17.7 Legacy Series / VPN with outbound NAT and multiple phase 2 entries
« on: March 26, 2018, 11:43:11 am »
I've been trying to get a VPN up and running between my site and a customer, with very little success. The phase 1 side is fine, as we're getting some level of connectivity. The issue lies with the five phase 2 entries. Put simply, I have yet to get more than one tunnel active at any time. If it's possible to connect to one remote endpoint, it's not possible to connect to any others.
There's an additional complication, which is outbound NAT. This is achieved using one-to-one NAT settings, plus a manual SPD entry in the phase 2 settings. So, a PC on 172.x.x.1 connects to the remote site as 10.x.x.9. I can see in the logs that all attempted communication is using the correct address, but only one remote address is contactable. A traceroute to the working address looks just as it should; to any of the others it stops at the firewall, so it looks as if the device simply doesn't know where to send it.
Right now I'm at the point of changing the IP range of our network (it's a one-PC subnet and not part of our main network) to match the value required for outbound NAT, and then dropping the NAT and SPD entries on the OPNsense. I'm sure I shouldn't have to be doing this, but I need to get it working.
But it did occur to me that someone else may have seen this or a very similar problem, hence the post on here. All assistance very gratefully received!