OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: vince on June 28, 2018, 02:55:39 pm

Title: IPSec Site-to-Site with one Site behind NAT
Post by: vince on June 28, 2018, 02:55:39 pm
So far this seems like a pretty straightforward thing to do, but it's only working partially and I have no clue as to why. And I got lost in way too many posts like this one and helpful sites explaining stuff about ipsec. I really hope someone here can shed some light on this.

setup:
remote site | host R --- FW R === WAN_NAT L == FW L --- host L | local site

Net R: host R, FW R
Net DMZ: WAN_NAT L, FW L
Net L: FW L, host L

FW R:
* single opnsense box
* local ident: FW R public ip (static)
* remote ident: WAN_NAT L public ip (static)

WAN_NAT L:
* business dsl router only used for pppoe
* DMZ: CARP IP NET DMZ FW L
* NAT from NET DMZ to public ip (static)

FW_L:
* HA-setup with tunnel originating from host-ip (not the carp virtual ip)
* NAT from CARP in NET L to CARP in NET DMZ
* Outbound NAT: NET L to ! NET L via CARP IP NET L FW L
* local ident: WAN_NAT L public ip (static)
* remote ident: FW R public ip (static)

fw rules (FW R & FW L):
* allow everything on IF ipsec

connectivity (icmp/ssh/https):
Host R -> FW L: no
Host R -> Host L: no

Host L -> FW R: yes
Host L -> Host R: yes
FW R -> FW L: no
FW L -> FW R: no


FW R "ipsec statusall"
Code:
Status of IKE charon daemon (strongSwan 5.6.3, FreeBSD 11.1-RELEASE-p10, amd64):
  uptime: 45 minutes, since Jun 28 13:44:15 2018
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
Listening IP addresses:
  <public IP FW R>
  <NET R IP FW R>
Connections:
        con1:  <public IP FW R>...<public IP FW L>  IKEv2, dpddelay=30s
        con1:   local:  [<public IP FW R>] uses pre-shared key authentication
        con1:   remote: [<public IP FW L>] uses pre-shared key authentication
        con1:   child:  <NET R> === <NET L> TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
        con1[1]: ESTABLISHED 45 minutes ago, <public IP FW R>[<public IP FW R>]...<public IP FW L>[<public IP FW L>]
        con1[1]: IKEv2 SPIs: af539d1d52e4b970_i db82b64dfdb13183_r*, pre-shared key reauthentication in 6 hours
        con1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
        con1{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c9b931a6_i ccc8da4d_o
        con1{3}:  AES_CBC_256/HMAC_SHA2_512_256/MODP_2048, 65187 bytes_i (900 pkts, 0s ago), 152716 bytes_o (929 pkts, 0s ago), rekeying in 39 minutes
        con1{3}:   <NET R> === <NET L>

FW L "ipsec statusall"
Code:
Status of IKE charon daemon (strongSwan 5.6.3, FreeBSD 11.1-RELEASE-p10, amd64):
  uptime: 47 minutes, since Jun 28 13:44:19 2018
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 10
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
Listening IP addresses:
  <NET DMZ IP FW L>
  <NET DMZ CARP IP FW L>
  <HA SYNC IP>
  <NET L IP FW L>
  <CARP IP NET L FW L>
Connections:
        con1:  <NET DMZ IP FW L>...<public IP FW R>  IKEv2, dpddelay=300s
        con1:   local:  [<public IP FW L>] uses pre-shared key authentication
        con1:   remote: [<public IP FW R>] uses pre-shared key authentication
        con1:   child:  <NET L> === <NET R> TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
        con1[1]: ESTABLISHED 47 minutes ago, <NET DMZ IP FW L>[<public IP FW L>]...<public IP FW R>[<public IP FW R>]
        con1[1]: IKEv2 SPIs: af539d1d52e4b970_i* db82b64dfdb13183_r, pre-shared key reauthentication in 6 hours
        con1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
        con1{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccc8da4d_i c9b931a6_o
        con1{5}:  AES_CBC_256/HMAC_SHA2_512_256/MODP_2048, 1509939 bytes_i (2455 pkts, 1s ago), 301572 bytes_o (1971 pkts, 1s ago), rekeying in 37 minutes
        con1{5}:   <NET L> === <NET R>

What seems to be a bit weird to me is that there is no part like
Code:
Routed Connections:
        con1{2}:  ROUTED, TUNNEL, reqid 2
        con1{2}:   <NET X> === <NET Y>
like on another ipsec connection we have running. Is this part even needed?


So, in the end it comes down to two questions:
1) what went wrong regarding connectivity?
2) (bonus) how do I get a failover tunnel from an HA-FW to another site?

If there is more info needed I would be happy to provide that. All boxes are running 18.1.10 btw.
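Added example (my own code, not OPNsense's or strongSwan's): a small parser for the strongSwan 5.x "ipsec statusall" layout pasted above, plus a few checks that match the questions in this post (local ID that is not a local address because of the NAT, NAT-T shown by "ESP in UDP", CHILD_SA present with traffic in both directions, and whether a ROUTED trap entry exists). The sample output is constructed after FW L's paste with documentation-range addresses in place of the placeholders; field names and the checks in diagnose() are my own assumptions.

```python
"""Parse strongSwan "ipsec statusall" output and flag the points this thread asks about.

Added example for this thread, not OPNsense or strongSwan code. It assumes the
strongSwan 5.x stroke-style layout shown in the posts; field names are mine.
"""
import re

# Constructed sample modelled on FW L's output above, with documentation-range
# addresses standing in for the <placeholders> used in the post.
SAMPLE = """\
Status of IKE charon daemon (strongSwan 5.6.3, FreeBSD 11.1-RELEASE-p10, amd64):
  uptime: 47 minutes, since Jun 28 13:44:19 2018
Listening IP addresses:
  192.0.2.10
  192.0.2.11
Connections:
        con1:  192.0.2.10...198.51.100.1  IKEv2, dpddelay=300s
        con1:   local:  [203.0.113.5] uses pre-shared key authentication
        con1:   remote: [198.51.100.1] uses pre-shared key authentication
        con1:   child:  10.1.0.0/24 === 10.2.0.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
        con1[1]: ESTABLISHED 47 minutes ago, 192.0.2.10[203.0.113.5]...198.51.100.1[198.51.100.1]
        con1[1]: IKEv2 SPIs: af539d1d52e4b970_i* db82b64dfdb13183_r, pre-shared key reauthentication in 6 hours
        con1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
        con1{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccc8da4d_i c9b931a6_o
        con1{5}:  AES_CBC_256/HMAC_SHA2_512_256/MODP_2048, 1509939 bytes_i (2455 pkts, 1s ago), 301572 bytes_o (1971 pkts, 1s ago), rekeying in 37 minutes
        con1{5}:   10.1.0.0/24 === 10.2.0.0/24
"""

CONN_RE = re.compile(r"^\s*(\w+):\s+(\S+)\.\.\.(\S+)\s+(IKEv\d)")
ID_RE = re.compile(r"^\s*(\w+):\s+(local|remote):\s+\[([^\]]+)\]")
CHILD_CFG_RE = re.compile(r"^\s*(\w+):\s+child:\s+(\S+)\s+===\s+(\S+)")
IKE_SA_RE = re.compile(r"^\s*(\w+)\[\d+\]:\s+([A-Z_]+)[^,]*,\s+(\S+?)\[([^\]]+)\]\.\.\.(\S+?)\[([^\]]+)\]")
SPI_RE = re.compile(r"^\s*(\w+)\[\d+\]:\s+IKEv\d SPIs: [0-9a-f]+_i(\*?) [0-9a-f]+_r")
CHILD_SA_RE = re.compile(r"^\s*(\w+)\{\d+\}:\s+(INSTALLED|ROUTED|INSTALLING|REKEYING|REKEYED|DELETING)\b")
TRAFFIC_RE = re.compile(r"^\s*\w+\{\d+\}:\s+\S+,\s+(\d+) bytes_i(?: \((\d+) pkts[^)]*\))?,\s+(\d+) bytes_o(?: \((\d+) pkts[^)]*\))?")
TS_RE = re.compile(r"^\s*\w+\{\d+\}:\s+(\S+)\s+===\s+(\S+)\s*$")


def parse_statusall(text):
    """Return listening addresses, configured connections, IKE_SAs and CHILD_SAs."""
    st = {"listening": [], "connections": {}, "ike_sas": [], "child_sas": []}
    section = ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented lines are section headers
            section = line
            continue
        if section.startswith("Listening IP addresses"):
            st["listening"].append(line.strip())
        elif section.startswith("Connections"):
            if m := CONN_RE.match(line):
                st["connections"].setdefault(m[1], {}).update(local_addr=m[2], remote_addr=m[3], ike=m[4])
            elif m := ID_RE.match(line):
                st["connections"].setdefault(m[1], {})[f"{m[2]}_id"] = m[3]
            elif m := CHILD_CFG_RE.match(line):
                st["connections"].setdefault(m[1], {})["ts"] = (m[2], m[3])
        elif section.startswith(("Security Associations", "Routed Connections")):
            if m := IKE_SA_RE.match(line):
                st["ike_sas"].append(dict(name=m[1], state=m[2], local_addr=m[3], local_id=m[4],
                                          remote_addr=m[5], remote_id=m[6], initiator=None))
            elif (m := SPI_RE.match(line)) and st["ike_sas"]:
                st["ike_sas"][-1]["initiator"] = m[2] == "*"   # '*' marks the local SPI
            elif m := CHILD_SA_RE.match(line):
                st["child_sas"].append(dict(name=m[1], state=m[2], natt="ESP in UDP" in line,
                                            bytes_i=0, pkts_i=0, bytes_o=0, pkts_o=0, ts=None))
            elif (m := TRAFFIC_RE.match(line)) and st["child_sas"]:
                st["child_sas"][-1].update(bytes_i=int(m[1]), pkts_i=int(m[2] or 0),
                                           bytes_o=int(m[3]), pkts_o=int(m[4] or 0))
            elif (m := TS_RE.match(line)) and st["child_sas"]:
                st["child_sas"][-1]["ts"] = (m[1], m[2])
    return st


def diagnose(st):
    """Turn the parsed state into the checks a troubleshooter wants to see first."""
    out = []
    for name, c in st["connections"].items():
        lid = c.get("local_id")
        if lid and lid not in st["listening"]:
            out.append(f"{name}: local ID {lid} is not an address of this host (expected behind NAT); "
                       "the peer must be configured with exactly this ID")
    if not st["ike_sas"]:
        out.append("no IKE_SA: IKE never completed, check the IKE log, pre-shared key and IDs")
    for sa in st["ike_sas"]:
        if sa["state"] != "ESTABLISHED":
            out.append(f"{sa['name']}: IKE_SA is {sa['state']}, not ESTABLISHED")
    installed = [c for c in st["child_sas"] if c["state"] == "INSTALLED"]
    if st["ike_sas"] and not installed:
        out.append("IKE_SA up but no CHILD_SA installed: check phase 2 proposals and traffic selectors")
    for c in installed:
        conn = st["connections"].get(c["name"], {})
        if c["natt"]:
            out.append(f"{c['name']}: NAT-T active (ESP in UDP/4500), so the NAT in the path is being traversed")
        if bool(c["pkts_i"]) != bool(c["pkts_o"]):   # traffic in one direction only
            out.append(f"{c['name']}: one-way traffic ({c['pkts_i']} pkts in, {c['pkts_o']} out); "
                       "check rules on the ipsec interface and outbound NAT exclusions")
        if c["ts"] and conn.get("ts") and c["ts"] != conn["ts"]:
            out.append(f"{c['name']}: negotiated selectors {c['ts']} differ from configured {conn['ts']}")
    if not any(c["state"] == "ROUTED" for c in st["child_sas"]):
        out.append("no ROUTED (trap) policy: a CHILD_SA that goes down is not re-created on demand by matching traffic")
    return out


if __name__ == "__main__":
    for finding in diagnose(parse_statusall(SAMPLE)):
        print("-", finding)
```

Run it against a real paste with `ipsec statusall | python3 statuscheck.py` after replacing SAMPLE with `sys.stdin.read()`; the one-way-traffic check is the one that would fire on FW L while only Host L -> Host R works, and the ID check is what mimugmail's "private IP as ID" advice avoids.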
Title: Re: IPSec Site-to-Site with one Site behind NAT
Post by: franco on June 29, 2018, 01:13:09 pm
Did you check this already? https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html


Cheers,
Franco
Title: Re: IPSec Site-to-Site with one Site behind NAT
Post by: mimugmail on June 29, 2018, 01:31:43 pm
Stop Tunnels and start ping in host L and check the logs of FW L
Title: Re: IPSec Site-to-Site with one Site behind NAT
Post by: mimugmail on June 29, 2018, 01:33:02 pm
P.S.: I myself prefer the private IP as ID instead of the WAN IP
Title: Re: IPSec Site-to-Site with one Site behind NAT
Post by: vince on July 02, 2018, 09:44:15 am
Quote from: franco on June 29, 2018, 01:13:09 pm
Did you check this already? https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html


Cheers,
Franco

No, I did not figure I need to, since I do not have the same network in use in multiple locations. Do I still need to use BINAT, and if so, why?