropped packets.
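To make the two observations in this thread concrete (the "manual SPD entry" needed in the first post so the real LAN matches a policy at all, and the reply above that the enc0 capture shows the pre-NAT addresses), here is a small model of the 1:1 BINAT mapping and the SPD selector check. It is an added example, not code from the thread or from OPNsense, and it only models the address arithmetic: it assumes that 1:1 BINAT preserves the host bits (192.168.1.10 becomes 10.160.50.10), that the negotiated phase 2 selector is 10.160.50.0/24 <-> 10.190.0.0/16, and the sample hosts 192.168.1.10 and 10.190.20.5 are constructed. It does not reproduce the kernel's actual ordering of pf and IPsec processing.

```python
import ipaddress

# Networks are the ones named in the thread; host addresses below are constructed.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # real office LAN behind OPNsense
BINAT_NET = ipaddress.ip_network("10.160.50.0/24")   # what the remote side is told to expect
REMOTE_NET = ipaddress.ip_network("10.190.0.0/16")   # remote company's network

# Phase 2 traffic selector as negotiated (local, remote); assumed from the thread.
PHASE2_SELECTOR = (BINAT_NET, REMOTE_NET)
# The extra "Manual SPD entry" for the real LAN that the original poster added.
MANUAL_SPD_ENTRY = (LOCAL_NET, REMOTE_NET)


def _check_binat_sizes(local_net, binat_net):
    # 1:1 BINAT copies the host bits unchanged, so both networks must be the same size.
    if local_net.prefixlen != binat_net.prefixlen:
        raise ValueError("1:1 BINAT needs networks of equal prefix length")


def binat_out(src, local_net=LOCAL_NET, binat_net=BINAT_NET):
    """Map a real LAN host to its BINAT address (host bits preserved; assumed behaviour)."""
    _check_binat_sizes(local_net, binat_net)
    src = ipaddress.ip_address(src)
    if src not in local_net:
        raise ValueError(f"{src} is not in {local_net}")
    offset = int(src) - int(local_net.network_address)
    return ipaddress.ip_address(int(binat_net.network_address) + offset)


def binat_in(dst, local_net=LOCAL_NET, binat_net=BINAT_NET):
    """Reverse mapping for replies: BINAT address back to the real LAN host."""
    # Same arithmetic with the two networks swapped.
    return binat_out(dst, local_net=binat_net, binat_net=local_net)


def policy_matches(src, dst, selectors):
    """True if (src, dst) is covered by any (local, remote) selector pair in the SPD."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in local and dst in remote for local, remote in selectors)


def trace_flow(src, dst, spd=(PHASE2_SELECTOR,)):
    """Walk one outbound packet and its reply through BINAT and the SPD lookup."""
    translated = binat_out(src)
    return {
        "pre_nat_src": str(src),              # what a capture on enc0 shows
        "post_nat_src": str(translated),      # what the remote peer should see
        "pre_nat_in_spd": policy_matches(src, dst, spd),
        "post_nat_in_spd": policy_matches(translated, dst, spd),
        "reply_restored_to": str(binat_in(translated)),
    }


if __name__ == "__main__":
    from pprint import pprint
    host, server = "192.168.1.10", "10.190.20.5"   # constructed sample hosts
    print("Only the negotiated selector in the SPD:")
    pprint(trace_flow(host, server))
    print("With the manual SPD entry for the real LAN added:")
    pprint(trace_flow(host, server, spd=(PHASE2_SELECTOR, MANUAL_SPD_ENTRY)))
```

The first trace shows that the untranslated packet (192.168.1.10 -> 10.190.20.5) matches no policy while the translated one does; adding the manual SPD entry makes the pre-NAT packet match as well. The equal-prefix check is the one thing worth verifying in the GUI before anything else: a 1:1 NAT between a /24 and anything other than a /24 cannot map hosts back and forth unambiguously.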
Title: Re: IPsec - 1-to-1-BINAT not receiving TCP packages back
Post by: benni.mack on November 23, 2020, 09:27:55 AM
Thanks, I will ask for details on package sending from the other side today and keep you posted!