NAT before IPSEC - Bug??

Started by olest, May 24, 2019, 11:18:54 AM

Hi,

I have tried to setup NAT before IPSEC.

Followed this how to doc:
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html

Is it not working with 19.1?

I haven't tried with 18.7.

(tested with a pfSense instead of my opnsense box and then it is working)

I have two machines with 19.1.4 where it's running fine, must be a configuration issue.
More detail about the setup and error, please.

May 24, 2019, 12:45:54 PM #2 Last Edit: May 24, 2019, 12:47:25 PM by olest
LAN network: 192.168.17.0/24
OPNsense 19.1.7 - could it be kernel changes since 19.1.4?

IPSEC Phase 2 (tunnel up):
local network 10.222.15.0/24
remote network: 192.168.11.0/24
Manual SPD: 192.168.17.0/24

NAT 1:1:
Interface IPSEC
Type: BINAT
External network: 10.222.15.0/24
Source: 192.168.17.0/24
Destination: 192.168.11.0/24

Firewall:
Default LAN allow all rule.

I cannot ping 192.168.11.244 from 192.168.17.101 using the OPNsense firewall.

--
With pfSense I use:
Phase 2:
local network: 192.168.17.0/24
BINAT translation: 10.222.15.0/24
remote network: 192.168.11.0/24


I get nothing when I use "tcpdump -i enc0" and ping 192.168.11.244.

(tested with other tunnels with no NAT and then I see the traffic with tcpdump)

With tcpdump on the LAN interface igb1 I get:
20:57:51.045693 IP 192.168.17.101 > 192.168.11.244: ICMP echo request, id 1, seq 36150, length 40

Consider me amazed if this is not VTI and pfSense works but you're using ping without -S parameter which would indicate the opposite.

IPsec (non-VTI) needs -S for the source address and IPsec said source address to accept traffic into the tunnel. Always.

# ping 192.168.77.1
PING 192.168.77.1 (192.168.77.1): 56 data bytes
^C
--- 192.168.77.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
# ping -S 10.0.0.1 192.168.77.1
PING 192.168.77.1 (192.168.77.1) from 10.0.0.1: 56 data bytes
64 bytes from 192.168.77.1: icmp_seq=1 ttl=255 time=56.350 ms
64 bytes from 192.168.77.1: icmp_seq=2 ttl=255 time=48.087 ms

IPsec from 10.0.0.1 -> 192.16.77.1


Cheers,
Franco

Not sure what you mean or what you want me to test.

Quote from: franco on May 24, 2019, 09:04:17 PM
Consider me amazed if this is not VTI and pfSense works but you're using ping without -S parameter which would indicate the opposite.

IPsec (non-VTI) needs -S for the source address and IPsec said source address to accept traffic into the tunnel. Always.

# ping 192.168.77.1
PING 192.168.77.1 (192.168.77.1): 56 data bytes
^C
--- 192.168.77.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
# ping -S 10.0.0.1 192.168.77.1
PING 192.168.77.1 (192.168.77.1) from 10.0.0.1: 56 data bytes
64 bytes from 192.168.77.1: icmp_seq=1 ttl=255 time=56.350 ms
64 bytes from 192.168.77.1: icmp_seq=2 ttl=255 time=48.087 ms

IPsec from 10.0.0.1 -> 192.16.77.1


Cheers,
Franco

The only SPDs with 192.168.11.0/24 I see are:
192.168.11.0/24  10.222.15.0/24
10.222.15.0/24    192.168.11.0/24

Should there not be any entry for the manual SPD?
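The check behind this question can be written down. The following is an added example, not code from the thread or from OPNsense: it takes the two SPD entries the poster listed and the BINAT rule from the earlier post, translates a LAN source the way a 1:1 BINAT would (network bits swapped, host bits kept), and reports which selectors the pre-NAT and post-NAT source addresses fall into. The manual SPD entry (192.168.17.0/24 towards the remote network) is an assumption built from the how-to the poster followed. Run against the addresses from the thread it shows that, with only the two observed entries, the untranslated LAN source 192.168.17.101 matches no selector at all, which is what the poster is asking about; it also shows why a ping sourced from an address outside every selector (Franco's point about -S) matches nothing either.

```python
"""Check which IPsec SPD selectors a flow matches before and after 1:1 BINAT.

Simplified model for troubleshooting: it only answers "is this source/destination
pair inside some selector", it does not model kernel or pf processing order.
"""
from ipaddress import ip_address, ip_network

# Constructed from the post: the two SPD entries the poster saw (src -> dst).
OBSERVED_SPDS = [
    (ip_network("192.168.11.0/24"), ip_network("10.222.15.0/24")),
    (ip_network("10.222.15.0/24"), ip_network("192.168.11.0/24")),
]

# Assumption: the manual SPD the how-to asks for, LAN -> remote network.
MANUAL_SPD = (ip_network("192.168.17.0/24"), ip_network("192.168.11.0/24"))

# BINAT rule as described in the post: LAN <-> external net, towards the remote net.
BINAT = {
    "source": ip_network("192.168.17.0/24"),
    "external": ip_network("10.222.15.0/24"),
    "destination": ip_network("192.168.11.0/24"),
}


def binat_translate(src, dst, binat):
    """Return the translated source for a 1:1 BINAT, or src unchanged if the rule
    does not apply. A 1:1 mapping requires equal prefix lengths."""
    if binat["source"].prefixlen != binat["external"].prefixlen:
        raise ValueError("1:1 BINAT needs matching prefix lengths")
    if src not in binat["source"] or dst not in binat["destination"]:
        return src
    host_bits = int(src) - int(binat["source"].network_address)
    return ip_address(int(binat["external"].network_address) + host_bits)


def matching_spds(src, dst, spds):
    """All (src_selector, dst_selector) pairs that cover this flow."""
    return [(str(s), str(d)) for s, d in spds if src in s and dst in d]


def diagnose(src, dst, spds=OBSERVED_SPDS, binat=BINAT):
    """Summarise selector coverage for the original and the translated source."""
    src, dst = ip_address(src), ip_address(dst)
    translated = binat_translate(src, dst, binat)
    return {
        "original_src": str(src),
        "translated_src": str(translated),
        "spd_for_original": matching_spds(src, dst, spds),
        "spd_for_translated": matching_spds(translated, dst, spds),
    }


if __name__ == "__main__":
    # The poster's failing ping: LAN host to the remote host.
    print(diagnose("192.168.17.101", "192.168.11.244"))
    # Same flow with the manual SPD present.
    print(diagnose("192.168.17.101", "192.168.11.244", OBSERVED_SPDS + [MANUAL_SPD]))
    # A ping from the firewall without -S, sourced from a constructed WAN address.
    print(diagnose("203.0.113.1", "192.168.11.244"))
```

An empty `spd_for_original` list for the LAN source is the condition to look for when the tunnel is up but nothing shows on enc0; adding the manual SPD to the list is what makes that entry appear.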

Can you try using the LAN IP of the firewall as the source in the BINAT? Do you use an FQDN for the peer address?

Remote gateway is an IP address.
Identifiers are "Distinguished name".


Not the same setup (I don't have any of the routers behind NAT) but same problem.

If I change Phase 1 Identifiers to use IP address instead of Distinguished name the NAT before IPSEC is working.

Why does it not work if I use other than IP address as my identifier/peer identifier?