Topic: Updated IPSec with BiNAT walk-through needed? (Read 4564 times)
anomaly0617 (Jr. Member, Posts: 50, Karma: 0)
Updated IPSec with BiNAT walk-through needed?
« on: February 12, 2018, 11:16:52 pm »
Hi all!
Long-time m0n0wall/pf/OPNsense user here. I'm a network engineer for a managed service provider in Ohio.
I'm converting firewalls at customers from using pfSense to OPNsense as upgrades are required. I've discovered something through trial and error, but need to know if it's the proper way to be doing things...
For customers, we use BiNAT VPN tunnels extensively. This is because it's incredibly common to run into customers with 192.168.1.0/24 networks or 192.168.0.0/24 networks, and we need to be able to monitor their stuff over an encrypted tunnel from our office. We utilize rules on our side so they can only see the network monitoring server and everything else is blocked. On our side, however, I can see their whole subnet. So it's common for me to have a setup that looks like this:
Customer Side: 192.168.1.0/24 binat to 172.16.212.0/24
Our Side: 192.168.254.0/24 binat to 172.16.254.0/24
So the tunnel on their end is looking for a remote subnet of 172.16.254.0/24, and maintains a local subnet of 192.168.1.0/24 with BiNAT to 172.16.212.0/24.
The tunnel on our end is looking for a remote subnet of 172.16.212.0/24, and maintains a local subnet of 192.168.254.0/24.
On the customer's Firewall >> Rules >> IPSec it looks like IPv4 * * * * * (Allow IPSec Traffic)
On our end in Firewall >> Rules >> IPSec it looks quite different, only allowing customer VPNs to get to one IP address.
So the question became, how do I make this occur in OPNsense? The Phase 1 always establishes with no issue; it's always the Phase 2 that is broken. So, here's what I've tried so far on my Phase 2 Tunnel configuration:
I tried LocalNet as 192.168.1.0/24, RemoteNet as 172.16.254.0, and Manual SPD as 172.16.212.0/24. No joy.
I tried LocalNet as 172.16.212.0/24, RemoteNet as 172.16.254.0, and Manual SPD as 192.168.1.0/24. No joy.
I tried LocalNet as 192.168.1.0/24, RemoteNet as 172.16.254.0, and Manual SPD I left blank. I then tried going to Firewall >> Nat >> One-to-One >> Created a BiNAT that looks like IPSec, External is 172.16.212.0/24, Internal is 192.168.1.0/24, Dest. is Any.
This works, but it negates the documentation I see here:
https://forum.opnsense.org/index.php?topic=989.0
https://github.com/opnsense/core/issues/369
So, is the issue just that we need an updated tutorial or documentation?
Thanks in advance!
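As an added worked example (not code from the post or from the OPNsense project): a small Python check that the Phase 2 selectors on both ends of the BiNAT tunnel described above agree, and how 1:1 NAT rewrites a host address. It models the LocalNet/RemoteNet fields and the one-to-one NAT mapping as plain values rather than OPNsense's own config format; the `Side` dataclass and function names are my own, and the addresses are the ones quoted in the post.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class Side:
    name: str
    local_net: IPv4Network              # real LAN behind this firewall
    remote_net: IPv4Network             # subnet this end expects the peer to present
    binat_net: Optional[IPv4Network]    # 1:1 NAT prefix the LAN is shown as, if any

    @property
    def presented_net(self) -> IPv4Network:
        """Subnet the peer has to configure as its remote network."""
        return self.binat_net or self.local_net


def side(name, local, remote, binat=None) -> Side:
    """Build a Side from dotted strings (helper so examples stay readable)."""
    return Side(name, ip_network(local), ip_network(remote),
                ip_network(binat) if binat else None)


def binat_translate(addr, inside_net, outside_net) -> IPv4Address:
    """1:1 NAT keeps the host bits and swaps the network bits."""
    addr = ip_address(addr)
    if inside_net.prefixlen != outside_net.prefixlen:
        raise ValueError("1:1 NAT needs prefixes of equal size")
    if addr not in inside_net:
        raise ValueError(f"{addr} is not inside {inside_net}")
    host_bits = int(addr) - int(inside_net.network_address)
    return IPv4Address(int(outside_net.network_address) + host_bits)


def check_tunnel(a: Side, b: Side) -> List[str]:
    """Return the Phase 2 selector problems found; an empty list means consistent."""
    problems = []
    for me, peer in ((a, b), (b, a)):
        if me.binat_net and me.binat_net.prefixlen != me.local_net.prefixlen:
            problems.append(f"{me.name}: BiNAT prefix size differs from LAN")
        if me.remote_net != peer.presented_net:
            problems.append(f"{me.name}: remote {me.remote_net} but peer "
                            f"presents {peer.presented_net}")
        if me.remote_net.overlaps(me.local_net):
            problems.append(f"{me.name}: remote subnet overlaps own LAN")
    if a.presented_net.overlaps(b.presented_net):
        problems.append("both ends present overlapping subnets")
    return problems


# Constructed from the post: customer LAN shown as 172.16.212.0/24, ours as 172.16.254.0/24
CUSTOMER = side("customer", "192.168.1.0/24", "172.16.254.0/24", "172.16.212.0/24")
OURS = side("ours", "192.168.254.0/24", "172.16.212.0/24", "172.16.254.0/24")
```

Dropping the customer's BiNAT (the third attempt in the post without the one-to-one rule) makes `check_tunnel` report that our end expects 172.16.212.0/24 while the peer presents 192.168.1.0/24, which is the selector mismatch that keeps Phase 2 from coming up.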
franco (Administrator, Hero Member, Posts: 17668, Karma: 1611)
Re: Updated IPSec with BiNAT walk-through needed?
« Reply #1 on: February 28, 2018, 08:01:31 am »
Hi anomaly0617,
Yes, the setup guide needs to be updated and moved to https://docs.opnsense.org/
I'll make a note in the GitHub issue about this thread...
Cheers,
Franco
mimugmail (Hero Member, Posts: 6767, Karma: 494)
Re: Updated IPSec with BiNAT walk-through needed?
« Reply #2 on: February 28, 2018, 08:22:29 am »
May I take your networks for official documentation?
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/