OPNsense Forum

English Forums => General Discussion => Topic started by: Tech34 on June 28, 2024, 04:02:44 PM

Title: VPN IPSEC site to site with virtual networks
Post by: Tech34 on June 28, 2024, 04:02:44 PM
Hello Forum,

I hope you're doing well.

I need some information about configuring an IPsec VPN on an OPNsense firewall.

I created an IPsec tunnel with a Stormshield firewall using virtual networks, but I'm unable to test the VPN tunnel. I don't know how to create virtual IP addresses and attach them to a physical interface using NAT in OPNsense. There are three types of NAT in OPNsense, and I'm unsure which one to use: NAT 1:1, outbound NAT, or port forward NAT.

I need your help to understand what I'm doing wrong. On the Stormshield firewall, I created a virtual network, which is preceded by a physical network. On the OPNsense firewall, I didn't create a virtual network, but I added it in the IPsec Phase 2 configuration.

Can you guys give me an idea of the NAT and filtering configurations that I should add in OPNsense?

Here's what the VPN tunnel looks like:

| 192.168.2.0/24 | -------------- (Stormshield [virt: 10.100.100.0/24]) ====ipsec==== (Opnsense[virt: 10.200.200.0/24]) -------------- | 192.168.100.0/24 |

This is what I'm trying to test:

Ping from 192.168.100.0/24 to 10.100.100.0/24. I have created an object in the Stormshield network that is NATted to a physical IP address 192.168.2.201/24, but I don't know how to do the same thing in OPNsense for a physical machine!

Thank you for your time guys !
Title: Re: VPN IPSEC site to site with virtual networks
Post by: Tech34 on July 02, 2024, 03:49:15 PM
Can anyone who knows how take the time to answer?
I would really appreciate it!
Title: Re: VPN IPSEC site to site with virtual networks
Post by: Monviech (Cedrik) on July 02, 2024, 04:03:39 PM
Why do you need to NAT?

You have two networks:

192.168.2.0/24
192.168.100.0/24

There is no overlap between those networks.

Just create a policy based tunnel that connects these networks directly in Phase2.
Title: Re: VPN IPSEC site to site with virtual networks
Post by: Tech34 on July 11, 2024, 03:23:49 PM
Hello, thank you for your answer.

I need to NAT because the two networks are behind a virtual network:

| 192.168.2.0/24 | -------------- (Stormshield [virt: 10.100.100.0/24]) ====ipsec==== (Opnsense[virt: 10.200.200.0/24]) -------------- | 192.168.100.0/24 |

In my case my LAN 192.168.100.0/24 has to be behind the network 10.200.200.0/24.

First I want to know if it's possible to do it in OPNsense, because I tried to do it with Stormshield and it worked perfectly, and if it's possible, how could we do it (create the virtual network and apply the NAT rules to translate from the virtual network to the local network)?
Title: Re: VPN IPSEC site to site with virtual networks
Post by: Tech34 on July 11, 2024, 03:25:23 PM
Also, because we have a lot of VPN tunnels in our Stormshield firewall, we have to create virtual networks in order to avoid IP address conflicts.
Title: Re: VPN IPSEC site to site with virtual networks
Post by: Monviech (Cedrik) on July 11, 2024, 04:30:24 PM
Do you mean this?

https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-binat.html
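The BINAT in that how-to is a 1:1 network translation: host bits are preserved and ports are never rewritten. This added Python example (not code from the thread or from OPNsense) walks a packet from the OPNsense LAN through that translation and the Phase 2 selector check, assuming only the four networks shown in the diagram above.

```python
"""Added example (not code from the thread or from OPNsense): walk a packet
through the 1:1 BINAT the linked how-to describes.  Networks are the ones
from the thread's diagram; nothing else is assumed."""
import ipaddress

LOCAL_LAN, LOCAL_VIRT = "192.168.100.0/24", "10.200.200.0/24"   # OPNsense side
REMOTE_LAN, REMOTE_VIRT = "192.168.2.0/24", "10.100.100.0/24"  # Stormshield side


def binat(addr, net_a, net_b):
    """1:1 translate addr between two equally sized networks, keeping the
    host bits.  BINAT rewrites addresses only; TCP/UDP ports are untouched,
    so it is not PAT."""
    ip = ipaddress.ip_address(addr)
    a, b = ipaddress.ip_network(net_a), ipaddress.ip_network(net_b)
    if a.prefixlen != b.prefixlen:
        raise ValueError("BINAT needs networks of equal size")
    if ip in a:
        return str(b.network_address + (int(ip) - int(a.network_address)))
    if ip in b:
        return str(a.network_address + (int(ip) - int(b.network_address)))
    raise ValueError(f"{addr} is in neither {net_a} nor {net_b}")


def trace_outbound(src_lan_ip, dst_ip):
    """Follow a packet leaving the OPNsense LAN towards the other site.
    1. BINAT rewrites the source into the local virtual network.
    2. The (src, dst) pair must fall inside the Phase 2 selectors
       (local virtual <-> remote virtual) or it never enters the tunnel.
    3. If it does, the Stormshield BINAT maps the destination to a real host."""
    tunnel_src = binat(src_lan_ip, LOCAL_LAN, LOCAL_VIRT)
    in_selectors = (ipaddress.ip_address(tunnel_src) in ipaddress.ip_network(LOCAL_VIRT)
                    and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(REMOTE_VIRT))
    remote_real = binat(dst_ip, REMOTE_VIRT, REMOTE_LAN) if in_selectors else None
    return {"tunnel_src": tunnel_src, "tunnel_dst": dst_ip,
            "in_selectors": in_selectors, "remote_real_dst": remote_real}


if __name__ == "__main__":
    # Host on the OPNsense LAN reaching the NATted Stormshield object 192.168.2.201
    print(trace_outbound("192.168.100.10", "10.100.100.201"))
    # Addressing the remote LAN directly does not match the selectors
    print(trace_outbound("192.168.100.10", "192.168.2.201"))
```

The second trace shows why clients must target the remote virtual network: a packet addressed to the real remote LAN never matches the Phase 2 selectors.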
Title: Re: VPN IPSEC site to site with virtual networks
Post by: Tech34 on July 11, 2024, 04:44:55 PM
Hello,

Thanks for the document, it worked!
Title: Re: VPN IPSEC site to site with virtual networks
Post by: Tech34 on July 12, 2024, 10:45:52 AM
Hello again,

It worked from the Stormshield to the OPNsense:

(https://i.ibb.co/SX6h4fD/Capture.png) (https://ibb.co/qMDt3JL)

but not from the OPNsense to Stormshield!
Title: Re: VPN IPSEC site to site with virtual networks
Post by: Tech34 on July 12, 2024, 02:21:56 PM
Quick update: the ICMP works, but when I try RDP, it doesn't work. I have a question: does the BINAT do PAT?
Title: Re: VPN IPSEC site to site with virtual networks
Post by: Monviech (Cedrik) on July 12, 2024, 02:26:05 PM
MTU - MSS problem?

IPsec uses PMTUD to discover the maximum transmission size; that requires some more ICMP options to be allowed, not only echo request and reply.

Otherwise set a hard MSS size with a Firewall - Normalization rule in OPNsense.

Here it's explained for WireGuard, but it applies to any VPN technology when PMTUD doesn't work. https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
Title: Re: VPN IPSEC site to site with virtual networks
Post by: Tech34 on July 15, 2024, 09:11:56 AM
When I sniffed packets using Wireshark, this is what I see: (https://i.postimg.cc/mhbYTr0f/Capture2.png) (https://postimg.cc/mhbYTr0f)
Title: Re: VPN IPSEC site to site with virtual networks
Post by: Monviech (Cedrik) on July 15, 2024, 11:31:35 AM
That looks like there is a SYN but no SYN-ACK. I don't know what the issue is though, it's a bit out of my reach right now.
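To check a capture for exactly that pattern without eyeballing it, here is an added Python example (not from the thread) that scans tcpdump-style text output for flows that sent a SYN but never saw a SYN-ACK. The sample lines are constructed for the example; the addresses are the ones from this thread.

```python
"""Added example (not from the thread): find TCP flows that sent a SYN but
never received a SYN-ACK, the pattern seen in the capture above.  Input is
tcpdump -n style text; the sample lines below are constructed."""
import re
from collections import defaultdict

LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")

# Constructed sample: an RDP attempt that only retransmits SYN, and a
# healthy HTTP handshake for comparison.
SAMPLE = """\
10:00:00.000 IP 192.168.100.10.51000 > 10.100.100.201.3389: Flags [S], seq 100, win 64240
10:00:01.000 IP 192.168.100.10.51000 > 10.100.100.201.3389: Flags [S], seq 100, win 64240
10:00:00.500 IP 192.168.100.10.51001 > 10.100.100.201.80: Flags [S], seq 200, win 64240
10:00:00.510 IP 10.100.100.201.80 > 192.168.100.10.51001: Flags [S.], seq 300, ack 201, win 65535
10:00:00.520 IP 192.168.100.10.51001 > 10.100.100.201.80: Flags [.], ack 301, win 64240
""".splitlines()


def find_half_open(lines):
    """Return flows with at least one SYN and no matching SYN-ACK.
    A flow is keyed by the client side (source of the SYN) so that the
    reverse-direction SYN-ACK lands in the same bucket."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":
            flows[(src, int(sport), dst, int(dport))]["syn"] += 1
        elif flags == "S.":
            flows[(dst, int(dport), src, int(sport))]["synack"] += 1
    return [{"client": c, "sport": sp, "server": s, "dport": dp, "syn_count": v["syn"]}
            for (c, sp, s, dp), v in sorted(flows.items()) if v["syn"] and not v["synack"]]


if __name__ == "__main__":
    for f in find_half_open(SAMPLE):
        print(f"{f['client']}:{f['sport']} -> {f['server']}:{f['dport']} "
              f"sent {f['syn_count']} SYN(s), no SYN-ACK seen")
```

A flow that shows up here on the LAN side but not in a capture on the IPsec interface points at a filter or NAT rule on the sending firewall; one that leaves the tunnel but gets no reply points at the other end.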
Title: Re: VPN IPSEC site to site with virtual networks
Post by: Tech34 on July 15, 2024, 02:13:01 PM
It's okay, thank you for your help, you really helped me a lot. In OPNsense, it keeps blocking the RDP traffic:

(https://i.postimg.cc/0rDzc9w4/Capture2.png) (https://postimg.cc/0rDzc9w4)
Title: [Solved] VPN IPSEC site to site with virtual networks
Post by: Tech34 on July 23, 2024, 12:26:07 PM
Hello, I solved my issue by reading this guy's post:

https://www.reddit.com/r/OPNsenseFirewall/comments/hrdzti/nat_not_working_with_ipsec_vpn/