OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: anomaly0617 on February 12, 2018, 11:16:52 pm

Title: Updated IPSec with BiNAT walk-through needed?
Post by: anomaly0617 on February 12, 2018, 11:16:52 pm

Hi all!,

Long time monowall/pf/OPNSense user here. I'm a network engineer for a managed service provider in Ohio.

I'm converting firewalls at customers from using pfSense to OPNSense as upgrades are required. I've discovered something through trial and error, but need to know if it's the proper way to be doing things...

For customers, we use BiNAT VPN tunnels extensively. This is because it's incredibly common to run into customers with 192.168.1.0/24 networks or 192.168.0.0/24 networks, and we need to be able to monitor their stuff over an encrypted tunnel from our office. We utilize rules on our side so they can only see the network monitoring server and everything else is blocked. On our side, however, I can see their whole subnet. So it's common for me to have a setup that looks like this:

Customer Side: 192.168.1.0/24 binat to 172.16.212.0/24
Our Side: 192.168.254.0/24 binat to 172.16.254.0/24

So the tunnel on their end is looking for a remote subnet of 172.16.254.0/24, and maintains a local subnet of 192.168.1.0/24 with BiNAT to 172.16.212.0/24.

The tunnel on our end is looking for a remote subnet of 172.16.212.0/24, and maintains a local subnet of 192.168.254.0/24.

On the customer's Firewall >> Rules >> IPSec it looks like IPv4 * * * * * (Allow IPSec Traffic)

On our end in Firewall >> Rules >> IPSec it looks quite different, only allowing customer VPNs to get to one IP address.  :)

So the question became, how do I make this occur in OPNSense? The Phase 1 always establishes with no issue, it's always the Phase 2 that is broken. So, here's what I've tried so far on my Phase 2 Tunnel configuration:

• I tried LocalNet as 192.168.1.0/24, RemoteNet as 172.16.254.0, and Manual SPD as 172.16.212.0/24. No joy.
• I tried LocalNet as 172.16.212.0/24, RemoteNet as 172.16.254.0, and Manual SPD as 192.168.1.0/24. No joy.
• I tried LocalNet as 192.168.1.0/24, RemoteNet as 172.16.254.0, and Manual SPD I left blank. I then tried going to Firewall >> Nat >> One-to-One >> Created a BiNAT that looks like IPSec, External is 172.16.212.0/24, Internal is 192.168.1.0/24, Dest. is Any. This works, but it negates the documentation I see here:
  https://forum.opnsense.org/index.php?topic=989.0 (https://forum.opnsense.org/index.php?topic=989.0)
  https://github.com/opnsense/core/issues/369 (https://github.com/opnsense/core/issues/369)

So, is the issue just that we need an updated tutorial or documentation?

Thanks in advance!

Title: Re: Updated IPSec with BiNAT walk-through needed?
Post by: franco on February 28, 2018, 08:01:31 am

Hi anomaly0617,

Yes, setup guide needs to be updated and moved to https://docs.opnsense.org/

I'll make a note in the GitHub issue about this thread...


Cheers,
Franco

Title: Re: Updated IPSec with BiNAT walk-through needed?
Post by: mimugmail on February 28, 2018, 08:22:29 am

May I take your networks for official documentation?