Messages - jesperfr

#1
Yes, I did read the BINAT how-to, but I thought I had to add the network/host at both ends of the tunnel, and that was not an option.

I got it to work now. Thanks very much for all your help, it's highly appreciated :o)
#2
No, nothing has been added to the SPD in phase 2. As I previously mentioned, I don't have access to the remote end, and the remote end is not an OPNsense firewall.

What IP do I need to add, and should this be done at both ends of the tunnel?
#3
I have tried both 1:1 NAT and outbound NAT, but neither work.

Packet capture with BINAT rule:
VLAN10
em0   09:49:14.273478 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32211, offset 0, flags [none], proto ICMP (1), length 60)
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46613, length 40
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46614, length 40
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46615, length 40
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46616, length 40
VLAN10
em0   09:49:19.207255 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32212, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0   09:49:24.206931 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32213, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0   09:49:29.206841 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32214, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:49:14.273756 00:50:56:a8:47:5c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.1.204.108 tell 91.221.51.240, length 28
WAN
em1   09:49:14.274354 00:26:0a:27:d6:00 > 00:50:56:a8:47:5c, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 10.1.204.108 is-at 00:26:0a:27:d6:00, length 46
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46613, length 40
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46614, length 40
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46615, length 40
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46616, length 40
WAN
em1   09:49:14.274394 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32211, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:49:19.207418 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32212, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:49:24.207103 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32213, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:49:29.206921 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32214, offset 0, flags [none], proto ICMP (1), length 60)
#4
A ping from the firewall's VLAN32 interface (10.222.8.4) works, but when I use the same interface address or any other address in 10.222.0.0/16 for translation, I can't ping.
#5
Please find attached a packet capture. The ping is done from a server, 10.220.2.13, and it's being translated to 10.222.8.4, but the packet towards 10.1.204.108 is not being tunneled.

I have tried two configs. Both configs are outbound NAT:

WAN as outgoing interface (packet capture WAN)
IPSEC as outgoing interface (packet capture IPSEC)

PACKET CAPTURE WAN:
VLAN10
em0   09:29:01.766196 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32194, offset 0, flags [none], proto ICMP (1), length 60)
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43537, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43538, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43539, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43540, length 40
VLAN10
em0   09:29:06.475942 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32195, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0   09:29:11.465461 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32196, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0   09:29:16.475901 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32197, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:29:01.766572 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32194, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43537, length 40
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43538, length 40
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43539, length 40
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43540, length 40
WAN
em1   09:29:06.476327 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32195, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:29:11.465774 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32196, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:29:16.476087 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32197, offset 0, flags [none], proto ICMP (1), length 60)


PACKET CAPTURE IPSEC:
VLAN10
em0   09:36:51.695292 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32198, offset 0, flags [none], proto ICMP (1), length 60)
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43547, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43548, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43549, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43550, length 40
VLAN10
em0   09:36:56.466359 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32199, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0   09:37:01.483428 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32200, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0   09:37:06.466768 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32201, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:36:51.695470 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32198, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43547, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43548, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43549, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43550, length 40
WAN
em1   09:36:56.466440 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32199, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:37:01.483573 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32200, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1   09:37:06.466915 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32201, offset 0, flags [none], proto ICMP (1), length 60)

In the image below, test is 10.220.2.13, Salling group is 10.1.204.108, and VLAN32_NAT_INTERFACE is 10.222.8.4.
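The captures in #3 and #5 above share one pattern: the echo request shows up on em1 as a plain IPv4 frame (with the source already rewritten to 10.222.8.4 in the "PACKET CAPTURE WAN" run, still 10.220.2.13 in the others) and no ESP frame follows it. That is the first thing to check when "NAT before IPsec" does not work: a packet that should ride the SA but instead leaves the WAN interface in the clear. The script below is an added example and is not part of jesperfr's posts; it parses tcpdump output in the two-line layout the OPNsense capture page produces and reports, for every outside-interface frame bound for the remote tunnel subnet, whether it left unencapsulated and whether the source had already been translated. Both capture texts are constructed to match the thread's layout; the peer address 203.0.113.10 and the SPI in the "healthy" sample are made up.

```python
"""Flag tunnel-bound traffic that leaves the outside interface in cleartext
instead of inside ESP. Added example; only the Python standard library is used."""
import re
from ipaddress import ip_address, ip_network

# tcpdump -e -n -vv layout as shown on the OPNsense capture page: a header line
# that starts with the interface name, then an indented "src > dst:" flow line.
FRAME_RE = re.compile(
    r"^(?P<ifname>\w+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?proto (?P<proto>\w+) \(\d+\)"
)
FLOW_RE = re.compile(r"^\s*(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}):")

# Constructed sample shaped like the "PACKET CAPTURE WAN" run above: the source
# is translated to 10.222.8.4, but the packet is then forwarded on em1 as plain ICMP.
BROKEN_CAPTURE = """\
VLAN10
em0   09:29:01.766196 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32194, offset 0, flags [none], proto ICMP (1), length 60)
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43537, length 40
WAN
em1   09:29:01.766572 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32194, offset 0, flags [none], proto ICMP (1), length 60)
    10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43537, length 40
"""

# Constructed sample of what a working NAT-before-IPsec setup looks like on the
# wire: the only thing toward the remote side on em1 is ESP to the peer.
# Peer address 203.0.113.10 and the SPI are invented for the example.
HEALTHY_CAPTURE = """\
VLAN10
em0   09:29:01.766196 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32194, offset 0, flags [none], proto ICMP (1), length 60)
    10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43537, length 40
WAN
em1   09:29:01.766900 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 150: (tos 0x0, ttl 64, id 7, offset 0, flags [DF], proto ESP (50), length 136)
    91.221.51.240 > 203.0.113.10: ESP(spi=0x0000abcd,seq=0x1), length 116
"""


def parse_capture(text):
    """Return one dict per flow line: ifname, ts, proto, src, dst.
    Several flow lines may follow one header (as in the thread's captures)."""
    frames, header = [], None
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        m = FLOW_RE.match(line)
        if m and header is not None:
            frames.append({**header, **m.groupdict()})
    return frames


def audit_capture(text, outside_if, remote_net, inside_src, nat_src):
    """Classify what leaves outside_if toward the remote tunnel subnet.
    A cleartext frame to that subnet means the packet missed the SA."""
    remote = ip_network(remote_net)
    inside, nat = ip_address(inside_src), ip_address(nat_src)
    result = {"esp_frames": 0, "leaks": []}
    for f in parse_capture(text):
        if f["ifname"] != outside_if:
            continue
        if f["proto"] == "ESP":
            result["esp_frames"] += 1
            continue
        if ip_address(f["dst"]) not in remote:
            continue
        src = ip_address(f["src"])
        if src == nat:
            kind = "cleartext-after-nat"   # NAT ran, tunnel did not
        elif src == inside:
            kind = "cleartext-no-nat"      # neither NAT nor tunnel
        else:
            kind = "cleartext-other-src"
        result["leaks"].append((kind, f["src"], f["dst"], f["proto"]))
    result["tunneled"] = result["esp_frames"] > 0 and not result["leaks"]
    return result


def run_examples():
    """Audit both samples with the addresses from the thread."""
    args = ("em1", "10.1.204.0/24", "10.220.2.13", "10.222.8.4")
    return {
        "broken": audit_capture(BROKEN_CAPTURE, *args),
        "healthy": audit_capture(HEALTHY_CAPTURE, *args),
    }


if __name__ == "__main__":
    for name, r in run_examples().items():
        print(name, "tunneled" if r["tunneled"] else "NOT tunneled", r["leaks"])
```

Run it against a real capture by pasting the text of the WAN-side capture into `audit_capture` with your own outside interface, remote phase 2 subnet, original source and translated source. A "cleartext-after-nat" finding with zero ESP frames is exactly the situation in the thread; a "cleartext-no-nat" finding means the outbound NAT rule did not match at all.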
#6
A little more explanation:
It's an existing tunnel. My end is 10.222.0.0/16, the remote end is 10.1.204.0/24.
I have a server on my end coming from 10.220.2.72, which I translate to 10.222.8.4. If I ping from the local server and do a packet capture on the WAN interface, then I can see the translated address towards the server I try to reach (10.1.204.108).

firewall interfaces:
VLAN 10 (10.220.0.9/22)
VLAN 32 (10.222.8.4/22)
WAN

My local server is coming in via VLAN 10 and is being translated to the interface address on VLAN 32.
#7
Is this still a problem ?

I need to NAT an address before sending it through an IPsec tunnel, but I can't get it to work. According to the packet capture it seems that NAT is done, but it's not being tunneled afterwards.

Rgds,
Jesper
#8
19.1 Legacy Series / Re: Nat not working
July 30, 2019, 04:47:02 PM
Has anyone had the same problem and found a solution?
#9
No, I haven't found a solution
#10
19.1 Legacy Series / Nat not working
July 19, 2019, 07:23:41 AM
Hi all,

I have an issue.

Firewall is running 19.1.4

On my firewall I have 3 interfaces:
VLAN10 (10.220.0.0/16) interface address 10.220.0.9
VLAN32 (10.222.0.0/16) interface address 10.222.8.4
WAN

I have a source address (10.220.2.75) coming from VLAN10, and I need it to be translated to an address on VLAN32 (10.222.10.251 or the VLAN32 interface address) and run through an IPsec tunnel.

I can't get this to work. I have tried to do both one-to-one and outbound NAT.


In picture attached is:
- KACE (10.220.2.75)
- Salling_group (IP address that should be reached through the IPsec tunnel. I have also tried using the WAN address, but still the same)
- VLAN_32_NAT_INTERFACE (VLAN32 interface address as an alias)


Any suggestions?

Thanks in advance

Rgds,
Jesper
#11
General Discussion / IPSec tunnel not working with NAT
September 06, 2018, 12:46:14 PM
Hi all,

I'm trying to set up an IPsec tunnel towards a customer, but I can't get it to work. The tunnel comes up (both Phase 1 and 2), but no traffic is being tunneled.

I have created an outbound NAT rule that hides all hosts on VLAN 32 (10.222.8.0/22), destination 10.38.134.48/32, behind a public IP (xxx.xxx.51.239).

Local subnets        SPI(s)           Remote subnets     State       Stats
xxx.xxx.51.239/32    in : caa4e040    10.38.134.48/32    INSTALLED   Time : 590
                     out : 581e3f33                      Routed      Bytes in : 0
                                                                     Bytes out : 0

It also says that the route is installed, but I can't see the route under Routes --> Status. I can see routes for the other IPsec tunnels running on this firewall, but not this one (this is the only tunnel where NAT is used).

If I try to do a ping from the interface address on VLAN32, then I would expect the "bytes out" counter to increase, but this is not the case. There is no traffic seen on the firewall at the remote end.

The following versions are running on the firewall:
OPNsense 18.1.5-amd64
FreeBSD 11.1-RELEASE-p8
OpenSSL 1.0.2n 7 Dec 2017


Any idea what could be wrong ?