OPNsense Forum

English Forums => Virtual private networks => Topic started by: bit-project-de on November 10, 2025, 09:26:26 AM

Title: Policy based IPSec, Phase 2 public IPs, Routing and NAT
Post by: bit-project-de on November 10, 2025, 09:26:26 AM
Hi all,

currently I'm required to set up an IPSec tunnel between a corporate network and a remote Hosting Provider. Corporate Clients (connected to CISCO VPN) shall access services in the Hosting Provider's private network. I installed OpnSense 25.7.3_7 on the Hosting Provider end.

As per corporate requirements the IPSec must be policy based and must use public IPs in Phase 2. The tunnel is working as expected to the point where I need to connect to services in the hosting provider's private network. I can't get private traffic back through the tunnel.

Setup is as follows:

Corporate:
IPSec GW: 5.4.3.2
IPSec local Network: 4.3.2.1/32
Clients(Cisco VPN): 10.20.30.0/24
NAT: 10.20.30.111 -> 2.3.4.5

Hosting Provider:
IPSec GW: 1.2.3.4
IPSec local Network: 2.3.4.5/32
LAN Network: 172.18.70.11/32 (Proxy Server)

I have configured the Phase 2 public IP 2.3.4.5 as Virtual IP Alias on LAN Interface on the Hosting Provider End.


Now when a client from the 10.20.30.0/24 corp private network tries to access the NAT IP 10.20.30.111 that directs traffic through the tunnel to 2.3.4.5, it can successfully connect and see the OpnSense WebUI for testing.

But from here I want to 1:1 NAT my local Tunnel network 2.3.4.5 to the private network 172.18.70.11/32 to allow clients to access services in my private network.

In the firewall log I can see traffic on the LAN Interface from local network 4.3.2.1 going to 172.18.70.11/32, but there is no traffic coming back.


Since I'm really confused with all the options like creating Gateways and route, 1:1 NAT, Nat Reflection, Outbound NAT, Gateway Rules and Policies, it would be really appreciated if somebody could give me a hint in the right direction.

I think the problem is with the routing of the public IPs into the Tunnel, but since there is no IPSec interface available (just the Firewall rules tab), I wonder how to define the Gateway. I think in a policy based VPN my traffic must match the installed policies, which it does not do because of the NAT rules applied.

Can somebody help me?
Title: Re: Policy based IPSec, Phase 2 public IPs, Routing and NAT
Post by: bit-project-de on November 10, 2025, 01:48:21 PM
I solved the problem.

First I created a Single Gateway pointing to remote Tunnel IP of corp (4.3.2.1).

Then I set up 1:1 NAT with the external IP being the local Tunnel endpoint (2.3.4.5/32) and the internal IP pointing to my proxy (172.18.70.11/32). NAT Reflection enabled.

Then I created a Firewall rule on the IPSec Interface allowing traffic from the remote tunnel IP (4.3.2.1) to my internal proxy IP (172.18.70.11/32).

What did the trick was going to the advanced options for this firewall rule and setting the "reply_to" option to the Gateway created in the first step.

And I had to remove other rules that were applied to this traffic to make sure my newly created rule is actually applied, so the gateway rule was active.
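The three steps of the solution above, written out as hand-written pf rules for illustration. This is an added example, not the ruleset OPNsense generates from the UI; the interface name enc0, the WAN name and the port list are assumptions.

```pf
# Added illustration, not OPNsense's generated ruleset: hand-written pf rules
# approximating the three UI steps. Interface names and the port list are assumed.
corp_ep   = "4.3.2.1"       # corporate Phase 2 network (remote tunnel IP)
local_ep  = "2.3.4.5"       # local Phase 2 address, aliased on LAN
proxy     = "172.18.70.11"  # internal proxy behind the 1:1 NAT
svc_ports = "{ 80, 443 }"   # assumed; keep this to what the proxy must serve

# Step 2: 1:1 (bidirectional) NAT between the tunnel address and the proxy.
# Inbound on enc0, 4.3.2.1 -> 2.3.4.5 becomes 4.3.2.1 -> 172.18.70.11;
# replies from the proxy are rewritten back to 2.3.4.5 on the way out.
binat on enc0 from $proxy to any -> $local_ep

# Step 3 plus reply-to: accept only the translated traffic on the IPsec
# interface and pin the return traffic to the tunnel gateway instead of the
# default route. Without reply-to the replies to 4.3.2.1 would follow the
# default route, which matches the "no traffic coming back" symptom.
# 'quick' stops later, broader rules from overriding this one, which is why
# conflicting rules had to be removed in the last step.
pass in quick on enc0 reply-to (enc0 $corp_ep) inet proto tcp \
    from $corp_ep to $proxy port $svc_ports keep state
```

Checking that replies actually take the tunnel is a matter of looking for the state entry on enc0 (pfctl -ss) and for decrypted traffic in both directions on enc0 rather than the WAN.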