Hello,
I'm trying to configure an IPsec tunnel and need to use 1 to 1 NAT because the local IP network also exists in the remote networks.
Configuration is as follows:
HQ : Local Network : 192.168.100.1/24 : (LAN) OPN (WAN) : 192.168.1.254 ------ Router 192.168.1.1 ------- WWW
Remote : 192.168.0.0/24 --- Public IP (WWW)
I need to configure an IPsec tunnel with translation to 192.168.111.0/24 (local), connected to 192.168.0.0/24 (remote).
So I have configured:
- an IPsec P2 for network 192.168.111.0/24 to 192.168.0.0/24
- a 1 to 1 NAT on the IPsec interface with external 192.168.111.0/24 for traffic from 192.168.0.0/24 to 192.168.0.0/24
Incoming ICMP traffic from the remote 192.168.0.0/24 net reaches a client on 192.168.100.0/24, but the reply isn't redirected into the IPsec tunnel.
I think the problem is because of the WAN NAT on 192.168.1.254 for outside.
I have also tried with an IP alias on LAN with 192.168.111.1/24 and NAT on this IP before the tunnel, but it doesn't work.
Can anyone tell me which configuration may be used in my situation?
Thanks for your help.
Regards,
Renaud.
Finally, I'm able to have a functional NATted IPsec with the following configuration:
Phase 2:
Type              Local network      Remote network
ESP IPv4 tunnel   192.168.111.0/24   192.168.0.0/24
1 to 1 NAT rules:
Interface   External IP        Internal IP        Destination IP
IPsec       192.168.111.0/24   192.168.0.0/24     192.168.101.0/24
IPsec       192.168.111.0/24   192.168.101.0/24   192.168.0.0/24
and I need to add the SPD manually, even with "192.168.101.0/24" in the manual SPD field of the GUI:
setkey -f spd.conf
with spd.conf:
spdadd 192.168.101.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/[Local Public IP]-[Remote Public IP]/unique:2;
NAT from the router isn't the problem; the manual SPD of the GUI isn't working for me...
maybe:
https://github.com/opnsense/core/issues/2173
https://github.com/opnsense/core/issues/1773
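The following is an added worked example, not code from the thread or from OPNsense. It models the addressing of the working setup above: a 1 to 1 network translation between the real HQ LAN (192.168.101.0/24) and the address the remote side sees (192.168.111.0/24), in both directions the NAT rules cover, and then checks which packets the Phase 2 selector (192.168.111.0/24 <-> 192.168.0.0/24) actually matches. It also emits the outbound `spdadd` line in the same setkey syntax the post used. The function names, the sample host addresses and the two public IPs (taken from the documentation ranges) are assumptions for illustration only.

```python
import ipaddress

# Constructed values mirroring the post. The public IPs are placeholders
# from the documentation ranges (assumption, not from the page).
LAN_REAL   = ipaddress.ip_network("192.168.101.0/24")  # real HQ LAN in the working setup
LAN_NAT    = ipaddress.ip_network("192.168.111.0/24")  # address range the remote side sees
REMOTE     = ipaddress.ip_network("192.168.0.0/24")    # remote LAN
LOCAL_PUB  = "203.0.113.10"   # placeholder for [Local Public IP]
REMOTE_PUB = "198.51.100.20"  # placeholder for [Remote Public IP]

# Phase 2 selector from the post: local 192.168.111.0/24, remote 192.168.0.0/24
P2_LOCAL, P2_REMOTE = LAN_NAT, REMOTE


def binat(addr, src_net, dst_net):
    """1 to 1 network translation: keep the host bits, swap the network prefix."""
    addr = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1 to 1 NAT needs equal-sized networks")
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    host_bits = int(addr) - int(src_net.network_address)
    return dst_net.network_address + host_bits


def translate_outbound(src, dst):
    """LAN host talking to the remote site: source 192.168.101.x -> 192.168.111.x."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LAN_REAL and dst in REMOTE:
        return binat(src, LAN_REAL, LAN_NAT), dst
    return src, dst  # not covered by the NAT rule: unchanged


def translate_inbound(src, dst):
    """Remote host reaching the translated address: destination 192.168.111.x -> 192.168.101.x."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in REMOTE and dst in LAN_NAT:
        return src, binat(dst, LAN_NAT, LAN_REAL)
    return src, dst


def matches_p2(src, dst):
    """Would this (src, dst) pair be selected by the Phase 2 tunnel policy?"""
    return ipaddress.ip_address(src) in P2_LOCAL and ipaddress.ip_address(dst) in P2_REMOTE


def spd_out_entry(src_net=LAN_REAL, dst_net=REMOTE,
                  local_pub=LOCAL_PUB, remote_pub=REMOTE_PUB, reqid=2):
    """The outbound policy the post loads with `setkey -f spd.conf`, in setkey syntax."""
    return (f"spdadd {src_net} {dst_net} any -P out ipsec "
            f"esp/tunnel/{local_pub}-{remote_pub}/unique:{reqid};")


if __name__ == "__main__":
    # Remote 192.168.0.50 pings the translated address 192.168.111.20 (constructed hosts).
    print(translate_inbound("192.168.0.50", "192.168.111.20"))
    # The reply leaves the LAN host with its real address; untranslated it does
    # not match the P2 selector, so it would follow the default route instead.
    print(matches_p2("192.168.101.20", "192.168.0.50"))
    # After 1 to 1 NAT the same reply does match the selector.
    print(matches_p2(*translate_outbound("192.168.101.20", "192.168.0.50")))
    # Policy for the untranslated source range, as the post adds it by hand.
    print(spd_out_entry())
```

The check worth taking from this: the reply as it leaves the LAN host carries 192.168.101.x as source, which is outside the Phase 2 selector; only after translation to 192.168.111.x does it fit the tunnel policy. The extra `spdadd` for 192.168.101.0/24 covers exactly the untranslated form, which is consistent with the post's observation that this entry was what finally made the replies take the tunnel.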