IPSEC site to site tunnel with other side behind NAT

Started by ivica.glavocic, September 30, 2025, 10:00:06 AM

I set up an IPSEC site to site tunnel with OPNSense having a public IP and a NAT-ed Fortigate on the other site.
The Fortigate is behind an ISP router, its WAN has a private IP, and all necessary ports are forwarded from the ISP router to the Fortigate:

OPNSENSE (PUBLIC IP) ---- ISP (PUBLIC IP) --- Fortigate (Private IP)

With other devices, for the IPSEC site to site tunnel to work, all it took was to set up the remote (FG) ID as its private IP.
With OPNSense I just can't make it work with the same configuration. The log says:

looking for peer configs matching OPNSensePublicIP[%any]...ISPPublicIP[FGprivateIP]
no matching peer config found

What am I doing wrong?

So you set up a legacy IPSec?
You should consider that this is deprecated and will not be available anymore in future versions.

Quote from: ivica.glavocic on September 30, 2025, 10:00:06 AM
With other devices, for the IPSEC site to site tunnel to work, all it took was to set up the remote (FG) ID as its private IP.

I don't know what you configured there.

Anyway, you have to distinguish the remote gateway from the remote identifier.
If the remote endpoint is behind a router, you have to specify the router's public IP as the remote gateway. But the remote identifier could be something else, like the local IP of the Fortigate (probably the default).

If the remote site is sending its local IP as the identifier, you have to specify this in your setup. Or try to set the identifier to "automatic".

Nope, I set up the new routed version of IPSEC (VTI, PSK, Conn, Gw, Route).

The remote router is sending its private WAN address 192.168.0.254 as the remote ID.
Can you please tell me where to put the remote ID info in the OPNSense IPSEC configuration?
I put the remote ID in PSK and Connections - Remote Authentication; the tunnel is down.

Assuming you use a Pre-Shared Key, first you have to define the key in VPN: IPsec: Pre-Shared Keys.
Here you can state the local and the remote identifier. If the remote site uses its local IP, enter it here.

Then in VPN: IPsec: Connections > Remote Authentication, select the Pre-Shared Key at Connection, "Pre-Shared key" at Authentication, and also state the remote ID (local IP).
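To make the gateway-versus-identifier distinction concrete, here is an added swanctl.conf example; it is not from this thread, and OPNsense generates an equivalent file from the Connections and Pre-Shared Keys pages rather than having you edit it by hand. It assumes documentation-range placeholder addresses (203.0.113.10 for the OPNsense WAN, 198.51.100.20 for the ISP router) and a routed (VTI) child with a placeholder interface id; the only real value taken from the thread is the Fortigate's private WAN address 192.168.0.254 used as the remote identity.

```conf
# Added example (not the thread's own config). Placeholder addresses from
# the documentation ranges; replace them with your own.
connections {
    site-fortigate {
        version = 2
        # Local gateway address: the OPNsense public WAN IP.
        local_addrs  = 203.0.113.10
        # Remote GATEWAY: the ISP router's public IP, i.e. the address the
        # IKE packets actually come from. Not the Fortigate's private IP.
        remote_addrs = 198.51.100.20
        # NAT-T is negotiated automatically; UDP/4500 must be forwarded.
        mobike = no
        local {
            auth = psk
            # Local identity: the value the peer must expect as our IDr.
            id = 203.0.113.10
        }
        remote {
            auth = psk
            # Remote IDENTITY: what the Fortigate sends as IDi, which here is
            # its private WAN address behind the ISP router's NAT.
            id = 192.168.0.254
        }
        children {
            vti-fortigate {
                # Routed mode: wildcard selectors, traffic steered by route.
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                start_action = start
                # Placeholder interface id bound to the VTI / ipsec interface.
                if_id_in  = 1
                if_id_out = 1
            }
        }
    }
}
secrets {
    ike-fortigate {
        # The PSK is selected by the identities on both sides.
        id-1 = 203.0.113.10
        id-2 = 192.168.0.254
        secret = "replace-with-the-real-psk"
    }
}
```

The "looking for peer configs matching A[x]...B[y]" log line lists the local address and the IDr the initiator asked for (shown as %any when the initiator sends no IDr), then the peer address and the IDi it sent; for a match, B must fall under remote_addrs and y must equal remote.id.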

Done exactly all of that, not working.

Log has a strange entry:
looking for peer configs matching opnsense.public.ip[%any]...remote.public.ip[remote.c-class.id] - no matching peer config found

Why is OPNsense trying to match %any as the ID with its public IP, when in the config (Pre-Shared Key and Connections - Local Authentication) opnsense.public.ip is entered as the local ID?