OPNsense Forum » Archive » 19.7 Legacy Series » NAT before IPSEC tunnel, not working?
Topic: NAT before IPSEC tunnel, not working? (Read 3816 times)
jesperfr (Newbie, Posts: 11, Karma: 0)
NAT before IPSEC tunnel, not working?
« on: August 15, 2019, 07:44:32 am »
Is this still a problem?
I need to NAT an address before sending it through an IPSEC tunnel, but I can't get it to work. According to a packet capture it seems that NAT is done, but it's not being tunneled afterwards.
Rgds,
Jesper
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: NAT before IPSEC tunnel, not working?
« Reply #1 on: August 15, 2019, 11:12:18 am »
Most of it should be fixed in 19.7.2
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
jesperfr (Newbie, Posts: 11, Karma: 0)
Re: NAT before IPSEC tunnel, not working?
« Reply #2 on: August 16, 2019, 10:16:32 am »
A little more explanation:
It's an existing tunnel. My end: 10.222.0.0/16, remote end: 10.1.204.0/24.
I have a server at my end coming from 10.220.2.72 which I translate to 10.222.8.4. If I ping from the local server and do a packet capture on the WAN interface, then I can see the translated addr. towards the server I try to reach (10.1.204.108).
Firewall interfaces:
VLAN 10 (10.220.0.9/22)
VLAN 32 (10.222.8.4/22)
WAN
My local server is coming via VLAN 10 and is being translated to the interface addr. on VLAN 32.
jesperfr (Newbie, Posts: 11, Karma: 0)
Re: NAT before IPSEC tunnel, not working?
« Reply #3 on: August 16, 2019, 10:19:31 am »
Please find attached a packet capture. Ping done from a server 10.220.2.13 and it's being translated to 10.222.8.4, but the packet towards 10.1.204.108 is not being tunneled.
I have tried to do 2 configs. Both configs are outbound NAT:
WAN as outgoing interface (packet capture WAN)
IPSEC as outgoing interface (packet capture IPSEC)
PACKET CAPTURE WAN:
VLAN10
em0 09:29:01.766196 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32194, offset 0, flags [none], proto ICMP (1), length 60)
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43537, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43538, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43539, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43540, length 40
VLAN10
em0 09:29:06.475942 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32195, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0 09:29:11.465461 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32196, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0 09:29:16.475901 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32197, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:29:01.766572 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32194, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43537, length 40
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43538, length 40
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43539, length 40
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43540, length 40
WAN
em1 09:29:06.476327 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32195, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:29:11.465774 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32196, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:29:16.476087 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32197, offset 0, flags [none], proto ICMP (1), length 60)
PACKET CAPTURE IPSEC:
VLAN10
em0 09:36:51.695292 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32198, offset 0, flags [none], proto ICMP (1), length 60)
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43547, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43548, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43549, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43550, length 40
VLAN10
em0 09:36:56.466359 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32199, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0 09:37:01.483428 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32200, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0 09:37:06.466768 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32201, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:36:51.695470 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32198, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43547, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43548, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43549, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43550, length 40
WAN
em1 09:36:56.466440 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32199, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:37:01.483573 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32200, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:37:06.466915 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32201, offset 0, flags [none], proto ICMP (1), length 60)
In the image below, test is 10.220.2.13, Salling group is 10.1.204.108, VLAN32_NAT_INTERFACE is 10.222.8.4.
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: NAT before IPSEC tunnel, not working?
« Reply #4 on: August 16, 2019, 03:17:37 pm »
Screenshots of Phase2 SA please.
jesperfr (Newbie, Posts: 11, Karma: 0)
Re: NAT before IPSEC tunnel, not working?
« Reply #5 on: August 19, 2019, 07:57:28 am »
A ping from the firewall VLAN32 interface (10.222.8.4) works, but when I use the same interface address or any other address in 10.222.0.0/16 for translation, then I can't ping.
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: NAT before IPSEC tunnel, not working?
« Reply #6 on: August 19, 2019, 09:08:56 am »
Errr... did you follow the BINAT guide from the official docs? Can't see any screenshot of BINAT rules. It won't work like this.
jesperfr (Newbie, Posts: 11, Karma: 0)
Re: NAT before IPSEC tunnel, not working?
« Reply #7 on: August 19, 2019, 09:21:25 am »
I have tried both 1:1 NAT and outbound NAT, but neither works.
Packet capture with BINAT rule:
VLAN10
em0 09:49:14.273478 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32211, offset 0, flags [none], proto ICMP (1), length 60)
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46613, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46614, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46615, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46616, length 40
VLAN10
em0 09:49:19.207255 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32212, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0 09:49:24.206931 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32213, offset 0, flags [none], proto ICMP (1), length 60)
VLAN10
em0 09:49:29.206841 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32214, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:49:14.273756 00:50:56:a8:47:5c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.1.204.108 tell 91.221.51.240, length 28
WAN
em1 09:49:14.274354 00:26:0a:27:d6:00 > 00:50:56:a8:47:5c, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 10.1.204.108 is-at 00:26:0a:27:d6:00, length 46
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46613, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46614, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46615, length 40
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 46616, length 40
WAN
em1 09:49:14.274394 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32211, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:49:19.207418 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32212, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:49:24.207103 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32213, offset 0, flags [none], proto ICMP (1), length 60)
WAN
em1 09:49:29.206921 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32214, offset 0, flags [none], proto ICMP (1), length 60)
« Last Edit: August 19, 2019, 09:51:29 am by jesperfr »
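The captures in Reply #3 and Reply #7 both show the translated echo request leaving em1 as plain ICMP rather than inside the tunnel. As an added example, not code from the thread or from OPNsense, this Python script parses that capture layout, flags WAN-side packets bound for the remote Phase 2 network that are not ESP, and models the SPD point raised in the later replies: the pre-NAT source is only covered once a policy for it exists. The sample capture is constructed from the thread's addresses; the ESP frame and its 198.51.100.10 / 203.0.113.20 endpoints are invented for illustration.

```python
import ipaddress
import re

REMOTE_NET = "10.1.204.0/24"   # remote Phase 2 network from the thread

# Constructed sample in the OPNsense capture layout: interface label, frame header, payload.
SAMPLE_CAPTURE = """\
VLAN10
em0 09:29:01.766196 00:26:0a:27:d6:00 > 00:50:56:a8:de:54, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 32194, offset 0, flags [none], proto ICMP (1), length 60)
10.220.2.13 > 10.1.204.108: ICMP echo request, id 1, seq 43537, length 40
WAN
em1 09:29:01.766572 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 126, id 32194, offset 0, flags [none], proto ICMP (1), length 60)
10.222.8.4 > 10.1.204.108: ICMP echo request, id 8203, seq 43537, length 40
WAN
em1 09:29:02.000000 00:50:56:a8:47:5c > 00:26:0a:27:d6:00, ethertype IPv4 (0x0800), length 150: (tos 0x0, ttl 64, id 7, offset 0, flags [none], proto ESP (50), length 136)
198.51.100.10 > 203.0.113.20: ESP(spi=0x0c0ffee0,seq=0x1), length 116
"""

LABEL = re.compile(r"^[A-Za-z0-9_]+$")                      # interface label line: "VLAN10", "WAN"
HEADER = re.compile(r"^(?P<dev>\w+) \d\d:\d\d:\d\d\.\d+ .*proto (?P<proto>\w+) \(\d+\)")
PAYLOAD = re.compile(r"^(?P<src>[\d.]+) > (?P<dst>[\d.]+): ")

def parse_capture(text):
    """Return one (label, device, protocol, src, dst) record per IP packet in the capture."""
    packets, label, header = [], None, None
    for line in text.splitlines():
        if LABEL.match(line):
            label = line
        elif m := HEADER.match(line):
            header = m
        elif (m := PAYLOAD.match(line)) and header is not None:
            packets.append((label, header["dev"], header["proto"], m["src"], m["dst"]))
    return packets

def cleartext_leaks(packets, remote_net=REMOTE_NET, wan_label="WAN"):
    """WAN-side packets bound for the tunnel's remote network that are not ESP: sent unprotected."""
    remote = ipaddress.ip_network(remote_net)
    return [(src, dst) for label, _dev, proto, src, dst in packets
            if label == wan_label and proto != "ESP" and ipaddress.ip_address(dst) in remote]

def spd_covers(src, dst, spd):
    """True if some (src_net, dst_net) policy covers the packet's original (pre-NAT) addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) for a, b in spd)

def spd_before_and_after_fix(src="10.220.2.13", dst="10.1.204.108"):
    """Phase 2 policy as first configured vs. with a manual SPD entry for the pre-NAT source."""
    before = [("10.222.0.0/16", REMOTE_NET)]
    return spd_covers(src, dst, before), spd_covers(src, dst, before + [(src + "/32", REMOTE_NET)])
```

Running `cleartext_leaks(parse_capture(SAMPLE_CAPTURE))` reports the translated 10.222.8.4 packet, and `spd_before_and_after_fix()` returns `(False, True)`.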
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: NAT before IPSEC tunnel, not working?
« Reply #8 on: August 19, 2019, 12:39:10 pm »
And you added the internal source IP to SPD in IPsec Phase2?
jesperfr (Newbie, Posts: 11, Karma: 0)
Re: NAT before IPSEC tunnel, not working?
« Reply #9 on: August 19, 2019, 12:55:20 pm »
No, nothing has been added to the SPD in phase 2. As I previously mentioned, I don't have access to the remote end, and the remote end is not an OPNsense firewall.
What IP do I need to add, and should this be done at both ends of the tunnel?
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: NAT before IPSEC tunnel, not working?
« Reply #10 on: August 19, 2019, 01:17:14 pm »
Again, did you read the BINAT guide? You have to add an SPD in Phase 2 as described in the howto. It's the source IP/net you used in the 1:1 NAT.
jesperfr (Newbie, Posts: 11, Karma: 0)
Re: NAT before IPSEC tunnel, not working?
« Reply #11 on: August 19, 2019, 02:51:45 pm »
Yes, I did read the BINAT howto, but I thought I had to add the network/host at both ends of the tunnel, and that was not an option.
I got it to work now. Thanks very much for all your help, it's highly appreciated :)
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: NAT before IPSEC tunnel, not working?
« Reply #12 on: August 19, 2019, 05:48:27 pm »
Glad you did it