Returning traffic not picked up by policy based VPN

Started by zemanek, October 25, 2024, 10:28:36 AM

Hello,

I have the following setup:

CLIENT----policy based IPsec----(enc0)-OPNsense-(vtnet0)----internal network

OPNsense has only one physical interface (WAN) (private IP + public IP) vtnet0. I have port forwarding on IPsec on port 8091 redirecting to internal network. I have full outbound NAT on both WAN and IPsec.

Now what I observed via packet capture:

enc0:
Client IP:41508 sends packet to OPNsense WAN private IP, port 8091 (SYN).

vtnet0:
OPNsense translates this into WAN private IP:53768--->internal network IP:443 (SYN)
internal network IP:443 replies to OPNsense WAN private IP:53768 (SYN, ACK)
OPNsense WAN IP:8091 replies to client IP:41508 (SYN, ACK)

but the OPNsense WAN IP:8091 to client IP:41508 (SYN, ACK) does not appear on IPsec (enc0) interface (I assume this packet goes out of OPNsense via vtnet0 interface).

Why does the VPN not pick up this reply and send it through the IPsec tunnel? What should I do?

I found something similar here: https://forum.opnsense.org/index.php?topic=16148.0

Maybe there is a missing reply-to (either not added or lost in SNAT)? Any workaround for it for policy-based VPN?
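A small check of the symptom described above, added here as an example (not code from the thread or from OPNsense): it parses constructed tcpdump-style summary lines from both interfaces and reports every SYN/ACK that answers a SYN which arrived on enc0 but was sent out on another interface, which is exactly what a missing reply-to looks like in a capture. The addresses 10.9.9.5 (VPN client) and 192.0.2.10 (WAN private IP) are placeholders; 172.20.130.109 is the DNAT target from the thread.

```python
import re
from collections import defaultdict

# Constructed capture summary, not the poster's real pcap.
# One line per packet: <iface> <src>.<sport> > <dst>.<dport> [<tcp flags>]
# "S" = SYN, "S." = SYN/ACK (tcpdump notation).
CAPTURE = """\
enc0   10.9.9.5.41508 > 192.0.2.10.8091 [S]
vtnet0 192.0.2.10.53768 > 172.20.130.109.443 [S]
vtnet0 172.20.130.109.443 > 192.0.2.10.53768 [S.]
vtnet0 192.0.2.10.8091 > 10.9.9.5.41508 [S.]
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+)\s+\[(\S+)\]$")


def parse(text):
    """Turn summary lines into (iface, src, sport, dst, dport, flags) tuples."""
    pkts = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            iface, src, sport, dst, dport, flags = m.groups()
            pkts.append((iface, src, int(sport), dst, int(dport), flags))
    return pkts


def misrouted_replies(pkts, tunnel_iface="enc0"):
    """Return [(syn_4tuple, [ifaces]), ...] for SYNs that came in over the
    tunnel whose SYN/ACK was only seen on some other interface."""
    # 4-tuples of SYNs that entered through the tunnel interface
    syn_seen = set()
    for iface, src, sport, dst, dport, flags in pkts:
        if iface == tunnel_iface and flags == "S":
            syn_seen.add((src, sport, dst, dport))
    # SYN/ACKs keyed by the reversed 4-tuple so they match their SYN
    synack_ifaces = defaultdict(set)
    for iface, src, sport, dst, dport, flags in pkts:
        if flags == "S.":
            synack_ifaces[(dst, dport, src, sport)].add(iface)
    bad = []
    for key in syn_seen:
        ifaces = synack_ifaces.get(key, set())
        if ifaces and tunnel_iface not in ifaces:
            bad.append((key, sorted(ifaces)))
    return sorted(bad)
```

Run against the constructed capture it reports the client's 41508 → 8091 connection, whose SYN/ACK only appears on vtnet0; a healthy capture would show that SYN/ACK on enc0 and the list would be empty.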

Quote from: zemanek on October 25, 2024, 10:28:36 AM
OPNsense has only one physical interface (WAN) (private IP + public IP) vtnet0. I have port forwarding on IPsec on port 8091 redirecting to internal network. I have full outbound NAT on both WAN and IPsec.
Can you give some more details on this, please?

You have an IPSec s2s to a remote site?

What do you forward? On the WAN private IP or on IPSec?

Can you post your rules and the capture?

Hello,

Yes, it's IPsec S2S.

While the IPsec is connected to the public IP of the WAN interface, I am exposing WAN private IP to the tunnel (IPsec phase 2 CIDR/encryption domain).

DNAT rule:

   IPsec WAN    TCP    *    *    WAN address    8091    172.20.130.109    443 (HTTPS)

SNAT rules:

   WAN      any    *    *    *    WAN address    *    NO    SNAT everything
   IPsec    any    *    *    *    WAN address    *    NO    SNAT everything

Capture files can be downloaded from here (link valid for 7 days / 20 downloads):
https://upload.nolog.cz/download/8183ecb7fe2b7ac3/#vUwEzC2sDS19BKswp6sihA