
Messages - wtelese

#1
Virtual private networks / NAT 1:1 over IPSec
January 19, 2023, 11:33:26 AM
Good morning,
Could you give me a hand with configuring 1:1 NAT over IPSec?

Site A: Caller
Site B: OPNSense

OPNSense LAN 192.168.200.254
LAN IP Server 192.168.200.1 with Gateway 192.168.200.254

This is the situation:
IPSec tunnel successfully created, both Phase 1 and Phase 2.
Internal LAN Site A - 172.17.50.192/28
Internal LAN Site B - 172.17.52.80/28

Site A calls, via IP 172.17.50.206, the IP address 172.17.52.80, which must be NATted 1:1 to IP 192.168.200.1.

I created a virtual LAN address 172.17.52.80/28.

Then I ran the following tests:
TEST 1 - 1:1 NAT
Interface: WAN
ExternalIP: 172.17.52.80
InternalIP: 192.168.200.1/32
DestinationIP: Any

TEST 2 - 1:1 NAT
Interface: LAN
ExternalIP: 172.17.52.80
InternalIP: 192.168.200.1/32
DestinationIP: Any

TEST 3 - 1:1 NAT
Interface: LAN
ExternalIP: 172.17.50.206
InternalIP: 172.17.52.80/32
DestinationIP: Any

TEST 4 - 1:1 NAT
Interface: LAN
ExternalIP: 172.17.50.206
InternalIP: 172.17.52.80/32
DestinationIP: 192.168.200.1/32

Nothing works, unfortunately ... and I can't figure out where I'm going wrong.
I read on some forums that the "Block bogon networks" and "Block private networks" options had to be disabled on the WAN interface ... I removed those flags too!

Unfortunately I still don't receive traffic from IP 172.17.50.206 as expected!

Thanks to anyone who can help me.
#2
Italian - Italiano / NAT 1:1
January 19, 2023, 11:31:24 AM
Good morning,
could you give me a hand with configuring 1:1 NAT over IPSec?

Site A: Caller
Site B: OPNSense

OPNSense LAN 192.168.200.254
Server LAN IP 192.168.200.1 with Gateway 192.168.200.1

This is the situation:
IPSec tunnel created correctly, both Phase 1 and Phase 2.
Internal LAN Site A - 172.17.50.192/28
Internal LAN Site B - 172.17.52.80/28

Site A calls, via IP 172.17.50.206, the IP address 172.17.52.80, which must be NATted 1:1 to IP 192.168.200.1.

I created a virtual LAN address 172.17.52.80/28.

Then I ran the following tests:
TEST 1 - 1:1 NAT
Interface: WAN
ExternalIP: 172.17.52.80
InternalIP: 192.168.200.1/32
DestinationIP: Any

TEST 2 - 1:1 NAT
Interface: LAN
ExternalIP: 172.17.52.80
InternalIP: 192.168.200.1/32
DestinationIP: Any

TEST 3 - 1:1 NAT
Interface: LAN
ExternalIP: 172.17.50.206
InternalIP: 172.17.52.80/32
DestinationIP: Any

TEST 4 - 1:1 NAT
Interface: LAN
ExternalIP: 172.17.50.206
InternalIP: 172.17.52.80/32
DestinationIP: 192.168.200.1/32

Nothing works, unfortunately ... and I can't figure out where I'm going wrong.
I read on some forums that the "Block bogon networks" and "Block private networks" options had to be disabled on the WAN interface ... I removed those flags too!

Unfortunately I still don't receive traffic from IP 172.17.50.206 as expected!

Thanks to anyone who can help me.
#3
Hello everyone,
I have a customer who connects to my firewall with an IPSec VPN.

SITE A -> WAN 1.2.3.4 LAN 192.168.2.0/24
SITE B -> WAN 4.3.2.1 LAN 172.10.50.80/28

Phase 1 - OK!
Phase 2 - Customer - Site B is behind NAT and gave me these parameters:
REMOTE IP SITE B 4.3.2.1
PRIVATE SUBNET SITE B 172.10.50.80/28
REMOTE IP SITE A 1.2.3.4
PRIVATE SUBNET SITE A 172.10.52.80/28

In Phase 2 these are the parameters I set:
LOCALNETWORK Network 172.17.52.80/28
REMOTENETWORK Network 172.17.50.80/28
Manual SPD Entries 192.168.2.0/24

Afterwards I created a One-to-One NAT:
TYPE NAT
EXTERNAL NETWORK 172.17.52.80/28
SOURCE NETWORK 192.168.2.0/24
DESTINATION NETWORK 172.17.50.80/28

BUT ... IT DOES NOT WORK!!

In the LOG the error is:

traffic selectors 172.17.52.80/28 === 172.17.50.192/28 unacceptable

Where am I going wrong? Which parameter is wrong?
Can you help me, please?
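An added sanity check, written here as an illustration and not taken from the thread, OPNsense or strongSwan: it applies to both the 1:1 NAT attempts in post #1 and the "traffic selectors ... unacceptable" error in post #3. The first function mirrors the IKEv2 rule (RFC 7296 section 2.9) that a responder may narrow the initiator's traffic selectors but must refuse the child SA when the proposed and configured networks do not overlap, and formats the refusal like the log line quoted above. The second function checks that a 1:1 NAT mapping's external address sits inside the phase-2 local network and is a usable host address, and that its internal address is on the LAN. Addresses are the ones from the posts; the LAN prefix 192.168.200.0/24 and the strongSwan-style message are assumptions, since the thread gives only the hosts, not the prefix.

```python
"""Sanity checks for IPsec phase-2 traffic selectors and 1:1 NAT over the tunnel.

Constructed example: the addresses are taken from the forum posts, the
LAN prefix 192.168.200.0/24 is an assumption, and the refusal message only
copies the shape of the strongSwan log line quoted in the thread.
"""
from ipaddress import IPv4Network, ip_address, ip_network


def overlap(a: IPv4Network, b: IPv4Network):
    """Two CIDR networks are either nested or disjoint: return the narrower one, or None."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def check_phase2(my_local, my_remote, peer_local, peer_remote):
    """Responder-side view of IKEv2 selector narrowing (RFC 7296 sec 2.9).

    my_local/my_remote are the networks I configured; peer_local/peer_remote are
    what the initiator proposes for ITS side. Note the mirroring: the peer's local
    network has to overlap my remote network, and vice versa. Returns (ok, message).
    """
    ts_mine = overlap(ip_network(my_local), ip_network(peer_remote))
    ts_theirs = overlap(ip_network(my_remote), ip_network(peer_local))
    if ts_mine is None or ts_theirs is None:
        # Same shape as the strongSwan log line quoted in the thread (assumed format)
        return False, f"traffic selectors {my_local} === {peer_local} unacceptable"
    return True, f"negotiated {ts_mine} === {ts_theirs}"


def check_one_to_one(external, internal, local_selector, lan):
    """Return a list of problems with a 1:1 NAT entry used over IPsec (empty == consistent).

    The external address must be inside the phase-2 local network, otherwise the
    peer never routes it into the tunnel, and it should be a usable host address.
    The internal address must be on the LAN the mapping is meant to serve.
    """
    ext, inner = ip_address(external), ip_address(internal)
    sel, lan_net = ip_network(local_selector), ip_network(lan)
    problems = []
    if ext not in sel:
        problems.append(f"external {ext} is outside phase-2 local network {sel}")
    elif ext in (sel.network_address, sel.broadcast_address):
        problems.append(
            f"external {ext} is the network/broadcast address of {sel}; "
            f"usable hosts are {sel[1]}-{sel[-2]}"
        )
    if inner not in lan_net:
        problems.append(f"internal {inner} is not on LAN {lan_net}")
    return problems


# The four 1:1 NAT attempts from post #1 as (External IP, Internal IP)
POST1_TESTS = {
    "TEST 1": ("172.17.52.80", "192.168.200.1"),
    "TEST 2": ("172.17.52.80", "192.168.200.1"),
    "TEST 3": ("172.17.50.206", "172.17.52.80"),
    "TEST 4": ("172.17.50.206", "172.17.52.80"),
}


def audit_post1(local_selector="172.17.52.80/28", lan="192.168.200.0/24"):
    """Run check_one_to_one over the four attempts; the LAN prefix is an assumption."""
    return {name: check_one_to_one(e, i, local_selector, lan)
            for name, (e, i) in POST1_TESTS.items()}


if __name__ == "__main__":
    # Post #3: Site A configured remote 172.17.50.80/28, but Site B's LAN is 172.17.50.192/28
    print(check_phase2("172.17.52.80/28", "172.17.50.80/28",
                       "172.17.50.192/28", "172.17.52.80/28"))
    # Same exchange with the remote network corrected to what Site B actually proposes
    print(check_phase2("172.17.52.80/28", "172.17.50.192/28",
                       "172.17.50.192/28", "172.17.52.80/28"))
    for name, problems in audit_post1().items():
        print(name, problems or ["no inconsistency found"])
```

Run as a script it prints the refusal for the post #3 selectors, the negotiated pair once the remote network matches, and the findings for each of post #1's four attempts: tests 3 and 4 place the external address outside the local phase-2 network and the internal address off the LAN, while tests 1 and 2 use 172.17.52.80, which is the network address of 172.17.52.80/28 rather than a host in it.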
#4
Italian - Italiano / IPSEC NAT - HELP!!
November 17, 2022, 07:36:32 PM
Hi everyone,
I have a nagging doubt ... I have a customer who connects to my firewall with an IPSec VPN.

SITE A -> WAN 1.2.3.4 LAN 192.168.2.0/24
SITE B -> WAN 4.3.2.1 LAN 172.10.50.80/28

As far as PHASE 1 is concerned there is no problem, IPSec comes up, while for Phase 2, since SITE B is behind NAT, it is as if they presented themselves with LAN 172.10.52.80/28.

In fact the LOG shows the error:

traffic selectors 172.17.52.80/28 === 172.17.50.192/28 unacceptable

In Phase 2 on SITE A (mine) I set the following:
LOCALNETWORK Network 172.17.52.80/28
REMOTENETWORK Network 172.17.50.80/28
Manual SPD Entries 192.168.2.0/24

Then I created a One-to-One NAT:
TYPE NAT
EXTERNAL NETWORK 172.17.52.80/28
SOURCE NETWORK 192.168.2.0/24
DESTINATION NETWORK 172.17.50.80/28

Where am I going wrong? Is there a kind soul who can help me? Thanks