OPNsense Forum
Archive => 19.1 Legacy Series => Topic started by: GaardenZwerch on February 19, 2019, 01:10:06 pm
-
Hi,
I want to set up a Site-2-Site Tunnel, between OPNSense and a third party.
My local Network is 192.168.0.0/24 but the third party requires that I use 10.203.207.0/24
Changing IPs at my side is not an option, as it is not really up to me.
The IPSec is up and running, and if I put a virtual IP of 10.203.207.1 on my local interface, I can ping the other side (ping -S 10.203.207.1 172.16.0.100 works, and I see the traffic on the enc0 interface).
172.16.0.0/16[any] 10.203.207.0/24[any] any
in ipsec
esp/tunnel/1.2.3.4-4.3.2.1/unique:6
created: Feb 19 12:37:34 2019 lastused: Feb 19 12:37:34 2019
lifetime: 9223372036854775807(s) validtime: 0(s)
spid=69 seq=2 pid=20879 scope=global
refcnt=1
10.203.207.0/24[any] 172.160.0.0/16[any] any
out ipsec
esp/tunnel/4.3.2.1-1.2.3.4/unique:6
created: Feb 19 12:37:34 2019 lastused: Feb 19 12:37:34 2019
lifetime: 9223372036854775807(s) validtime: 0(s)
spid=70 seq=0 pid=20879 scope=global
refcnt=1
Now I need to set up NAT, such that traffic from my LAN (192.168.0.0/24) appears to come from 10.203.207.0/24 before it goes into the tunnel.
- When I add 192.168.0.0/24 to the 'Manual SPD entries' in phase two, this causes the traffic to be thrown into the IPSec tunnel (I see it on enc0, but the source is not modified). I have tried with outbound NAT rules on all possible devices: WAN, LAN and IPSec
- When I clear the 'Manual SPD entries', traffic is never entering the tunnel, but I manage to get the wanted translation (I see traffic as originating from 10.203.207.0/24 on the WAN interface)
- I have tried one-to-one NAT, no success
Any hints would be greatly appreciated!
- I am pretty sure I had this working last year when I evaluated OPNSense with an earlier release. Did something change?
- Is outbound NAT the right place to do this, and if so, on what interface? IPSec, WAN or LAN?
- My outbound NAT is in hybrid mode, but the 'automatic rules' section is empty. Normal?
Thanks,
Frank
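A small check of the situation described in this post, added here as an example and not taken from the thread or from OPNsense: the SPD lookup sees the packet's source as it is at that moment, so traffic must already carry a 10.203.207.0/24 source to match the phase 2 selector, which is why an untranslated 192.168.0.0/24 packet either never enters the tunnel or enters it unmodified. The code parses a constructed SPD dump in the layout that setkey -DP prints (the selectors and peer addresses are the ones from the post), reports which policy a given flow would hit, and checks that the 'in' and 'out' selectors mirror each other; the mirror check is an assumption about what a consistently configured pair looks like.

```python
import ipaddress
import re

# Constructed sample in the layout of a `setkey -DP` SPD dump, trimmed to the
# lines the check needs; selectors and peers are taken from the post above.
SPD_DUMP = """\
172.16.0.0/16[any] 10.203.207.0/24[any] any
        in ipsec
        esp/tunnel/1.2.3.4-4.3.2.1/unique:6
10.203.207.0/24[any] 172.16.0.0/16[any] any
        out ipsec
        esp/tunnel/4.3.2.1-1.2.3.4/unique:6
"""

# A policy header line: "<src>[port] <dst>[port] <proto>"
POLICY_RE = re.compile(r"^(\S+)\[\S+\] (\S+)\[\S+\] \S+$")


def parse_spd(dump):
    """Return a list of (direction, src_net, dst_net) tuples from an SPD dump."""
    policies = []
    lines = [line.strip() for line in dump.splitlines() if line.strip()]
    for i, line in enumerate(lines):
        m = POLICY_RE.match(line)
        if m and i + 1 < len(lines):
            direction = lines[i + 1].split()[0]  # "in" or "out" on the next line
            policies.append((direction,
                             ipaddress.ip_network(m.group(1)),
                             ipaddress.ip_network(m.group(2))))
    return policies


def matching_policy(policies, direction, src, dst):
    """First policy whose selectors cover the flow, or None. No match means the
    packet is not tunnelled at all, whatever NAT did to it afterwards."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for d, s_net, d_net in policies:
        if d == direction and src in s_net and dst in d_net:
            return (d, s_net, d_net)
    return None


def policies_are_mirrored(policies):
    """Every 'out' selector pair should appear reversed as an 'in' pair;
    a typo in one half (e.g. 172.160.0.0/16) shows up as a failed mirror."""
    inbound = {(s, t) for d, s, t in policies if d == "in"}
    return all((t, s) in inbound for d, s, t in policies if d == "out")


if __name__ == "__main__":
    pol = parse_spd(SPD_DUMP)
    print("untranslated:", matching_policy(pol, "out", "192.168.0.10", "172.16.0.100"))
    print("translated:  ", matching_policy(pol, "out", "10.203.207.10", "172.16.0.100"))
    print("mirrored:    ", policies_are_mirrored(pol))
```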
-
OK, please, somebody explain this:
in my NAT rule, I had used an alias, of type Network, with the value "192.168.0.0/24" in the source column.
When I put the internal 'XXX net' object instead, it just works. (That's the object that gets created when you assign an IP address to your interface.)
Now onto my next problem:
I have two phase 2 entries below the same phase 1.
I need to check 'Tunnel Isolation' in phase one, otherwise both do not work.
If I check tunnel isolation, only the last of the two phase2 works. If I swap them in /usr/local/etc/ipsec.conf and run 'ipsec restart', it is always the last one that works.
Any clues?
Thanks,