OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: CDuv on February 23, 2020, 07:47:06 pm

Title: [SOLVED] 1:1 NAT with an IPsec tunnel (in a multi-WAN setup)
Post by: CDuv on February 23, 2020, 07:47:06 pm
Hello,

I fail to configure 1:1 NAT for trafic going via an IPsec tunnel (tunnel between my LAN and the network of a third party)

Here is the context :

My LAN network IP address is : 10.33.0.0/16
Third party IP address of the server I need to access via IPsec tunnel : 172.31.254.254/32
Network arriving in the tunnel (for 1:1 NAT) : 10.88.0.0/16

I am using OPNsense version 20.1.1.

Here is the IPsec configuration (algorithms part taken out) :


And here is the the 1:1 NAT configuration :


I do have an "IPsec" entry in the "Firewall: Rules" part of the GUI but nowhere else (not in "Interfaces" nor when trying to add a gateway or a route).

IPsec tunnel seems UP (according to the OPNsense dashboard) but I can't ping 172.31.254.254 or something in 10.88.0.0 from LAN.
And I don't see how it could work because netstat -rn shows no entry for 172.31.254.254 nor 10.88.0.0.

Do I need to add my LAN address (10.33.0.0/16) to Phase 2's "Manual SPD entries" ?
Where/How could I see thoses "SPD entries" ?

Thank you.
Title: Re: 1:1 NAT with an IPsec tunnel
Post by: CDuv on February 23, 2020, 08:04:56 pm
Forgot to say I followed "Setup IPsec site to site tunnel" guide (https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html), added an "allow any to any" firewall rule on IPsec interface and allowed ESP, ISAKMP, IPsec NAT-T protocols on WAN interface.
Title: Re: 1:1 NAT with an IPsec tunnel
Post by: mimugmail on February 24, 2020, 06:01:32 am
Can you search the Docs for Binat IPsec. Its documented there :)
Title: Re: 1:1 NAT with an IPsec tunnel
Post by: CDuv on February 24, 2020, 11:44:17 am
Thank for the pointer: In the mean time I tried to add my LAN as manual SPD entry but I saw no change of behavior.

Does BINAT setup requires to add specific firewall rule related to the natted network 10.88.0.0/16? The BINAT guide (https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html) does not say anything about it but the IPsec site-to-site tunnel guide (https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html) asks to create a "action=pass from=*:* to=LAN_net:*" rule on IPsec interface (which I did).
So I wonder if I need to create another rule (eg. to allow traffic from LAN to 10.88.0.0/16).
Title: Re: 1:1 NAT with an IPsec tunnel
Post by: CDuv on February 24, 2020, 01:32:39 pm
Using a tcpdump -n -i enc0 I can see my ping -s 10.33.0.1 172.31.254.254 (executed from OPNsense, whose LAN's address is "10.33.0.1") but I get no ping response and tcpdump ouput show no translation:

13:12:13.844882 (authentic,confidential): SPI 0xd0fb1d32: IP 10.33.0.1 > 172.31.254.254: ICMP echo request, id 31860, seq 0, length 64

(One of) The other thread I've found (« Updated IPSec with BiNAT walk-through needed? (https://forum.opnsense.org/index.php?topic=7282.0) ») seems to leave Manual SPD field blank and use a "type=BINAT dest=any" NAT 1:1 rule which did not matched documentation, but it was 2 years ago.

Is there a way to show/debug SPD entries?
Title: Re: 1:1 NAT with an IPsec tunnel
Post by: CDuv on February 24, 2020, 03:27:11 pm
Also, if my LAN clients ping or traceroute the IP 172.31.254.254 it goes out to WAN not via IPsec tunnel (tcpdump -n -i enc0).
I don't understand why a ping to the same IP would follow different path if executed from OPNsense with LAN interface as source or executed from a computer on LAN (having the OPNsense as default gateway).

I naively tried to add a "Firewall: NAT: Outbound" rule on IPsec interface to replace traffic from 10.33.0.0/16 (LAN) to 172.31.254.254 (third party server) by 10.88.0.0/16 (natted network) with no luck.
Title: Re: 1:1 NAT with an IPsec tunnel
Post by: CDuv on February 24, 2020, 05:23:45 pm
Just a thought: could my multi-wan setup (primary with failover) be responsible for the LAN clients' traffic not going through the tunnel?
Title: Re: 1:1 NAT with an IPsec tunnel (in a multi-WAN setup)
Post by: CDuv on February 25, 2020, 01:03:43 pm
Adding a firewall rule on LAN interface configured as follow did the trick: from=LAN_net to=172.31.254.254/32 gateway=default
(and placed before my firewall rule that sets gateway to the "primary/failover" gateway group for all traffic)

A tcpdump -n -i enc0 still don't show translation for outgoing traffic (id. 10.33.0.1) but answer arrives for translated address (id. 10.88.0.1):

12:39:44.593119 (authentic,confidential): SPI 0xbde8b870: IP 10.33.0.1 > 172.31.254.254: ICMP echo request, id 60353, seq 18, length 64
12:39:44.593503 (authentic,confidential): SPI 0xbde8b870: IP 172.31.254.254 > 10.88.0.1: ICMP echo reply, id 60353, seq 18, length 64

In the web GUI, at "Firewall: Log Files: Live View", I do have translation for outgoing traffic (id. 10.88.0.1):

Code: [Select]
IPsec Feb 25 12:39:44 10.88.0.1 172.31.254.254 icmp IPsec internal host to host
lan Feb 25 12:39:44 10.88.0.1 172.31.254.254 icmp Allow access to third-party server behind IPsec tunnel

So, to summarize, I needed (on my side):

Guides :