Broken NAT trying to mask OpenVPN clients through IPsec tunnels?

Started by andrewhotlab, October 26, 2020, 07:31:04 PM

Hi to all, I have the following scenario (a two-node OPNsense HA cluster, serving as both OpenVPN c2s and IPsec s2s terminator):

OpenVPN clients (10.199.8.0/25) <--> OPNsense (LAN CARP VIP: 10.199.9.126/25) <--> IPsec remote site (192.168.170.0/24)

The IPsec remote site only knows the LAN network (10.199.9.0/25), nor can I add 10.199.8.0/25 in phase 2 (no co-operation from the other side, sigh!). For this reason, in accordance with the documentation, I did the following tasks:

  • added the network 10.199.8.0/25 to "Manual SPD entries" in IPsec tunnel's phase 2 config;
  • created a NAT outbound rule to mask net 10.199.8.0/25 with address 10.199.9.126 on IPsec interface
    (nat on enc0 inet from 10.199.8.0/25 to 192.168.170.0/24 -> 10.199.10.126 port 1024:65535)

Now remote OpenVPN clients can connect to the IPsec remote site, but about 90% of the traffic is lost, because it looks like only the first and a few following packets are actually NATted to the destination! :(

You can see the evidence of the issue here below. I sent three ICMP echo requests from an OpenVPN client (10.199.8.46) to the host 192.168.170.1. Here is what the destination host sees:

17:37:07.691901 IP 10.199.10.126 > 192.168.170.1: ICMP echo request, id 9817, seq 0, length 64
17:37:07.691947 IP 192.168.170.1 > 10.199.10.126: ICMP echo reply, id 9817, seq 0, length 64
17:37:08.699266 IP 10.199.8.46 > 192.168.170.1: ICMP echo request, id 56334, seq 1, length 64
17:37:08.699309 IP 192.168.170.1 > 10.199.8.46: ICMP echo reply, id 56334, seq 1, length 64
17:37:09.700524 IP 10.199.8.46 > 192.168.170.1: ICMP echo request, id 56334, seq 2, length 64
17:37:09.700559 IP 192.168.170.1 > 10.199.8.46: ICMP echo reply, id 56334, seq 2, length 64

As you can read, only the first packet comes from the NAT IP (10.199.10.126), while the others seem to pass through the firewall without any translation.

Can anyone help me understand whether this is a bug, or whether I did something wrong in the configuration?

Thanks for any reply!


As additional info: I get the same problem if I use the private LAN IP of the CARP node in that NAT rule, or if I use a BINAT 1:1 rule. I see the NAT translation in the states table. All traffic is allowed between OpenVPN clients and the IPsec remote site, and from the LAN to the IPsec remote site.

No bug, only a wrong configuration by me. Since I put the wrong subnet mask combination in the BINAT config, which was giving me the same error I obtained by using the Outbound NAT config, I had the impression that neither of them worked... :(

I solved it by following the explanation I read on this page: "NAT before IPSEC" (I didn't understand the concept by reading the official documentation at https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html on the first try).
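As an added diagnostic example (my own code, not from the thread or from OPNsense): a small Python script that parses tcpdump lines like the excerpt in the first post and counts how many echo requests arrived at the remote host with the expected NAT source versus an untranslated client source, which is exactly the partial-translation symptom described above. The network values are the ones from the post; the sample capture is constructed from that excerpt, and the function name is my own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modeled on the tcpdump excerpt in the first post:
# three echo requests from an OpenVPN client toward the IPsec remote host.
SAMPLE_CAPTURE = """\
17:37:07.691901 IP 10.199.10.126 > 192.168.170.1: ICMP echo request, id 9817, seq 0, length 64
17:37:07.691947 IP 192.168.170.1 > 10.199.10.126: ICMP echo reply, id 9817, seq 0, length 64
17:37:08.699266 IP 10.199.8.46 > 192.168.170.1: ICMP echo request, id 56334, seq 1, length 64
17:37:08.699309 IP 192.168.170.1 > 10.199.8.46: ICMP echo reply, id 56334, seq 1, length 64
17:37:09.700524 IP 10.199.8.46 > 192.168.170.1: ICMP echo request, id 56334, seq 2, length 64
17:37:09.700559 IP 192.168.170.1 > 10.199.8.46: ICMP echo reply, id 56334, seq 2, length 64
"""

# Matches the tcpdump one-line ICMP echo format used in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)"
)


def audit_nat_coverage(capture, client_net, nat_ip, remote_net):
    """Classify every echo request seen on the remote side of the tunnel.

    'translated' = source is the NAT address (what the remote site expects),
    'leaked'     = source is still an OpenVPN client address (NAT was skipped;
                   the remote site has no route/SA back to it, so replies die),
    'other'      = requests not heading for the remote network.
    Returns the counts plus (timestamp, source) of each leaked request.
    """
    client_net = ipaddress.ip_network(client_net)
    remote_net = ipaddress.ip_network(remote_net)
    nat_ip = ipaddress.ip_address(nat_ip)
    counts = Counter()
    leaked = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["kind"] != "request":
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if dst not in remote_net or (src != nat_ip and src not in client_net):
            counts["other"] += 1
        elif src == nat_ip:
            counts["translated"] += 1
        else:
            counts["leaked"] += 1
            leaked.append((m["ts"], str(src)))
    return {"counts": dict(counts), "leaked": leaked}


if __name__ == "__main__":
    print(audit_nat_coverage(SAMPLE_CAPTURE, "10.199.8.0/25", "10.199.10.126", "192.168.170.0/24"))
```

Run it against a real `tcpdump -ni <iface> icmp` capture taken on the remote host; any non-zero "leaked" count means the outbound NAT is not being applied to every packet before it enters the tunnel.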