IPSEC NAT

Started by mikehps, December 03, 2018, 11:12:57 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
December 03, 2018, 11:12:57 AM Last Edit: December 05, 2018, 10:03:30 AM by mikehps
Hi,

OpnSense 18.7.8 in place with the following Problem on an IPSEC site-to-site tunnel

IKEv1 Tunnel with two phase 2 Traffic Selectors:

Local LAN: 192.168.100.0/24
Local Subnet Phase 2: a.b.c.132/30
Remote Subnet Phase 2: x.y.z.0/24

Local LAN: 192.168.100.0/24
Local Subnet Phase 2: a.b.c.132/30
Remote Subnet Phase 2: x.y.z.0/24

Tunnel is up and working

BINAT 1:1 Rule on IPSEC Interface
External: x.y.z.134/32
Source: 192.168.100.11/32
Destination: x.y.z.37/32

Manual SPD Entry: 192.168.100.11/32
FW Rules -> IPsec Ipv4 any any allow all (for testing)

However, its not working. The remote end x.y.z.37/32 is not reachable.

Can anyone help pls?

Thanks and regards,
Michael
December 03, 2018, 11:39:45 AM #1
Your network design is a bit odd. Can you setup the P2 networks to some private networks so your routing doesn't get confused with peering IPs?

Like:

Real LAN1: 192.168.100.0/24
Fake LAN1: 192.168.1.0/24

Real LAN2: 192.168.100.0/24
Fake LAN2: 192.168.11.0/24

So you build a VPN from 192.168.1.0 with 192.168.11.0 .. the clients from LAN1 need to ping addresses from .11.0 to reach .1.0 from LAN2 and vice versa. Then you set up BINAT like from the official docs ...
December 03, 2018, 11:57:22 AM #2
unfortunately the customers security settings only allow the given (official IPs) as P2 local and remote network and they are not willing to change their IPSEC settings...
December 10, 2018, 06:03:28 PM #3
Update:

We are also affected by https://github.com/opnsense/core/issues/1773

Workaround:
Code Select
setkey -f with this file: spdadd <src_net> <dst_net> any -P out ipsec esp/tunnel/<local_wan_ip>-<remote_wan_ip>/unique:<id>;

regards,
Michael
January 23, 2019, 11:41:06 AM #4
Hi,

Was there a change with OpnSense 18.7.10?

Nat before IPSEC isn't working anymore, but setkey -DP show correct entries:

Code Select
x.x.x.x[any] z.z.z.z[any] any
        in ipsec
        esp/tunnel/x.x.x.x-z.z.z.z/unique:1
        created: Jan 23 11:29:28 2019  lastused: Jan 23 11:29:28 2019
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=36 seq=1 pid=84235 scope=global
        refcnt=1
z.z.z.z[any] x.x.x.x[any] any
        out ipsec
        esp/tunnel/z.z.z.z-x.x.x.x/unique:1
        created: Jan 23 11:29:28 2019  lastused: Jan 23 11:29:28 2019
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=37 seq=0 pid=84235 scope=global
        refcnt=1


regards,
Michael
Print
Go Up Pages1
User actions