OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: jesperfr on August 15, 2019, 07:44:32 am

Title: NAT before IPSEC tunnel, not working?
Post by: jesperfr on August 15, 2019, 07:44:32 am
Is this still a problem?

I need to NAT an address before sending it through an IPSEC tunnel, but I can't get it to work. According to a packet capture it seems that NAT is done, but the packet is not being tunneled afterwards.

Rgds,
Jesper
Title: Re: NAT before IPSEC tunnel, not working?
Post by: mimugmail on August 15, 2019, 11:12:18 am
Most of it should be fixed in 19.7.2
Title: Re: NAT before IPSEC tunnel, not working?
Post by: jesperfr on August 16, 2019, 10:16:32 am
A little more explanation:
It's an existing tunnel. My end: 10.222.0.0/16; remote end: 10.1.204.0/24.
I have a server at my end with address 10.220.2.72, which I translate to 10.222.8.4. If I ping from the local server and do a packet capture on the WAN interface, I can see the translated address towards the server I'm trying to reach (10.1.204.108).

Firewall interfaces:
VLAN 10 (10.220.0.9/22)
VLAN 32 (10.222.8.4/22)
WAN

My local server is coming in via VLAN 10 and is being translated to the interface address on VLAN 32.
Title: Re: NAT before IPSEC tunnel, not working?
Post by: jesperfr on August 16, 2019, 10:19:31 am
Please find attached a packet capture. The ping is done from a server at 10.220.2.13 and is being translated to 10.222.8.4, but the packet towards 10.1.204.108 is not being tunneled.

I have tried two configs. Both are outbound NAT:

WAN as outgoing interface (packet capture WAN)
IPSEC as outgoing interface (packet capture IPSEC)

PACKET CAPTURE WAN:
VLAN10
em0   09:29:01.766196 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32194, offset 0, flags [none], proto ICMP (1), length 60)
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43537, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43538, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43539, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43540, length 40
VLAN10
em0   09:29:06.475942 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32195, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0   09:29:11.465461 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32196, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0   09:29:16.475901 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32197, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:29:01.766572 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32194, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43537, length 40
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43538, length 40
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43539, length 40
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43540, length 40
WAN
em1   09:29:06.476327 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32195, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:29:11.465774 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32196, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:29:16.476087 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32197, offset 0, flags [none], proto ICMP (1), length 60)


PACKET CAPTURE IPSEC:
VLAN10
em0   09:36:51.695292 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32198, offset 0, flags [none], proto ICMP (1), length 60)
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43547, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43548, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43549, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43550, length 40
VLAN10
em0   09:36:56.466359 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32199, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0   09:37:01.483428 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32200, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0   09:37:06.466768 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32201, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:36:51.695470 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32198, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43547, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43548, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43549, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43550, length 40
WAN
em1   09:36:56.466440 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32199, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:37:01.483573 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32200, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:37:06.466915 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32201, offset 0, flags [none], proto ICMP (1), length 60)

In the image below, "test" is 10.220.2.13, "Salling group" is 10.1.204.108 and "VLAN32_NAT_INTERFACE" is 10.222.8.4.
Title: Re: NAT before IPSEC tunnel, not working?
Post by: mimugmail on August 16, 2019, 03:17:37 pm
Screenshots of the Phase 2 SA, please.
Title: Re: NAT before IPSEC tunnel, not working?
Post by: jesperfr on August 19, 2019, 07:57:28 am
A ping from the firewall's VLAN32 interface (10.222.8.4) works, but when I use the same interface address or any other address in 10.222.0.0/16 for translation, I can't ping.
Title: Re: NAT before IPSEC tunnel, not working?
Post by: mimugmail on August 19, 2019, 09:08:56 am
Errr... did you follow the BINAT guide from the official docs? I can't see any screenshot of BINAT rules. It won't work like this.
Title: Re: NAT before IPSEC tunnel, not working?
Post by: jesperfr on August 19, 2019, 09:21:25 am
I have tried both 1:1 NAT and outbound NAT, but neither work.

Packet capture with BINAT rule:
VLAN10
em0   09:49:14.273478 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32211, offset 0, flags [none], proto ICMP (1), length 60)
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46613, length 40
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46614, length 40
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46615, length 40
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46616, length 40
VLAN10
em0   09:49:19.207255 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32212, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0   09:49:24.206931 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32213, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0   09:49:29.206841 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32214, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:49:14.273756 00:50:56:a8:47:5c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.1.204.108 tell 91.221.51.240, length 28
WAN
em1   09:49:14.274354 00:26:0a:27:d6:00 > 00:50:56:a8:47:5c, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 10.1.204.108 is-at 00:26:0a:27:d6:00, length 46
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46613, length 40
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46614, length 40
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46615, length 40
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46616, length 40
WAN
em1   09:49:14.274394 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32211, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:49:19.207418 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32212, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:49:24.207103 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32213, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:49:29.206921 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32214, offset 0, flags [none], proto ICMP (1), length 60)
Title: Re: NAT before IPSEC tunnel, not working?
Post by: mimugmail on August 19, 2019, 12:39:10 pm
And you added the internal source IP to SPD in IPsec Phase2?
Title: Re: NAT before IPSEC tunnel, not working?
Post by: jesperfr on August 19, 2019, 12:55:20 pm
No, nothing has been added to the SPD in Phase 2. As I previously mentioned, I don't have access to the remote end, and the remote end is not an OPNsense firewall.

What IP do I need to add? And should this be done at both ends of the tunnel?
Title: Re: NAT before IPSEC tunnel, not working?
Post by: mimugmail on August 19, 2019, 01:17:14 pm
Again, did you read the BINAT guide? You have to add the SPD in Phase 2 as described in the howto. It's the source IP/net you used in the 1:1 NAT.
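The following is an added example, not code from the thread or from OPNsense, that models the point made in this reply against the captures posted earlier. It parses the tcpdump-style output in the thread's format, flags pings that left WAN as plain ICMP instead of inside the tunnel, and models the SPD lookup: the Phase 2 SA only has selectors for 10.222.0.0/16 <-> 10.1.204.0/24, so the pre-NAT source 10.220.2.13 matches nothing until a manual SPD entry for it exists. The addresses are taken from the thread; the capture text is constructed to match its format; the rule that the SPD is consulted with the original source before the 1:1 NAT on the IPsec interface rewrites it is the assumption the model encodes (it is what the BINAT howto's "add the internal source to the SPD" step implies, not something quoted from the OPNsense source).

```python
"""Added example (not from the forum thread): model the SPD lookup that
decides whether a NATed packet is tunneled, and scan a tcpdump-style
capture for pings that left the WAN interface in the clear.

Assumed from the thread: Phase 2 local network 10.222.0.0/16, remote
network 10.1.204.0/24, internal host 10.220.2.13 rewritten to 10.222.8.4.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# One tcpdump summary line, e.g.
#   10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43537, length 40
ICMP_LINE = re.compile(
    r"^\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3}) > (?P<dst>\d{1,3}(?:\.\d{1,3}){3}): "
    r"ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+)"
)
# Interface banner lines as posted in the thread ("VLAN10", "WAN").
IFACE_LINE = re.compile(r"^(?P<iface>[A-Z][A-Z0-9]*)\s*$")


@dataclass
class Phase2:
    """Traffic selectors of one IPsec Phase 2 SA."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    # Extra local selectors ("Manual SPD entries" in the OPNsense GUI),
    # assumed to be matched exactly like the Phase 2 local network.
    manual_spd: list = field(default_factory=list)

    def selects(self, src: str, dst: str) -> bool:
        """SPD lookup: does this SA claim the flow src -> dst?"""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return d in self.remote and any(s in n for n in [self.local, *self.manual_spd])


def parse_capture(text: str) -> list:
    """Return [(iface, src, dst, icmp_id, seq)] from a posted capture."""
    packets, iface = [], None
    for line in text.splitlines():
        m = IFACE_LINE.match(line)
        if m:
            iface = m.group("iface")
            continue
        m = ICMP_LINE.match(line)
        if m and iface:
            packets.append((iface, m["src"], m["dst"], int(m["id"]), int(m["seq"])))
    return packets


def cleartext_leaks(packets: list, p2: Phase2, wan: str = "WAN") -> list:
    """Pings seen unencrypted on WAN whose destination belongs to the tunnel.

    A tunneled ping shows up on WAN as ESP, not as ICMP, so any ICMP line
    on WAN toward the remote network means the SPD did not match it.
    """
    return [p for p in packets
            if p[0] == wan and ipaddress.ip_address(p[2]) in p2.remote]


def would_tunnel(p2: Phase2, internal_src: str, dst: str) -> bool:
    """Decision modelled for the *pre-NAT* packet (assumption: the SPD is
    consulted with the original source; the 1:1 NAT on the IPsec interface
    only applies once the packet is on the IPsec path). The internal address
    must therefore be a selector itself, which the manual SPD entry supplies.
    """
    return p2.selects(internal_src, dst)


# Constructed capture in the thread's format: VLAN10 shows the untranslated
# pings, WAN shows them translated by outbound NAT but still as plain ICMP.
SAMPLE_CAPTURE = """\
VLAN10
em0   09:29:01.766196 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43537, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43538, length 40
WAN
em1   09:29:01.766572 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43537, length 40
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43538, length 40
"""

SA = Phase2(ipaddress.ip_network("10.222.0.0/16"), ipaddress.ip_network("10.1.204.0/24"))
# Same SA with the internal host added as a manual SPD entry (the fix).
SA_FIXED = Phase2(SA.local, SA.remote, manual_spd=[ipaddress.ip_network("10.220.2.13/32")])

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for iface, src, dst, icmp_id, seq in cleartext_leaks(pkts, SA):
        print(f"{iface}: {src} -> {dst} id={icmp_id} seq={seq} left in the clear")
    print("pre-NAT source selected by SA:", would_tunnel(SA, "10.220.2.13", "10.1.204.108"))
    print("with manual SPD entry:        ", would_tunnel(SA_FIXED, "10.220.2.13", "10.1.204.108"))
```

Run against a real capture, the leak check is the quick test for this class of problem: private destination addresses appearing as ICMP or TCP on the WAN interface, rather than as ESP, mean the packet was routed instead of selected for IPsec, regardless of whether NAT has already rewritten the source. The remote peer never needs to know the internal network, which is why only the local Phase 2 needs the extra selector.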
Title: Re: NAT before IPSEC tunnel, not working?
Post by: jesperfr on August 19, 2019, 02:51:45 pm
Yes, I did read the BINAT howto, but I thought I had to add the network/host at both ends of the tunnel, and that was not an option.

I got it to work now. Thanks very much for all your help, it's highly appreciated :o)
Title: Re: NAT before IPSEC tunnel, not working?
Post by: mimugmail on August 19, 2019, 05:48:27 pm
Glad you did it 8)