NAT before IPSEC - Bug??

[olest]

Hi,

I have tried to setup NAT before IPSEC.

Followed this how to doc:
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html

Is it not working with 19.1?

I havn't tried with 18.7.

(tested with a pfSense instead of my opnsense box and then it is working)

[mimugmail]

I have two machines with 19.1.4 where it's running fine, must be a configuration issue.
More detail about setup and error please

[olest]

LAN network: 192.168.17.0/24
OPNsense 19.1.7 - could it be kernel changes since 19.1.4?

IPSEC Phase 2 (tunnel up):
local network 10.222.15.0/24
remote network: 192.168.11.0/24
Manual SPD: 192.168.17.0/24

NAT 1:1:
Interface IPSEC
Type: BINAT
External network: 10.222.15.0/24
Source: 192.168.17.0/24
Destination: 192.168.11.0/24

Firewall:
Default LAN allow all rule.

I cannot ping 192.168.11.244 from 192.168.17.101 using the OPNsense firewall.

--
With pfSense I use:
Phase 2:
local network: 192.168.17.0/24
BINAT translation: 10.222.15.0/24
remote network: 192.168.11.0/24

[mimugmail]

tcpdump on enc0 please

[olest]

I get nothing when I use "tdpdump -i enc0" and ping 192.168.11.244.

(tested with other tunnels with no NAT and the I see the trafic with tcpdump)

[olest]

tcpdump at LAN interface igb1 I get:
20:57:51.045693 IP 192.168.17.101 > 192.168.11.244: ICMP echo request, id 1, seq 36150, length 40

[franco]

Consider me amazed if this is not VTI and pfSense works but you're using ping without -S parameter which would indicate the opposite.

IPsec (non-VTI) needs -S for the source address and IPsec said source address to accept traffic into the tunnel. Always.

# ping 192.168.77.1
PING 192.168.77.1 (192.168.77.1): 56 data bytes
^C
--- 192.168.77.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
# ping -S 10.0.0.1 192.168.77.1
PING 192.168.77.1 (192.168.77.1) from 10.0.0.1: 56 data bytes
64 bytes from 192.168.77.1: icmp_seq=1 ttl=255 time=56.350 ms
64 bytes from 192.168.77.1: icmp_seq=2 ttl=255 time=48.087 ms

IPsec from 10.0.0.1 -> 192.16.77.1


Cheers,
Franco

[olest]

Not sure what you mean or what you what me to test.

Consider me amazed if this is not VTI and pfSense works but you're using ping without -S parameter which would indicate the opposite.

IPsec (non-VTI) needs -S for the source address and IPsec said source address to accept traffic into the tunnel. Always.

# ping 192.168.77.1
PING 192.168.77.1 (192.168.77.1): 56 data bytes
^C
--- 192.168.77.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
# ping -S 10.0.0.1 192.168.77.1
PING 192.168.77.1 (192.168.77.1) from 10.0.0.1: 56 data bytes
64 bytes from 192.168.77.1: icmp_seq=1 ttl=255 time=56.350 ms
64 bytes from 192.168.77.1: icmp_seq=2 ttl=255 time=48.087 ms

IPsec from 10.0.0.1 -> 192.16.77.1


Cheers,
Franco

[olest]

Only SPDs with 192.168.11.0/24 I see is:
192.168.11.0/24  10.222.15.0/24
10.222.15.0/24    192.168.11.0/24

Should there not be any entry for the manual SPD?

[mimugmail]

Can you try source in binat the LAN IP of the Firewall? Do you use FQDN for Peer address?

[olest]

Remote gateway is an IP address.
Identifiers is "Distinguished name"

[mimugmail]

Can you check last comment if you are also affected?

https://github.com/opnsense/core/issues/1773

[olest]

Not the same setup (I don't have any of the routers behind NAT) but same problem.

If I change Phase 1 Identifiers to use IP address instead of Distinguished name the NAT before IPSEC is working.

Why does it not work if I use other than IP address as my identifier/peer identifier?