Messages - anomaly0617

31
17.7 Legacy Series / Re: Unable to configure Peer ID for mobile IPsec
« on: March 30, 2018, 04:06:05 am »
FYI, +1 on this end for rolling back to show/use Peer Identifier / Group address. Couldn't make it work without it, and then once I ran the rollback patch on 18.1.5, it worked.

32
General Discussion / Re: Still pretty mixed up on BiNAT over Phase 2 Tunnels
« on: March 06, 2018, 11:09:11 pm »
This was EXACTLY the fix I needed. Thank you! Please update the documentation with the linked help?

33
General Discussion / Still pretty mixed up on BiNAT over Phase 2 Tunnels
« on: March 06, 2018, 06:36:36 pm »
Hi there,

I'm still struggling to implement BiNAT over various IPSec Phase 2 tunnels. Here's how it's handled in pfSense:

Mode: Local Network
Type: LAN Subnet (Mine is 192.168.121.0/24)
Address: [Blank]
NAT/BiNAT Translation Type: Network
NAT/BiNAT Network: 172.16.254.0/24
Remote Network Type: Network
Remote Network Address: 172.16.246.0/24

So, whenever traffic goes out to the 246 network, it should appear to come from 172.16.254.[ip]
Whenever traffic comes in from the 246 network, it should appear to come from 172.16.246.[ip], even though on their end it's likely something like 192.168.1.[ip], and we have BiNAT set up there too.

Lastly (and most importantly), whenever traffic goes out to the 10.0.143.0/24 network, it should appear to come from 192.168.121.0/24 because that is a branch office and it has no BiNAT defined in the Phase 2. There's no chance of a conflict and therefore no need to BiNAT.

If I try the same thing in OPNSense, it looks like this:

Mode: Tunnel IPv4
Description: Customer Name
Local Network Type: Network
Local Network Address: 172.16.246.0/24
Remote Network Type: Network
Remote Network Address: 172.16.254.0/24

Then I create a rule in Firewall >> Nat >> One to One
Interface: IPSec
External IP: 172.16.254.0/24
Internal IP: 192.168.121.0/24
Destination IP: * (Any)

... but this takes over all IPSec traffic going out and makes it appear to come from 172.16.254.0/24 in the firewall logs.

Is there a way to just set BiNAT settings in the Phase 2 settings and be done with it?

34
18.1 Legacy Series / Updated IPSec with BiNAT walk-through needed?
« on: February 12, 2018, 11:16:52 pm »
Hi all!

Long time monowall/pf/OPNSense user here. I'm a network engineer for a managed service provider in Ohio.

I'm converting firewalls at customers from using pfSense to OPNSense as upgrades are required. I've discovered something through trial and error, but need to know if it's the proper way to be doing things...

For customers, we use BiNAT VPN tunnels extensively. This is because it's incredibly common to run into customers with 192.168.1.0/24 networks or 192.168.0.0/24 networks, and we need to be able to monitor their stuff over an encrypted tunnel from our office. We utilize rules on our side so they can only see the network monitoring server and everything else is blocked. On our side, however, I can see their whole subnet. So it's common for me to have a setup that looks like this:

Customer Side: 192.168.1.0/24 binat to 172.16.212.0/24
Our Side: 192.168.254.0/24 binat to 172.16.254.0/24

So the tunnel on their end is looking for a remote subnet of 172.16.254.0/24, and maintains a local subnet of 192.168.1.0/24 with BiNAT to 172.16.212.0/24.

The tunnel on our end is looking for a remote subnet of 172.16.212.0/24, and maintains a local subnet of 192.168.254.0/24.

On the customer's Firewall >> Rules >> IPSec it looks like IPv4 * * * * * (Allow IPSec Traffic)

On our end in Firewall >> Rules >> IPSec it looks quite different, only allowing customer VPNs to get to one IP address.  :)

So the question became, how do I make this occur in OPNSense? The Phase 1 always establishes with no issue, it's always the Phase 2 that is broken. So, here's what I've tried so far on my Phase 2 Tunnel configuration:

  • I tried LocalNet as 192.168.1.0/24, RemoteNet as 172.16.254.0, and Manual SPD as 172.16.212.0/24. No joy.
  • I tried LocalNet as 172.16.212.0/24, RemoteNet as 172.16.254.0, and Manual SPD as 192.168.1.0/24. No joy.
  • I tried LocalNet as 192.168.1.0/24, RemoteNet as 172.16.254.0, and Manual SPD I left blank. I then tried going to Firewall >> Nat >> One-to-One >> Created a BiNAT that looks like IPSec, External is 172.16.212.0/24, Internal is 192.168.1.0/24, Dest. is Any. This works, but it negates the documentation I see here:
    https://forum.opnsense.org/index.php?topic=989.0
    https://github.com/opnsense/core/issues/369

So, is the issue just that we need an updated tutorial or documentation?

Thanks in advance!
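Added example for the two BiNAT posts above (the "Still pretty mixed up on BiNAT over Phase 2 Tunnels" and "Updated IPSec with BiNAT walk-through needed?" threads). It is not part of anomaly0617's posts and is not OPNsense or pfSense code: it is a small Python model of 1:1 (netmap-style) translation that reproduces the symptom described, a One-to-One rule with Destination IP set to any rewriting the source of every IPsec packet, including traffic for the 10.0.143.0/24 branch office that should stay untranslated. It goes one step beyond the posts by also modelling the same mapping scoped to one remote network so the difference is visible; that scoped rule, the first-match rule ordering and the field names are assumptions of the model, not a statement of how OPNsense resolves this. Addresses are the ones given in the posts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class BinatRule:
    """One 1:1 (BiNAT) rule as the posts describe it (model, not OPNsense's data structure).

    internal:    the real local subnet behind this firewall
    external:    the subnet the peer sees instead (must be the same size)
    destination: remote network the rule applies to; None models 'Destination IP: *'
    """
    internal: Net
    external: Net
    destination: Optional[Net] = None


def netmap(addr: IPv4, from_net: Net, to_net: Net) -> IPv4:
    """Swap the network part of addr from from_net to to_net, keeping the host bits."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs networks of equal size")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return IPv4(int(to_net.network_address) + host_bits)


def outbound_source(src: IPv4, dst: IPv4, rules: list) -> IPv4:
    """Source address the peer sees for a packet src -> dst leaving over IPsec.

    First matching rule wins (assumed ordering); no match means no translation.
    """
    for rule in rules:
        in_scope = rule.destination is None or dst in rule.destination
        if src in rule.internal and in_scope:
            return netmap(src, rule.internal, rule.external)
    return src


def inbound_destination(dst: IPv4, src: IPv4, rules: list) -> IPv4:
    """Real local address for a packet from the peer addressed to dst (reverse half of the mapping)."""
    for rule in rules:
        in_scope = rule.destination is None or src in rule.destination
        if dst in rule.external and in_scope:
            return netmap(dst, rule.external, rule.internal)
    return dst


# Networks taken from the posts.
LAN = Net("192.168.121.0/24")        # real local subnet
LAN_BINAT = Net("172.16.254.0/24")   # what the customer tunnel should see instead
CUSTOMER = Net("172.16.246.0/24")    # customer's (already BiNAT'd) network
BRANCH = Net("10.0.143.0/24")        # branch office tunnel, no BiNAT wanted

# The One-to-One entry exactly as posted: Destination IP: * (any).
RULE_ANY = [BinatRule(LAN, LAN_BINAT, None)]
# Assumed alternative: the same mapping limited to the one tunnel that needs it.
RULE_SCOPED = [BinatRule(LAN, LAN_BINAT, CUSTOMER)]


def demo() -> dict:
    """Run one LAN host through both rule sets; values are returned so they can be checked."""
    host = IPv4("192.168.121.50")
    to_customer = IPv4("172.16.246.9")
    to_branch = IPv4("10.0.143.7")
    return {
        "any_to_customer": str(outbound_source(host, to_customer, RULE_ANY)),
        "any_to_branch": str(outbound_source(host, to_branch, RULE_ANY)),        # the takeover from the post
        "scoped_to_customer": str(outbound_source(host, to_customer, RULE_SCOPED)),
        "scoped_to_branch": str(outbound_source(host, to_branch, RULE_SCOPED)),  # branch sees the real LAN
        "reply_from_customer": str(inbound_destination(IPv4("172.16.254.50"), to_customer, RULE_SCOPED)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the any-destination rule the branch office sees 172.16.254.50 for a host that is really 192.168.121.50, which is exactly the "takes over all IPSec traffic" effect in the post; with the destination scoped to 172.16.246.0/24 only the customer tunnel is translated and a reply addressed to 172.16.254.50 maps back to the real host. When checking a live box, the firewall log's source column for the branch tunnel is the quickest place to confirm which of the two behaviours you actually have.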

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved