Virtual private networks / Can't get NAT before IPsec to work
« on: April 12, 2021, 03:00:15 pm »
Hi all,
I have to migrate a VPN tunnel from another gateway to OPNsense which relies on NAT before IPsec. The tunnel looks like this:
      LAN                              Customer site
  -------------      NAT      ---------------------    IPsec     -------------
  | Network A | ------------> | IP from Network B | ------------> | Network C |
  -------------               ---------------------               -------------
This is a pretty common scenario in corporate environments. From what I've read, there were problems doing this with OPNsense in the past, but it should be possible with the current version 21.1.4, which I'm running.
In phase 2, I have defined B as the local network and C as the remote network, and I added network A as a manual SPD entry. The tunnel comes up fine, but my outbound NAT rule refuses to work when I bind it to the IPsec interface. When I bind the very same NAT rule to the WAN interface, traffic gets NATed as expected, but apparently it does not enter the tunnel.
Any idea what I am missing?