Opnsense as a Gateway for IPSec Roadwarrior (NAT issue)

Started by schnipp, August 20, 2018, 10:15:09 PM

Today I have extended my Roadwarrior IPSec connection to use the Opnsense as a Gateway to the Internet. What I have done so far:

  • I added an additional phase2 entry for Internet-routable destination addresses
  • I added an appropriate firewall rule to route the incoming IPSec packets to the Internet

I was wondering why communication to the Internet did not work. Some investigation showed that the IPSec interface is not covered by the automatic NAT rule creation, so the firewall routed the packets to the Internet without replacing the private source address with the address of the WAN interface.

So I applied a corresponding NAT rule to adjust the packets for proper routing through the Internet. But Internet access did not work either.

Some more investigation showed that manually added and applied NAT rules only take effect after restarting the WAN connection.

So my question is whether this is a bug or correct behaviour. In the latter case, it would be a good idea to give the user a hint to reconnect after applying new NAT rules.
OPNsense 24.7.11_2-amd64
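The core of the problem described in this post is that the automatic outbound NAT only covers the interfaces OPNsense knows about, so the road-warrior pool reaching the WAN via the IPsec interface leaves with its private source address. A quick way to confirm this is to check the active NAT rule set for the client pool. The script below is an added example, not code from the original post or from OPNsense: it parses a simplified, constructed `pfctl -s nat`-style rule dump (interface name `em0`, LAN `192.168.1.0/24` and road-warrior pool `10.99.0.0/24` are all assumed values) and reports which source subnets no outbound NAT rule on the WAN interface translates, before and after the manual rule is added.

```python
import ipaddress
import re

# Constructed sample in the style of `pfctl -s nat` output (simplified, not
# taken from a real box): the automatic outbound NAT covers the LAN only.
NAT_RULES_BEFORE = """\
nat on em0 inet from 192.168.1.0/24 to any port = 500 -> (em0:0) static-port
nat on em0 inet from 192.168.1.0/24 to any -> (em0:0) port 1024:65535
"""

# Same rule set after a manual outbound NAT rule for the (assumed) IPsec
# road-warrior pool 10.99.0.0/24 has been added on the WAN interface.
NAT_RULES_AFTER = NAT_RULES_BEFORE + """\
nat on em0 inet from 10.99.0.0/24 to any -> (em0:0) port 1024:65535
"""

# Matches the subset of pf NAT syntax used in the sample above.
RULE_RE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port [^-]+)? -> \((?P<nat_if>[^:]+):0\)"
)


def parse_nat_rules(text):
    """Turn rule lines into dicts with the source network as an ip_network."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # comment, blank line, or syntax this toy parser ignores
        src = m.group("src")
        net = (ipaddress.ip_network("0.0.0.0/0") if src == "any"
               else ipaddress.ip_network(src, strict=False))
        rules.append({"iface": m.group("iface"), "src": net,
                      "dst": m.group("dst"), "nat_if": m.group("nat_if")})
    return rules


def uncovered_sources(nat_text, wan_iface, source_nets):
    """Return the subnets in source_nets that no catch-all outbound NAT rule
    on wan_iface translates; these would hit the Internet un-NATed."""
    rules = [r for r in parse_nat_rules(nat_text)
             if r["iface"] == wan_iface and r["dst"] == "any"]
    missing = []
    for net in source_nets:
        net = ipaddress.ip_network(net, strict=False)
        if not any(net.subnet_of(r["src"]) for r in rules):
            missing.append(str(net))
    return missing


def suggested_rule(wan_iface, net):
    """pf-style outbound NAT rule that would close the gap (the GUI generates
    the real one from Firewall > NAT > Outbound; this is just for comparison)."""
    return f"nat on {wan_iface} inet from {net} to any -> ({wan_iface}:0) port 1024:65535"


if __name__ == "__main__":
    pool = ["10.99.0.0/24", "192.168.1.0/24"]
    for label, text in (("before", NAT_RULES_BEFORE), ("after", NAT_RULES_AFTER)):
        gaps = uncovered_sources(text, "em0", pool)
        print(f"{label}: un-NATed sources = {gaps or 'none'}")
        for g in gaps:
            print("  suggested:", suggested_rule("em0", g))
```

Two practical notes on reading the result: pf evaluates NAT when a state is created, so an outbound NAT rule added while a road-warrior session already has states will not translate those existing flows, which matches the observation in the post that the rule only seemed to take effect after the connection was restarted; clearing the relevant states (or reconnecting the client) is enough, a WAN restart is not required. On a live box the input would come from `pfctl -s nat` rather than the constructed string, and the real output carries more syntax than this small parser handles.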

Hi, could you please explain the steps in more detail?
I added the NAT and I see that in the logs my local VPN is getting NATted but somehow the packet is not routed back to the IPSec interface and I cannot connect to external IPs.

Thanks


@lambrusco:
If incoming VPN packets on the IPsec interface get NATed on the WAN interface, everything should be fine. How did you notice that NATing works fine?

Could you please post the following details:

  • IPSec network address range
  • NAT rule
OPNsense 24.7.11_2-amd64

I changed my phase2 subnet to 0.0.0.0/0 and added a NAT rule on my WAN for all traffic coming from my IPsec subnet. Still iOS clients cannot access the Internet. Did anyone get this working?

Best way to start identifying the issue is do a packet dump of the IPSEC interface and review with wireshark.
OPNsense 24.7.11_2-amd64