(Source- ?) NAT before IPsec

Started by HolgerKuehn, February 23, 2025, 09:28:52 PM

Hi guys,

I've been using OPNsense at home for quite some time, and was recently able to replace our old Zyxel firewall at work with OPNsense. I have had IPsec tunnels working successfully for quite some time, but had been able to avoid NAT until now.

I need to set up an IPsec tunnel to a partner using the same local network as we are. So obviously some NAT had to be set up. Researching, I found this post (https://forum.opnsense.org/index.php?topic=22605.0), but for the life of me I could not get this to work. So I hope to get some input here.


The setup is the following:

-------------------------------------
-- local network - 172.28.0.0/16   --
--   local PC    - 172.28.200.106  --
-------------------------------------
             -
             -
-------------------------------------
--        Firewall                 --
--                                 --
--      NAT to 10.199.2.129        --
--                                 --
--    IPsec to 10.199.2.128/25     --
-------------------------------------
             -
             -
-------------------------------------
--       at partner                --
--       reaching to               --
--       10.199.2.2/32             --
-------------------------------------

The tunnel itself is configured and should work. Originally, set up with source net 172.28.0.0/16, packets got sent.


What do I need to configure to get packets sent through this IPsec tunnel?

 - 172.28.200.106 sends an RDP packet with destination 10.199.2.2
 - 172.28.200.106 is NATed to 10.199.2.129
 - 10.199.2.129 sends the RDP packet through the IPsec tunnel
 - it is handled at the partner site to reach 10.199.2.2 and NATed to 172.28.x.x

As far as I understood the documentation I found, this is Outbound NAT, and I configured it as follows:

 - Firewall NAT Outbound
 - Interface             IPsec
 - TCP/IP                IPv4
 - Protocol              any
 - Source Address        172.28.200.106
 - Source Port           any
 - Destination Address   10.199.2.2/32
 - Destination Port      any
 - Translation / Target  10.199.2.129

The hints state something about configuring Virtual IP addresses on the interface first, but I have no way to define them on the IPsec interface, as it is not listed there.

Any hints on what I am missing would be greatly appreciated. If I need to provide more info just let me know.
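The point that usually decides whether this setup works is the order of operations on the IPsec interface: outbound NAT on that interface rewrites the source address before the packet is matched against the phase 2 traffic selectors, so the translated address (10.199.2.129), not the original 172.28 address, must fall inside the phase 2 local network. The following model, added here as an illustration and not part of OPNsense or of this post, walks a packet through that order using the addresses from the question. The `Packet`, `OutboundNatRule`, `Phase2Selector` and `trace` names are hypothetical, and the first-match rule evaluation and the "encrypt only if the post-NAT tuple matches a selector" behaviour are assumptions made for the model, not OPNsense's code.

```python
"""Model of 'NAT before IPsec' policy matching (constructed example, not OPNsense code).

Assumptions (hypothetical, for illustration only):
  - outbound NAT rules on the IPsec interface are evaluated first-match,
  - a packet is handed to the tunnel only if its post-NAT source/destination
    fall inside one phase 2 selector pair; otherwise it leaves unencrypted
    (or is dropped by a firewall rule), which looks like "no packets sent".
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str = "tcp"
    dport: int = 3389          # RDP, as in the question


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str
    source: IPv4Network
    destination: IPv4Network
    target: IPv4Address        # "Translation / Target" in the GUI
    protocol: str = "any"


@dataclass(frozen=True)
class Phase2Selector:
    local: IPv4Network         # phase 2 "local network"
    remote: IPv4Network        # phase 2 "remote network"


def apply_outbound_nat(pkt: Packet, rules, interface: str = "ipsec"):
    """Return (translated packet, matched rule); unchanged packet if no rule matches."""
    for rule in rules:
        if rule.interface != interface:
            continue
        if rule.protocol not in ("any", pkt.proto):
            continue
        if pkt.src in rule.source and pkt.dst in rule.destination:
            return replace(pkt, src=rule.target), rule
    return pkt, None


def matches_selector(pkt: Packet, selectors) -> Optional[Phase2Selector]:
    """First phase 2 selector whose local/remote networks cover the packet."""
    for sel in selectors:
        if pkt.src in sel.local and pkt.dst in sel.remote:
            return sel
    return None


def trace(pkt: Packet, rules, selectors) -> dict:
    """NAT first, then selector match: the order that matters on the IPsec interface."""
    translated, rule = apply_outbound_nat(pkt, rules)
    sel = matches_selector(translated, selectors)
    return {"translated": translated, "nat_rule": rule,
            "selector": sel, "encrypted": sel is not None}


# Constructed configuration, taken from the addresses in the question.
NAT_RULES = [OutboundNatRule(interface="ipsec",
                             source=ip_network("172.28.200.106/32"),
                             destination=ip_network("10.199.2.2/32"),
                             target=ip_address("10.199.2.129"))]

# Phase 2 must describe the *translated* side: local 10.199.2.128/25, not 172.28.0.0/16.
PHASE2 = [Phase2Selector(local=ip_network("10.199.2.128/25"),
                         remote=ip_network("10.199.2.2/32"))]

RDP_FROM_PC = Packet(src=ip_address("172.28.200.106"), dst=ip_address("10.199.2.2"))


if __name__ == "__main__":
    for label, rules in (("with NAT rule", NAT_RULES), ("without NAT rule", [])):
        result = trace(RDP_FROM_PC, rules, PHASE2)
        print(f"{label}: src after NAT={result['translated'].src} "
              f"encrypted={result['encrypted']}")
```

Running it shows the two cases side by side: with the rule, the source becomes 10.199.2.129, which lies in 10.199.2.128/25, so the packet matches the selector; without the rule (or with the rule on the wrong interface), the 172.28 source matches nothing and never enters the tunnel. A host not covered by the rule's source (here only the single /32) is likewise left untranslated, so widening the source to the whole LAN is the usual next step once the single-host test works.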