SOLVED: Port forward behind IPSEC tunnel issues

[Manini]

Good Day,
i have an issue i can't understand where the problem could be.

src 10.1.1.0/24 -> IPSEC Tunnel -> local 172.21.101.0/24 this part works without issues.

Code Select Expand

# /sbin/ping -S '172.21.101.254' -c '3' '10.1.1.109'
PING 10.1.1.109 (10.1.1.109) from 172.21.101.254: 56 data bytes
64 bytes from 10.1.1.109: icmp_seq=0 ttl=127 time=30.058 ms
64 bytes from 10.1.1.109: icmp_seq=1 ttl=127 time=29.573 ms
64 bytes from 10.1.1.109: icmp_seq=2 ttl=127 time=29.568 ms

--- 10.1.1.109 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 29.568/29.733/30.058/0.230 ms

behind the local 172.21.101.0/24 network there is a gateway 172.21.101.1 having routes to my destination 192.168.162.95

reaching the system from the firewall is not an issue

Code Select Expand

root@OPNsense:~ # ssh -b 172.21.101.254 192.168.162.95
The authenticity of host '192.168.162.95 (192.168.162.95)' can't be established.
ECDSA key fingerprint is SHA256:Yv8S/Po2DfZu66ws8YU8s9h/woGgBsjUrOD47qJ1kuM.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ^C
root@OPNsense:~ #


Now i wanted to create port forwarding so that traffic from the remote network 10.1.1.0/24 can reach the target 192.168.162.95.

Code Select Expand

Interface Proto Address Ports Address Ports IP           Ports
IPsec            TCP *         * LAN net 5555 192.168.162.95 22 (SSH)

My goal i hit port 5555 on the LAN Address with my SSH connection to get to my target.

And if a run a packet capture that is exactly what is happening.

Code Select Expand


Interface Capture output
enc0
enc0 14:46:53.675703 (authentic,confidential): SPI 0xcaa31154: IP 10.1.1.109.49873 > 172.21.101.254.5555: tcp 0
LAN
xn1 14:46:53.675738 IP 10.1.1.109.49873 > 192.168.162.95.22: tcp 0


But this is where it gets wierd. I can see that the LAN interface is forwarding the packet to the right destination. But the source is the original not the firewall. Now i have read in some posts that in packet captures the source gets no translated. But i'm not sure if that is correct.

So that would mean i need outbound nat to use source nat to change all source ips going out the LAN interface.

Code Select Expand


enc0
enc0 14:55:02.325863 (authentic,confidential): SPI 0xcaa31154: IP 10.1.1.109.49949 > 172.21.101.254.5555: tcp 0
enc0
enc0 14:55:05.325635 (authentic,confidential): SPI 0xcaa31154: IP 10.1.1.109.49949 > 172.21.101.254.5555: tcp 0
LAN
xn1 14:55:02.325899 IP 172.21.101.254.12429 > 192.168.162.95.22: tcp 0
LAN
xn1 14:55:02.326378 IP 192.168.162.95.22 > 172.21.101.254.12429: tcp 0
LAN
xn1 14:55:03.355919 IP 192.168.162.95.22 > 172.21.101.254.12429: tcp 0
LAN
xn1 14:55:05.272145 ARP, Request who-has 172.21.101.254 tell 172.21.101.1, length 42
LAN
xn1 14:55:05.272154 ARP, Reply 172.21.101.254 is-at 06:b9:6a:bb:c8:e4, length 28
LAN
xn1 14:55:05.325658 IP 172.21.101.254.12429 > 192.168.162.95.22: tcp 0
LAN
xn1 14:55:05.326165 IP 192.168.162.95.22 > 172.21.101.254.12429: tcp 0
LAN
xn1 14:55:07.355896 IP 192.168.162.95.22 > 172.21.101.254.12429: tcp 0


looks way better but i still get no connection. I can see that the connection has reached the right target but the return traffic does not go any further that the LAN interface. I assume there are issues getting to the original source and this is where i'm stuck.

[chemlud]

reboot and retry, maybe? :-)

[Manini]

reboot and retry, maybe? :-)

Nope did not work  :)

[Manini]

Solved
Destination network needed to be added under Manual SPD entries in IPSEC Phase 2 settings for anyone stuck with a similar problem.