OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: GaardenZwerch on August 14, 2019, 11:05:05 am

Title: NAT before IPSec
Post by: GaardenZwerch on August 14, 2019, 11:05:05 am
Hi,

I have a local network (192.168.0.0/24) that needs to be NATed (to 10.203.207.0/24) before it goes into the IPsec tunnel.
When the tunnel is up, this works perfectly fine (i.e. I have a NAT defined on the IPsec device and have added a manual SPD entry for 192.168.0.0/24).
However, hosts from the local network (192.168.0.0/24) can't get the tunnel up.
    ping -S 192.168.0.1 other.side

does nothing, whereas

    ping -S 10.203.207.1 other.side

pulls the tunnel up (I have added a virtual IP for 10.203.207.1 on the same interface as 192.168.0.1).

Could this bit from the 19.7.x changelog solve my problem?

    ipsec: use interface IP address in local ID when doing NAT before IPsec

Thanks a lot
Title: Re: NAT before IPSec
Post by: mimugmail on August 26, 2019, 11:10:41 am
The release note is not related to your problem. Have you also tried pinging from a real system in your LAN or only from the firewall via "-S"?
Title: Re: NAT before IPSec
Post by: GaardenZwerch on August 26, 2019, 11:26:52 am
Hello MiMu,

yes, there is a nagios server (192.168.0.2) in that network that checks availability of servers 'on the other side'. It gets replies, but only if the Tunnel is up.

Can I post any additional info that might be useful?
Thanks
Title: Re: NAT before IPSec
Post by: mimugmail on August 26, 2019, 02:17:12 pm
Hm, my tunnels are always up. Maybe it's worth checking why the tunnel itself goes down.
Title: Re: NAT before IPSec
Post by: GaardenZwerch on August 26, 2019, 04:15:19 pm
Hmm,

I have no control over the remote side of the connection, so this is not easy. Leaving it on 'connect on traffic' is a requirement from the remote side.

My BINAT rule generates the following:

    binat on enc0 inet from 192.168.0.0/24 to <BO_NETS> -> 10.203.207.0/24

but when the tunnel is down, traffic from 192.168.0.0/24 will not get routed to enc0. I suspect that this is the root of the problem.

Title: Re: NAT before IPSec
Post by: mimugmail on August 26, 2019, 04:19:35 pm
Yes, because there is no known route. Why not set the mode to "Start immediate"? I don't think the remote site will complain about it; it won't even be aware of it.
Title: Re: NAT before IPSec
Post by: GaardenZwerch on August 26, 2019, 04:47:49 pm
Somehow, the tunnel closes every now and then (after inactivity?). Even if I leave it at 'Start immediate' (I tried this before), it will eventually go down, and my side won't be able to get it up again. Figuring out why the tunnel goes away is hard, as I don't control the other side. On my side, is it possible to get a log over a longer period of time?

Title: Re: NAT before IPSec
Post by: mimugmail on August 26, 2019, 05:19:14 pm
You can increase system logging and catch it via CLI:

clog /var/log/ipsec.log
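Following up on the last reply about collecting the IPsec log over a longer period: the script below is an added example for this thread, not code from the forum or from OPNsense. It reads the charon lines that `clog /var/log/ipsec.log` prints and reports when a connection was completely down and whether the peer sent the DELETE, which is the question the original poster has about a remote side they do not control. It assumes the usual strongSwan message texts ("IKE_SA con1[3] established between ...", "... rekeyed between ...", "deleting IKE_SA con1[3] ...", "received DELETE for IKE_SA con1[3]") and the syslog line layout of OPNsense's ipsec.log; the connection name con1, the peer addresses and the whole sample excerpt are constructed for illustration, not captured from a real firewall.

```python
"""Find periods during which an IPsec connection was fully down, from charon log lines.

Added example, not OPNsense/strongSwan code. Message texts and the log line layout
are assumptions about charon's usual output; SAMPLE_LOG is constructed, not captured.
"""
import re
import sys
from datetime import datetime

# Assumed syslog layout: "Mon DD HH:MM:SS host charon: NN[IKE] <conn|N> message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+charon: (?P<msg>.*)$"
)
# strongSwan message texts we key on (assumed). A rekey brings up a new IKE_SA id
# before the old one is deleted, so it is treated like "established".
IKE_UP_RE = re.compile(r"IKE_SA (?P<conn>[\w.-]+)\[(?P<id>\d+)\] (?:established|rekeyed) between")
IKE_DOWN_RE = re.compile(r"deleting IKE_SA (?P<conn>[\w.-]+)\[(?P<id>\d+)\]")
PEER_DELETE_RE = re.compile(r"received DELETE for IKE_SA (?P<conn>[\w.-]+)\[(?P<id>\d+)\]")

# Constructed sample excerpt (not a real capture): tunnel comes up, is rekeyed,
# the peer tears it down in the evening, nothing happens overnight, new SA next morning.
SAMPLE_LOG = """\
Aug 26 16:15:19 fw charon: 06[IKE] <con1|3> IKE_SA con1[3] established between 203.0.113.1[203.0.113.1]...198.51.100.7[198.51.100.7]
Aug 26 16:15:19 fw charon: 06[IKE] <con1|3> CHILD_SA con1{1} established with SPIs c1a2b3c4_i d5e6f7a8_o and TS 10.203.207.0/24 === 172.16.40.0/24
Aug 26 16:55:00 fw charon: 07[IKE] <con1|3> IKE_SA con1[4] rekeyed between 203.0.113.1[203.0.113.1]...198.51.100.7[198.51.100.7]
Aug 26 16:55:00 fw charon: 07[IKE] <con1|3> deleting IKE_SA con1[3] between 203.0.113.1[203.0.113.1]...198.51.100.7[198.51.100.7]
Aug 26 17:42:03 fw charon: 09[IKE] <con1|4> received DELETE for IKE_SA con1[4]
Aug 26 17:42:03 fw charon: 09[IKE] <con1|4> deleting IKE_SA con1[4] between 203.0.113.1[203.0.113.1]...198.51.100.7[198.51.100.7]
Aug 26 17:42:03 fw charon: 09[IKE] <con1|4> IKE_SA deleted
Aug 27 08:01:55 fw charon: 11[IKE] <con1|5> IKE_SA con1[5] established between 203.0.113.1[203.0.113.1]...198.51.100.7[198.51.100.7]
"""


def parse_events(log_text, year):
    """Return [(time, conn, sa_id, kind)] in log order; kind is up, down or peer_delete."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        msg = m.group("msg")
        for kind, rx in (("up", IKE_UP_RE), ("down", IKE_DOWN_RE), ("peer_delete", PEER_DELETE_RE)):
            hit = rx.search(msg)
            if hit:
                events.append((ts, hit.group("conn"), int(hit.group("id")), kind))
                break
    return events


def tunnel_outages(log_text, year):
    """Return (outages, peer_deletes).

    An outage starts when the last live IKE_SA of a connection is deleted and ends
    when any IKE_SA of that connection comes up again; an outage still open at the
    end of the log has None as its end. Live SAs are tracked as a set per connection,
    so a rekey (new SA up before the old one is deleted) is not reported as an outage.
    peer_deletes lists the deletions the remote side initiated.
    """
    live = {}         # conn -> set of established IKE_SA ids
    down_since = {}   # conn -> time the connection lost its last IKE_SA
    outages, peer_deletes = [], []
    for ts, conn, sa_id, kind in parse_events(log_text, year):
        sas = live.setdefault(conn, set())
        if kind == "up":
            if conn in down_since:
                outages.append((conn, down_since.pop(conn), ts))
            sas.add(sa_id)
        elif kind == "down":
            sas.discard(sa_id)
            if not sas and conn not in down_since:
                down_since[conn] = ts
        else:
            peer_deletes.append((conn, ts))
    outages.extend((conn, since, None) for conn, since in down_since.items())
    return outages, peer_deletes


def main():
    # usage: clog /var/log/ipsec.log | python3 ipsec_outages.py 2019
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    year = int(sys.argv[1]) if len(sys.argv) > 1 else 2019
    outages, peer_deletes = tunnel_outages(text, year)
    for conn, start, end in outages:
        end_s = f"up again {end:%Y-%m-%d %H:%M:%S}, down for {end - start}" if end else "still down"
        print(f"{conn}: down since {start:%Y-%m-%d %H:%M:%S}; {end_s}")
    for conn, ts in peer_deletes:
        print(f"{conn}: peer sent DELETE at {ts:%Y-%m-%d %H:%M:%S}")


if __name__ == "__main__":
    main()
```

On the constructed excerpt the script reports one outage for con1 from 17:42:03 to 08:01:55 the next day, preceded by a DELETE received from the peer; the rekey at 16:55:00 produces no outage because the new IKE_SA was already live when the old one was deleted. Run it against a real log with the year as argument, since syslog timestamps do not carry one.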