[Resolved] Unable to perform the Nat through IPSec

Started by athisesanr, June 11, 2024, 02:04:43 PM

June 11, 2024, 02:04:43 PM Last Edit: June 12, 2024, 07:41:21 AM by athisesanr
Hi Folks,

I have a question regarding IPsec with DNAT and SNAT, following the steps below that I'm trying on the OPNsense FW.

The following steps are configured and I'm checking the connections:

- IPsec between Site A (OPNsense) and Site B (FortiGate)     (policy-based tunnel up)
- Site A has a local network of 100.100.100.0/27
- Site B has a local network of 100.200.100.0/27
- Site A has some VLAN connectivity with its internal VLAN network (such as 10.10.10.15)
- Site B wants to connect to 10.10.10.15 through the NAT IP of 100.100.100.10; this IP is chosen from the Site B local subnet's free IPs.
- Ensured that the Site A local subnet 100.100.100.0/27 has connectivity to 10.10.10.15
- Able to reach from Site B the OPNsense-configured IPs in the Site A local subnet, such as the interface IP and CARP IP.
- Unable to reach from Site B the Site A IP of 100.100.100.10, which is NATed to 10.10.10.15
- Having a port forward NAT (DNAT) on the IPsec interface like below:
          (src-100.200.100.10 , dst-10.10.10.15 , translated-100.100.100.10)
- Having an outbound NAT (SNAT) on the internal VLAN interface like below:
          (src-100.200.100.10 , dst-100.100.100.10 , translated-10.10.10.15)


So, checking the traffic, I can get the reply from the VLAN network, but I couldn't ping from Site B to the OPNsense internal VLAN network via NAT.

16:27:31.135755 IP 100.100.100.10 > 10.10.10.15: ICMP echo request, id 14098, seq 1628, length 64
16:27:31.136089 IP 10.10.10.15 > 100.100.100.10: ICMP echo reply, id 14098, seq 1628, length 64

Hence, I think I missed something in NAT; can anyone guide me here?

Please note all the interface rules are any-any.

Thanks,

Hi All,

This issue got resolved after adding a manual SPD entry in IPsec for the source IP of the reply from Site B.

I added 10.10.10.15/32 in the manual SPD.


Thanks all.
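As an added illustration (not code from the original post and not OPNsense's own code), the Python model below traces the ICMP exchange from the thread through the two NAT rules and a policy-based SPD, with and without the manual SPD entry that resolved the issue. The addresses are the thread's; the rule names, the processing order (outbound NAT reversed on the VLAN interface first, SPD lookup next, port-forward reversal on the IPsec interface last, so the SPD sees the real VLAN source 10.10.10.15) and the SPD structure are my own assumptions, chosen because they are consistent with the fix reported above.

```python
import ipaddress

# Constructed addresses taken from the thread.
SITE_B_HOST = ipaddress.ip_address("100.200.100.10")   # remote host behind FortiGate
NAT_IP = ipaddress.ip_address("100.100.100.10")        # free IP used as the NAT address
VLAN_HOST = ipaddress.ip_address("10.10.10.15")        # real host on the internal VLAN
SITE_A_NET = ipaddress.ip_network("100.100.100.0/27")
SITE_B_NET = ipaddress.ip_network("100.200.100.0/27")


def build_spd(manual_entries=()):
    """Outbound SPD as (local_net, remote_net) selector pairs.

    Assumption: the phase 2 selector covers Site A <-> Site B, and each
    manual SPD entry adds another local selector towards the Site B network.
    """
    spd = [(SITE_A_NET, SITE_B_NET)]
    for local in manual_entries:
        spd.append((ipaddress.ip_network(local), SITE_B_NET))
    return spd


def spd_match(spd, src, dst):
    """True if some selector pair covers the (src, dst) of an outbound packet."""
    return any(src in local and dst in remote for local, remote in spd)


def trace_exchange(manual_entries=()):
    """Walk the request and reply through NAT and the SPD; return what happened."""
    spd = build_spd(manual_entries)
    steps = []

    # 1. Request leaves the tunnel: Site B host -> NAT address in Site A's subnet.
    src, dst = SITE_B_HOST, NAT_IP
    steps.append(f"decrypted request {src} > {dst}")

    # 2. Port forward (DNAT) on the IPsec interface rewrites the destination.
    dst = VLAN_HOST
    steps.append(f"after DNAT {src} > {dst}")

    # 3. Outbound NAT (SNAT) on the VLAN interface rewrites the source.
    #    This matches the first tcpdump line in the thread.
    src = NAT_IP
    request_on_vlan = (src, dst)
    steps.append(f"on VLAN {src} > {dst}")

    # 4. Reply from the VLAN host, matching the second tcpdump line.
    reply_src, reply_dst = VLAN_HOST, NAT_IP
    steps.append(f"reply on VLAN {reply_src} > {reply_dst}")

    # 5. The state created by the outbound NAT is reversed on the way back in,
    #    so the destination becomes the real Site B host again.
    reply_dst = SITE_B_HOST

    # 6. Assumption: the SPD lookup happens before the port forward is reversed,
    #    so the selector is checked against the real VLAN source 10.10.10.15.
    matched = spd_match(spd, reply_src, reply_dst)
    steps.append(
        f"SPD lookup {reply_src} > {reply_dst}: "
        + ("matched, encrypted into tunnel" if matched else "no selector, not sent via IPsec")
    )
    return {"request_on_vlan": request_on_vlan,
            "reply_selector": (reply_src, reply_dst),
            "reply_in_tunnel": matched,
            "steps": steps}


if __name__ == "__main__":
    for label, entries in (("without manual SPD", ()), ("with manual SPD", ("10.10.10.15/32",))):
        print(f"== {label} ==")
        for line in trace_exchange(entries)["steps"]:
            print("  " + line)
```

Running it prints the two traces: without the manual entry the reply's selector (10.10.10.15 to 100.200.100.10) is outside 100.100.100.0/27 and never enters the tunnel, which is exactly the symptom of seeing replies on the VLAN while Site B gets nothing; adding 10.10.10.15/32 as a manual SPD entry makes the selector match.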