OPNsense Forum

English Forums => General Discussion => Topic started by: redmac58 on May 25, 2016, 04:58:12 pm

Title: Source NAT over ipsec VPN
Post by: redmac58 on May 25, 2016, 04:58:12 pm
I'm coming from a Cisco ASA (I'm a router jockey) and just built a new firewall to replace my aging ASA 5510. I have a number of B2B VPN connections to different clients. I have one client whose inside network routing domain overlaps with my local routing domain. (He is on an ASA as well.) I simply NAT my traffic to him to a network that doesn't overlap his.

Example - I am 10.10.100.0/24. He has local routes that go to other networks that contain 10.10.100.0/24, so I can't use that when I connect.

I do not need to reach his 10.10.100.0/24 network. Just his inside local network. With the ASA I simply NAT to 172.25.x.x (in my case, I only NAT 10.10.100.0/28 to 172.25.100.0/28). It's dead easy on an ASA, but I can't get this working on OPNsense.

I've tried the one-to-one NAT rule with the rule applied to IPsec.

I've tried the BINAT in the IPsec config. Nope..

I can get a tunnel up, but no traffic goes over the tunnel. (My local network is set to 172.20.100.0/28 in the phase 2 config.)

This should be easy. What am I missing here?

Thanks in advance.
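As an added illustration of the translation the post describes (not code from the original thread or from OPNsense itself), the script below checks which of the peer's routes overlap the local LAN and applies a one-to-one, host-bits-preserving mapping of 10.10.100.0/28 onto 172.25.100.0/28, which is the semantics a BINAT-style rule implements before the packet enters the tunnel. The peer route list is constructed sample data (the post only says the peer has routes that contain 10.10.100.0/24), and the phase 2 selector helper is a hypothetical name used to show which network has to be advertised to the peer.

```python
import ipaddress

# Local LAN and the peer's routes that overlap it (peer routes are
# constructed sample values; the post only says they contain 10.10.100.0/24).
LOCAL_LAN = ipaddress.ip_network("10.10.100.0/24")
PEER_ROUTES = [
    ipaddress.ip_network("10.10.0.0/16"),      # contains our whole /24
    ipaddress.ip_network("192.168.50.0/24"),   # the peer's inside LAN we need to reach
    ipaddress.ip_network("172.16.0.0/12"),
]

# One-to-one mapping from the post: only the first /28 of the LAN is translated.
NAT_INSIDE = ipaddress.ip_network("10.10.100.0/28")
NAT_OUTSIDE = ipaddress.ip_network("172.25.100.0/28")


def overlapping_routes(local, peer_routes):
    """Return the peer routes that overlap the local network (the reason NAT is needed)."""
    return [route for route in peer_routes if route.overlaps(local)]


def binat_translate(addr, src_net, dst_net):
    """Map addr from src_net onto dst_net, keeping the host bits (one-to-one NAT).

    The same function run with the networks swapped performs the reverse
    translation for return traffic, which is what makes the mapping bidirectional.
    """
    addr = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("one-to-one NAT requires equal-sized networks")
    if addr not in src_net:
        raise ValueError(f"{addr} is outside the translated range {src_net}")
    host_offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_offset)


def phase2_local_selector(nat_outside):
    """Hypothetical helper: the local network advertised in phase 2 must be the
    translated (post-NAT) network, since the peer never sees the real LAN."""
    return str(nat_outside)


if __name__ == "__main__":
    for route in overlapping_routes(LOCAL_LAN, PEER_ROUTES):
        print(f"peer route {route} overlaps local LAN {LOCAL_LAN}")
    host = "10.10.100.5"
    translated = binat_translate(host, NAT_INSIDE, NAT_OUTSIDE)
    print(f"{host} leaves the tunnel as {translated}")
    print(f"reply to {translated} maps back to "
          f"{binat_translate(translated, NAT_OUTSIDE, NAT_INSIDE)}")
    print(f"phase 2 local network to configure: {phase2_local_selector(NAT_OUTSIDE)}")
```

Run it as-is to see the overlap detection and the forward and reverse mapping; the key point is that the phase 2 local selector must name the translated network, not the real LAN, because the translation has to happen before the traffic is matched against the IPsec policy.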
Title: Re: Source NAT over ipsec VPN
Post by: franco on May 25, 2016, 05:29:40 pm
Is this what you're looking for? https://github.com/opnsense/core/issues/440
Title: Re: Source NAT over ipsec VPN
Post by: redmac58 on May 25, 2016, 06:41:53 pm
After reading through the link in github, that sounds exactly like the issue. Any semi-enterprise class firewall should be able to do this (it's a pretty standard feature). But after reading the link through it sounds like it does NOT and it won't be fixed anytime soon. Correct?

I know this is OPNsense, but I thought it was built on the same FreeBSD that pfSense is, and I understood it worked in pfSense, which doesn't quite make sense based on the post (I can't say I'm a Linux expert and don't claim to be, but the GitHub post states it's an issue with FreeBSD).

This is my first real use of open source firewall stuff, other than playing with them in a VMWare environment, but this is the first time I've actually put one out there to use. This seems like kind of a deal breaker for any firewall/VPN appliance to not be able to do this.

I admit none of the dlink/netgear type of appliances do this (or did anyway when I looked at them a while back) but given that the current open source FW stuff out there is supposed to be close to enterprise capability....

Is there an easy workaround?

Thanks for the response.
Title: Re: Source NAT over ipsec VPN
Post by: franco on May 25, 2016, 07:55:28 pm
So we're stuck in the middle here. There is a patch for StrongSwan that is either

(a) not going to be accepted upstream

(b) not going to be pushed upstream

There are security and maintenance implications we cannot be sure of when there is no peer review and alignment in terms of StrongSwan itself regarding the feature. It is a useful feature, but who takes responsibility? And when the firewall is free, who is going to step in and help bring more professional features in for the benefit of the community beyond the scope that we currently have? There are many more things to tackle in all areas. :)

Wouldn't a dedicated IPSec box solve this issue?

Maybe the best option for all of FreeBSD (and likely beyond) would be:

(c) upstreaming the patch to StrongSwan
Title: Re: Source NAT over ipsec VPN
Post by: Andreas on May 25, 2016, 09:15:35 pm
Any chance to solve it with OpenBSD as base for OPNsense?
I mean a version of OPNsense based on OpenBSD? Is this in any way possible?