OPNsense Forum
Archive => 19.1 Legacy Series => Topic started by: olest on May 24, 2019, 11:18:54 am
-
Hi,
I have tried to set up NAT before IPsec.
Followed this how-to doc:
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html
Is it not working with 19.1?
I haven't tried with 18.7.
(tested with pfSense instead of my OPNsense box, and then it works)
-
I have two machines with 19.1.4 where it's running fine, must be a configuration issue.
More detail about the setup and the error, please.
-
LAN network: 192.168.17.0/24
OPNsense 19.1.7 - could it be kernel changes since 19.1.4?
IPSEC Phase 2 (tunnel up):
local network 10.222.15.0/24
remote network: 192.168.11.0/24
Manual SPD: 192.168.17.0/24
NAT 1:1:
Interface IPSEC
Type: BINAT
External network: 10.222.15.0/24
Source: 192.168.17.0/24
Destination: 192.168.11.0/24
Firewall:
Default LAN allow all rule.
I cannot ping 192.168.11.244 from 192.168.17.101 using the OPNsense firewall.
--
With pfSense I use:
Phase 2:
local network: 192.168.17.0/24
BINAT translation: 10.222.15.0/24
remote network: 192.168.11.0/24
-
tcpdump on enc0 please
-
I get nothing when I use "tcpdump -i enc0" and ping 192.168.11.244.
(tested with other tunnels with no NAT, and then I see the traffic with tcpdump)
-
With tcpdump on the LAN interface igb1 I get:
20:57:51.045693 IP 192.168.17.101 > 192.168.11.244: ICMP echo request, id 1, seq 36150, length 40
-
Consider me amazed if this is not VTI and pfSense works, but you're using ping without the -S parameter, which would indicate the opposite.
IPsec (non-VTI) needs -S for the source address, and IPsec needs said source address to accept traffic into the tunnel. Always.
# ping 192.168.77.1
PING 192.168.77.1 (192.168.77.1): 56 data bytes
^C
--- 192.168.77.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
# ping -S 10.0.0.1 192.168.77.1
PING 192.168.77.1 (192.168.77.1) from 10.0.0.1: 56 data bytes
64 bytes from 192.168.77.1: icmp_seq=1 ttl=255 time=56.350 ms
64 bytes from 192.168.77.1: icmp_seq=2 ttl=255 time=48.087 ms
IPsec from 10.0.0.1 -> 192.168.77.1
Cheers,
Franco
-
Not sure what you mean or what you want me to test.
-
The only SPDs with 192.168.11.0/24 I see are:
192.168.11.0/24 10.222.15.0/24
10.222.15.0/24 192.168.11.0/24
Should there not be any entry for the manual SPD?
-
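The two points raised above (Franco's note that non-VTI IPsec only accepts traffic whose source address is inside an SPD selector, and the SPD listing that contains only the translated 10.222.15.0/24, not the LAN 192.168.17.0/24) can be checked with a small model. This is an added example, not code from the thread or from OPNsense: it implements 1:1 BINAT translation (keep the host bits, swap the network prefix) and a longest-match-free SPD lookup, then simulates the how-to's order of operations, translation first and policy lookup second. The SPD entries and the BINAT rule are taken from the posts; the 10.0.0.0/24 <-> 192.168.77.0/24 SPD and the WAN address 203.0.113.1 are constructed assumptions for Franco's ping example.

```python
import ipaddress
from typing import Optional, Tuple

# SPD selectors as (source network, destination network), taken from the two
# entries olest listed for the 192.168.11.0/24 tunnel.
SPD_BINAT_TUNNEL = [
    ("10.222.15.0/24", "192.168.11.0/24"),  # outbound selector
    ("192.168.11.0/24", "10.222.15.0/24"),  # inbound selector
]

# 1:1 BINAT rule from the original post: (internal net, external net, remote net).
BINAT_RULES = [("192.168.17.0/24", "10.222.15.0/24", "192.168.11.0/24")]

# Constructed SPD for Franco's ping example (assumption: local 10.0.0.0/24,
# remote 192.168.77.0/24) and an assumed WAN address used as the default
# source when ping is run on the firewall without -S.
SPD_PLAIN_TUNNEL = [
    ("10.0.0.0/24", "192.168.77.0/24"),
    ("192.168.77.0/24", "10.0.0.0/24"),
]
WAN_IP = "203.0.113.1"


def spd_match(src: str, dst: str, spd) -> Optional[Tuple[str, str]]:
    """Return the first SPD selector whose networks contain src and dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in spd:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return (src_net, dst_net)
    return None


def _shift_host(addr, from_net, to_net) -> str:
    """Keep the host bits of addr and replace the network part (1:1 BINAT semantics)."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 BINAT requires equal prefix lengths")
    host_bits = int(addr) - int(from_net.network_address)
    return str(ipaddress.ip_address(int(to_net.network_address) + host_bits))


def binat_outbound(src: str, dst: str, rules) -> str:
    """Translate the source internal->external for traffic bound to the remote net."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for internal, external, remote in rules:
        inet, enet, rnet = (ipaddress.ip_network(n) for n in (internal, external, remote))
        if s in inet and d in rnet:
            return _shift_host(s, inet, enet)
    return src


def binat_inbound(src: str, dst: str, rules) -> str:
    """Reverse translation for replies: destination external->internal."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for internal, external, remote in rules:
        inet, enet, rnet = (ipaddress.ip_network(n) for n in (internal, external, remote))
        if s in rnet and d in enet:
            return _shift_host(d, enet, inet)
    return dst


def enters_tunnel(src: str, dst: str, spd, rules=()) -> dict:
    """Model 'NAT before IPsec': apply BINAT on the IPsec interface, then look up the SPD."""
    translated = binat_outbound(src, dst, rules) if rules else src
    return {"translated_src": translated, "spd": spd_match(translated, dst, spd)}


if __name__ == "__main__":
    # The LAN host's ping as seen on igb1 does not match any selector untranslated...
    print(spd_match("192.168.17.101", "192.168.11.244", SPD_BINAT_TUNNEL))
    # ...but once BINAT has rewritten it to 10.222.15.101 it matches the outbound SPD.
    print(enters_tunnel("192.168.17.101", "192.168.11.244", SPD_BINAT_TUNNEL, BINAT_RULES))
    # Franco's example: ping from the WAN address misses, ping -S 10.0.0.1 hits.
    print(spd_match(WAN_IP, "192.168.77.1", SPD_PLAIN_TUNNEL))
    print(spd_match("10.0.0.1", "192.168.77.1", SPD_PLAIN_TUNNEL))
```

The model shows why an empty `tcpdump -i enc0` is consistent with the SPD listing: a packet sourced from 192.168.17.101 only appears on enc0 if it has been rewritten to 10.222.15.101 before the policy lookup. If the packet is still seen with its LAN source on igb1 and never on enc0, either the BINAT rule is not being applied or the kernel consults the SPD before the translation happens; the thread's later finding (it works once the Phase 1 identifiers are plain IP addresses) points at the rule generation rather than at this model.
-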
Can you try the LAN IP of the firewall as the source in the BINAT? Do you use an FQDN for the peer address?
-
Remote gateway is an IP address.
Identifiers are "Distinguished name"
-
Can you check last comment if you are also affected?
https://github.com/opnsense/core/issues/1773
-
Not the same setup (I don't have any of the routers behind NAT), but the same problem.
If I change the Phase 1 Identifiers to use an IP address instead of Distinguished name, the NAT before IPsec works.
Why does it not work if I use something other than an IP address as my identifier/peer identifier?