19.1 Legacy Series / Site-to-Site IPsec AND IPsec Client behind NAT
« on: May 09, 2019, 10:55:10 am »
Hi,
I have a special problem, I think, and I hope that maybe someone has an idea how to solve this.
On the WAN side I have multiple public IPs, and I have set up and running one IPsec Site-to-Site tunnel. Let's call this the primary network.
Beside that there are other networks; let's call one of them guestnet, for, well, guests.
All networks are handled by the same OPNsense appliance. The guestnet uses a virtual public IP for outgoing traffic which is different from the main IP used for the primary network NAT.
My wish would be that clients on the guestnet should be able to start IPsec tunnels from their client devices behind NAT, for example to connect to their home locations.
But this does not work.
Before OPNsense I had a Cisco ASA where this kind of setup was not a problem.
My guess is that the problem is in StrongSwan. Because it binds to all IP addresses on all interfaces, I guess that the IPsec answer from the remote site is not forwarded to the client behind NAT.
I tried to change "/usr/local/etc/strongswan.conf" by adding interfaces_use = "igb0", but it still binds to all IP addresses, including the virtual IP I used for the guest net.
Is there any (easy) way to make this work with OPNsense?
Well, I could set up a second OPNsense only for the guestnet ... but this looks a bit too big to me.
What if I connect a second interface to the Internet and add my second WAN IP there?
It will not work without a manual edit of "strongswan.conf", I guess. But is this setup desirable?
Best regards
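For readers with the same question: strongSwan reads the interface restriction from the charon section of strongswan.conf, where the option is documented as charon.interfaces_use (with charon.interfaces_ignore as its counterpart). The fragment below is an added example, not the poster's file and not OPNsense's generated configuration; the interface name igb0 is taken from the post, and the example assumes the file is not regenerated by the appliance on the next IPsec reload.

```conf
# strongswan.conf fragment (added example, not from the original post)
# The option belongs inside the charon { } section; a bare top-level
# "interfaces_use = ..." line is not read by charon.
charon {
    # Only create IKE listening sockets (UDP 500/4500) on these interfaces.
    # Comma-separated list of interface names; igb0 is the WAN from the post.
    interfaces_use = igb0

    # Alternative form: keep the default (all interfaces) but exclude some.
    # Do not combine with interfaces_use; shown here commented out.
    # interfaces_ignore = igb1, igb2
}
```

After reloading charon, sockstat -4l on FreeBSD lists the UDP 500 and 4500 listeners, which shows directly whether the daemon is still bound to the guestnet's virtual address.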