OPNsense Forum

English Forums => General Discussion => Topic started by: nellson on September 01, 2021, 12:01:45 am

Title: IPSec in Routed mode with BiNAT, traffic but no replies?
Post by: nellson on September 01, 2021, 12:01:45 am
I have built a Router VTI IPSec tunnel to a Cisco Router at work. I am using BiNAT to make my 10.0.0.0/25 network look like 10.0.10.0/25 over the tunnel. I am using 10.0.10.252/30; .254 is my OPNSense end, .253 is my Cisco VTI Tunnel10. The tunnel on the Cisco can ping the tunnel IP on the OPNSense. The loopback on the Cisco, 10.45.253.1, can ping the 10.0.10.254 of the OPNSense. BUT my Linux box at 10.0.0.24, natting to 10.0.10.24, tries to ping the loopback of the router at 10.45.253.1 (and a ping from the router's loopback to 10.0.10.24 at the same time); neither gets a reply. YET, both unidirectional traffic flows show in the Packet Capture on my tunnel interface on the OPNSense. I am lost as to how this happens. (See picture attached.)

My tunnel interface has two ANY - ANY IPv4 rules for in and out. And I see Encaps and Decaps, oh plenty, on my Cisco and my OPNSense IPSec stats...

Title: Re: IPSec in Routed mode with BiNAT, traffic but no replies?
Post by: nellson on September 01, 2021, 05:25:18 am
Hrmm... It appears that the tunnel was receiving traffic from work to my 10.0.10.0/25 network in my BiNAT and sending it BACK down the tunnel via the 10.0.0.0/8 route. I would have expected the more specific to win out, or how would this BiNAT for space used on both sides even work? I limited my SDR to a smaller 10.45.0.0/16 used in my datacenter and things started to work to that range. So I think something did not get automatically installed for the BiNAT so it could catch this traffic?
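The follow-up above rests on a route-lookup question: why does a 10.0.0.0/8 route over the tunnel swallow traffic for 10.0.10.0/25 when "the more specific should win"? The script below is an added illustration written for this thread, not OPNsense or pf code, and it does not reproduce pf's real rule-evaluation order. It models a longest-prefix-match lookup plus the 1:1 BiNAT between 10.0.0.0/25 and 10.0.10.0/25 using the prefixes from the posts; the interface names "lan", "vti" and "wan" and the presence of a default route are assumptions. The point it makes visible: 10.0.10.0/25 is a NAT alias, not a connected network, so unless the destination is translated before the lookup there is no more-specific route for it, and 10.0.0.0/8 via the tunnel is the best match.

```python
"""
Added illustrative model (not OPNsense or pf code) of longest-prefix-match
routing combined with a 1:1 BiNAT. Prefixes and addresses are the ones from
the thread; interface names and the default route are assumptions.
"""
from ipaddress import IPv4Address, IPv4Network

EXTERNAL = IPv4Network("10.0.10.0/25")   # how the LAN appears across the tunnel
INTERNAL = IPv4Network("10.0.0.0/25")    # the real LAN


def lookup(routes, dst):
    """Longest-prefix match: among routes whose prefix contains dst, return the
    interface of the one with the longest prefix length (None if no match)."""
    dst = IPv4Address(dst)
    matches = [(net, iface) for net, iface in routes if dst in net]
    if not matches:
        return None
    _net, iface = max(matches, key=lambda r: r[0].prefixlen)
    return iface


def binat_inbound(dst, external=EXTERNAL, internal=INTERNAL):
    """1:1 translation of a destination arriving from the tunnel: the host
    offset inside the external /25 is carried over into the internal /25.
    Destinations outside the external range are returned untouched."""
    dst = IPv4Address(dst)
    if dst not in external:
        return dst
    offset = int(dst) - int(external.network_address)
    return IPv4Address(int(internal.network_address) + offset)


def forward(routes, dst, translate):
    """Egress interface for a packet that arrived on the VTI, with the BiNAT
    applied before the route lookup (translate=True) or not at all."""
    d = binat_inbound(dst) if translate else IPv4Address(dst)
    return lookup(routes, d)


# Table as described in the reply: a wide 10.0.0.0/8 pointing back down the
# tunnel, the connected LAN, the tunnel /30, and an assumed default route.
WIDE = [
    (IPv4Network("0.0.0.0/0"), "wan"),
    (IPv4Network("10.0.0.0/8"), "vti"),
    (IPv4Network("10.0.0.0/25"), "lan"),
    (IPv4Network("10.0.10.252/30"), "vti"),
]

# Same table after narrowing the remote side to 10.45.0.0/16.
NARROW = [r for r in WIDE if r[0] != IPv4Network("10.0.0.0/8")] + [
    (IPv4Network("10.45.0.0/16"), "vti"),
]

if __name__ == "__main__":
    # Reply from the Cisco loopback to the BiNAT address of the Linux box.
    dst = "10.0.10.24"
    print("wide /8, untranslated :", forward(WIDE, dst, translate=False))    # vti: looped back down the tunnel
    print("wide /8, BiNAT applied:", forward(WIDE, dst, translate=True))     # lan: 10.0.10.24 -> 10.0.0.24
    print("narrow /16, untranslated:", forward(NARROW, dst, translate=False))  # wan: no tunnel route matches any more
    print("narrow /16, BiNAT applied:", forward(NARROW, dst, translate=True))  # lan
    print("outbound to loopback  :", lookup(NARROW, "10.45.253.1"))         # vti in both tables
```

With the wide route the untranslated reply matches only 0.0.0.0/0 and 10.0.0.0/8, so the /8 wins and the packet goes back out the VTI, which is the loop described in the reply. Translating first turns the destination into 10.0.0.24, which the connected 10.0.0.0/25 route wins. Narrowing the remote prefix removes the loop, but in this model an untranslated 10.0.10.24 then falls to the default route rather than being delivered, so the translation step still has to happen on the tunnel side for the BiNAT range to be reachable.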