IPsec - 1-to-1 BINAT not receiving TCP packets back

Started by benni.mack, November 21, 2020, 08:24:44 PM

Hey everyone,

After some days and nights of trying to figure out what my problem is, I hope to find some pointers / answers here:

I want to connect from any machine on my local network, behind OPNsense as my main router, to defined remote servers via IPsec.

I set up an IPsec ESP tunnel mode connection with a remote network. The connection / tunnel is established, and phase 1 / phase 2 are running properly.

My requirements are exactly as documented here https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html, except that only my OPNsense is doing BINAT and not the other side, as they do not need this (Cisco ASA 5545-X). The remote company sent me the details that their remote network (10.190.0.0/16 - this is where I need to access servers) is only allowed to send to 10.160.50.0/24 - so I configured IPsec to establish a tunnel between these two networks.

=> My public IP 1.2.3.4
=> My local office IP net is 192.168.1.0/24

Also: NAT Traversal is enabled on phase 1, and "install policies" and "install routes" is also enabled.

First hurdle (which I managed) was to add my local office IP net to the "Manual SPD entries" in phase 2. As soon as I add this, I can see outgoing traffic (via tcpdump on OPNsense) but no incoming traffic.

So, I assumed I had to set up a One-To-One BINAT with 192.168.1.0/24 as the source network, the remote network (10.190.0.0/16) as the destination, and the external network defined as 10.160.50.0/24 as the one doing the NAT.

Once I set the One-To-One NAT on the IPsec interface, I can at least ping a server on the remote VPN, and I get a response back (echo response) from the server in the remote network. However, tcpdump does not show the translated IP on the "enc0" interface but the original IP, which I found a bit odd, and it is where I assume the issue resides: I cannot connect via TCP on e.g. HTTPS/SSH. Crazily enough, if I use the proprietary Cisco AnyConnect into their servers, I can do a curl request and get a proper response. So I figure this needs to be something on my side that I misconfigured, or something missing so that the NAT is not working properly, as the remote servers cannot "talk back".

So my assumptions are either that 1-to-1 NAT via IPsec only works if both parties do 1-to-1 NAT (which I would find odd?) or that the BINAT is not doing its job before the packets are sent over IPsec?

Would appreciate any kind of help!

Thanks in advance.
Benni.
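Added example (not from the original post, and not OPNsense code): a small Python model of why untranslated office addresses get no answer through this tunnel. In IPsec, a packet is only carried by a Phase 2 SA, and only accepted by the peer, if its source and destination fall inside the negotiated traffic selectors, and the peer here negotiated only 10.160.50.0/24 <-> 10.190.0.0/16. The host addresses 192.168.1.50 and 10.190.0.10 and all function names are constructed for illustration; the selector check is a deliberate simplification of the kernel SPD.

```python
import ipaddress

# Networks named in the post. The host addresses used below (192.168.1.50,
# 10.190.0.10) are constructed for this example.
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")   # office LAN behind OPNsense
BINAT_NET = ipaddress.ip_network("10.160.50.0/24")   # what the remote side expects to see
REMOTE_NET = ipaddress.ip_network("10.190.0.0/16")   # servers reached through the tunnel


def binat(addr, from_net, to_net):
    """1:1 (BINAT) translation: keep the host part of addr, swap the network part.

    The same function serves both directions; swap from_net/to_net for replies.
    """
    addr = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 BINAT needs two networks of the same size")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}, nothing to translate")
    host_part = int(addr) - int(from_net.network_address)
    return str(ipaddress.ip_address(int(to_net.network_address) + host_part))


def selector_matches(src, dst, local_net, remote_net):
    """Simplified SPD / traffic-selector check (assumption: one Phase 2 only).

    A packet is carried by the tunnel, and accepted by the peer, only if src and
    dst both fall inside the negotiated Phase 2 networks.
    """
    return (ipaddress.ip_address(src) in local_net
            and ipaddress.ip_address(dst) in remote_net)


def outbound(src, dst, use_binat):
    """Office host -> remote server. Returns (src as sent into the tunnel, carried)."""
    wire_src = binat(src, LOCAL_LAN, BINAT_NET) if use_binat else src
    # The peer's selector is 10.160.50.0/24 <-> 10.190.0.0/16; the office LAN
    # itself never appears in it, so an untranslated source cannot match.
    return wire_src, selector_matches(wire_src, dst, BINAT_NET, REMOTE_NET)


def inbound(src, dst):
    """Remote server -> office host (the reply). Returns (dst after un-BINAT, carried)."""
    carried = selector_matches(src, dst, REMOTE_NET, BINAT_NET)
    if not carried:
        return dst, False
    return binat(dst, BINAT_NET, LOCAL_LAN), True


def trace(src="192.168.1.50", dst="10.190.0.10"):
    """Walk one request/reply pair with BINAT off and on; returns a dict of results."""
    result = {}
    for use_binat in (False, True):
        wire_src, carried_out = outbound(src, dst, use_binat)
        if carried_out:
            reply_dst, carried_in = inbound(dst, wire_src)
        else:
            reply_dst, carried_in = None, False   # request never left the SA; no reply
        result[use_binat] = {
            "wire_src": wire_src,
            "request_carried": carried_out,
            "reply_delivered_to": reply_dst,
            "reply_carried": carried_in,
        }
    return result


if __name__ == "__main__":
    for use_binat, r in trace().items():
        print(f"BINAT={'on' if use_binat else 'off'}: {r}")
```

Running it shows the request with BINAT off failing the selector outright (no reply is possible), while with BINAT on the source leaves as 10.160.50.50, the reply to 10.160.50.50 matches the inbound selector and is un-translated back to 192.168.1.50. Whether the real box applies the 1:1 rule before the SPD lookup is exactly what a tcpdump on enc0 does not tell you, since that capture point shows pre-translation addresses.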


Quote from: mimugmail on November 21, 2020, 11:57:33 PM
Do you use multiple SAs?

I did not set up any SAs manually, just used the config from OPNsense directly ("Install Policy"), and the Security Association Database contains two entries (both ESP). Phase 1 is based on a mutual PSK.

I hope I understood your question correctly.


Quote from: mimugmail on November 22, 2020, 08:54:27 AM
I meant multiple Phase2

Ah, I see. No, no multiple Phase 2s. Very basic and straightforward. One thing I wondered was whether I need the "NAT Traversal" option in the IPsec configuration to be the same on both sides, or only on the side which receives or sends via NAT... Maybe that's a thing to consider?

Sorry, I reread the thread again; tcpdump regarding NAT in IPsec shows packets prior to rewriting (compared to usual interfaces). This also took me some time back in the days. I think it's safe now to ask the other side if they see dropped packets.

Thanks, I will ask for details on packet sending from the other side today and keep you posted!