Author Topic: IPSEC TUNNEL and BINAT  (Read 5768 times)

fixit

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
    • View Profile
IPSEC TUNNEL and BINAT
« on: November 30, 2018, 10:29:09 am »
Hello,
I have a remote network 192.168.0.1 that I want to access through an IPSEC tunnel. To avoid interfering with my local network, I need to NAT this remote network. I think it's 1:1.
Here is a diagram to explain:
LOCAL                       IPSEC                  REMOTE
ME 192.168.2.0 <------------------> 10.75.10.0/24:192.168.0.0/24 ----

I configured the tunnel
CONF VPN REMOTE:
subnet local 10.75.10.0 remote subnet 192.168.2.0
CONF LOCAL VPN:
subnet local: 192.168.2.0 remote subnet: 10.75.10.0


I created 1:1 NAT rules to associate the subnet 10.75.10.0 with 192.168.0.0 on the WAN interface.
I created very permissive firewall rules that allow everything on the IPSEC interface over the WAN and the LAN.

But no matter what I do, nothing happens.
Do you have an idea?

Best regards,
Ben
« Last Edit: December 03, 2018, 09:02:35 pm by fixit »
Logged

mimugmail

  • Hero Member
  • *****
  • Posts: 6767
  • Karma: 494
    • View Profile
Re: IPSEC TUNNEL and REMOTE 1:1 NAT
« Reply #1 on: November 30, 2018, 12:24:59 pm »
Is your setup related to this?

https://wiki.opnsense.org/manual/how-tos/ipsec-s2s-binat.html
Logged
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

mikehps

  • Newbie
  • *
  • Posts: 10
  • Karma: 2
    • View Profile
Re: IPSEC TUNNEL and REMOTE 1:1 NAT
« Reply #2 on: December 03, 2018, 08:31:04 am »
Hi,
I have the same problem:

Local LAN: 192.168.100.0/24
Local Subnet Phase 2: 188.93.252.132/30
Remote Subnet Phase 2: 188.93.251.0/24

Tunnel is up and working

BINAT 1:1 Rule on IPSEC Interface
External: 188.93.252.134/32
Source: 192.168.100.11/32
Destination: 188.93.251.37/32

No manual SPD Entries.

Do I have a config mistake?
regards
Michael
Logged

bartjsmit

  • Hero Member
  • *****
  • Posts: 2023
  • Karma: 194
    • View Profile
Re: IPSEC TUNNEL and REMOTE 1:1 NAT
« Reply #3 on: December 03, 2018, 08:46:04 am »
Hi Ben,

Quote from: fixit on November 30, 2018, 10:29:09 am
To avoid interfering with my local network, I need to make NAT of this remote network. I think it's 1to1.

If you mean by interference that there are subnets on either side that overlap, then a 1:1 NAT won't help you. You would need to apply a separate NAT for any host on the far end.

Are there any conflicts?

Bart...
Logged

mimugmail

  • Hero Member
  • *****
  • Posts: 6767
  • Karma: 494
    • View Profile
Re: IPSEC TUNNEL and REMOTE 1:1 NAT
« Reply #4 on: December 03, 2018, 10:01:55 am »
Quote from: mikehps on December 03, 2018, 08:31:04 am
No manual SPD Entries.

Did you read the link from the official docs above?
Logged

mikehps

  • Newbie
  • *
  • Posts: 10
  • Karma: 2
    • View Profile
Re: IPSEC TUNNEL and REMOTE 1:1 NAT
« Reply #5 on: December 03, 2018, 10:10:49 am »
jup,
I tried:

* 192.168.100.11/32 as SPD -> not working

Maybe it's a problem with the routing table? If I try to reach 188.93.251.37/32, the FW logs show interface WAN (I think it should go through the IPSEC interface?)

Is it because the phase 2 IPs are official IPs and not private ones?
Logged

mimugmail

  • Hero Member
  • *****
  • Posts: 6767
  • Karma: 494
    • View Profile
Re: IPSEC TUNNEL and REMOTE 1:1 NAT
« Reply #6 on: December 03, 2018, 10:28:58 am »
It would be better if you started your own thread with all the details instead of hijacking this one :)
Logged

fixit

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
    • View Profile
Re: IPSEC TUNNEL and REMOTE 1:1 NAT
« Reply #7 on: December 03, 2018, 09:01:19 pm »
Hello,
Thanks for your answers.
@mimugmail: Yes, it is my configuration type.
I tried this configuration, but it does not work:

VPN is UP
On the remote site, I have set an SPD to my local network, i.e. 192.168.0.0/24,
Phase2 Remote 192.168.2.0    local 10.75.10.1
I created a 1:1 rule:     IPsec    10.75.10.1/24    192.168.0.1/24    *
I have allowed all traffic in LAN, IPSEC interfaces.

When I ping a machine (10.75.15.18) on my remote site from the local site, I see the ping arrive at the remote machine (but I get no response):
Ping:  src:   192.168.2.94     dst:  192.168.0.18

And if I ping the local machine (ping 192.168.2.94) from my remote machine, it fails too.
I think I have a problem with routes for the back route.
What is wrong? Maybe I need to add a static route?

@bartjsmit: Nothing happens if I create NAT rules; I even get an error which tells me that the IP does not exist. Do I have to create a "LAN" network interface in order to assign NAT rules to it? A virtual IP? In this case I don't use the SPD?

Thanks for your help,

Regards,
Ben
« Last Edit: December 03, 2018, 10:06:01 pm by fixit »
Logged
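Added illustration (not code from this thread, from OPNsense or from its documentation): a small Python model of the 1:1 BINAT hop that the first post and Reply #7 describe. It uses the networks named in the posts (192.168.2.0/24 locally, 10.75.10.0/24 as the tunnel-side view of the remote 192.168.0.0/24, and mikehps's 188.93.252.134/32 inside the 188.93.252.132/30 phase 2 subnet) as constructed sample values; the class and function names are this example's own. It shows the two checks that decide whether such a setup can pass traffic: the BINAT range must lie inside the phase 2 selector so the rewritten packets match the SPD, and the reply's source must be translated back so the "back route" also matches the selector the peer negotiated.

```python
"""Model of a 1:1 (BINAT) translation in front of an IPsec site-to-site tunnel.

Constructed example; the addresses are taken from the forum posts as sample
values and the names used here are not an OPNsense API.
"""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class BinatRule:
    """A 1:1 mapping: host N of `internal` is presented on the tunnel as host N
    of `external`, and the reverse on the way back."""
    external: IPv4Net  # range the tunnel peer sees (must sit inside the phase 2 subnet)
    internal: IPv4Net  # real range behind the NAT

    def __post_init__(self) -> None:
        if self.external.prefixlen != self.internal.prefixlen:
            raise ValueError("1:1 NAT requires both networks to have the same prefix length")

    def _shift(self, addr: IPv4Addr, src: IPv4Net, dst: IPv4Net) -> IPv4Addr:
        # Keep the host offset, swap the network part.
        if addr not in src:
            raise ValueError(f"{addr} is not in {src}")
        offset = int(addr) - int(src.network_address)
        return IPv4Addr(int(dst.network_address) + offset)

    def to_internal(self, addr: IPv4Addr) -> IPv4Addr:
        """Packet arriving from the tunnel: rewrite the destination."""
        return self._shift(addr, self.external, self.internal)

    def to_external(self, addr: IPv4Addr) -> IPv4Addr:
        """Reply leaving towards the tunnel: rewrite the source."""
        return self._shift(addr, self.internal, self.external)


def make_rule(external: str, internal: str) -> BinatRule:
    return BinatRule(IPv4Net(external), IPv4Net(internal))


def needs_binat(local_lan: str, remote_lan: str) -> bool:
    """True when the two real LANs overlap, i.e. the remote one can only be
    reached through a translated range (Bart's question about conflicts)."""
    return IPv4Net(local_lan).overlaps(IPv4Net(remote_lan))


def rule_matches_phase2(rule: BinatRule, phase2_local: str) -> bool:
    """The translated (external) range must lie inside the phase 2 local subnet,
    otherwise the rewritten packets never match the IPsec policy (SPD)."""
    return rule.external.subnet_of(IPv4Net(phase2_local))


def simulate_ping(rule: BinatRule, dst: str) -> tuple[str, str]:
    """Follow one echo request and its reply through the BINAT hop.

    Returns (destination after NAT, reply source after NAT). The second value
    must equal the original `dst`, or the reply leaves the phase 2 selector
    and the peer drops it: the "back route" problem from Reply #7.
    """
    real_dst = rule.to_internal(IPv4Addr(dst))
    reply_src = rule.to_external(real_dst)
    return str(real_dst), str(reply_src)


if __name__ == "__main__":
    # Ben's setup: remote 192.168.0.0/24 presented as 10.75.10.0/24.
    ben = make_rule("10.75.10.0/24", "192.168.0.0/24")
    print("phase 2 ok:", rule_matches_phase2(ben, "10.75.10.0/24"))
    print("ping 10.75.10.18 ->", simulate_ping(ben, "10.75.10.18"))
    print("LANs overlap:", needs_binat("192.168.2.0/24", "192.168.0.0/24"))

    # Michael's setup: one host 192.168.100.11 presented as 188.93.252.134.
    michael = make_rule("188.93.252.134/32", "192.168.100.11/32")
    print("phase 2 ok:", rule_matches_phase2(michael, "188.93.252.132/30"))
```

Running the module prints the translated addresses for both setups; the `rule_matches_phase2` check is the first thing to verify when a BINAT rule is in place but the peer never answers, because a rule whose external range falls outside the phase 2 subnet produces packets that bypass the tunnel entirely (which is consistent with traffic showing up on the WAN interface in the logs rather than on IPsec).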
