Outbound NAT to IPSec

Started by Jürgen Garbe, February 19, 2020, 10:43:54 AM

February 19, 2020, 10:43:54 AM Last Edit: February 19, 2020, 10:45:39 AM by Jürgen Garbe
Hi there,

I have to do outbound NAT for an IPsec connection (not 1:1 NAT and not 1:n, but m:n ...).
In the outbound NAT rules (using hybrid mode), the IPsec interface can be chosen, but the traffic is not translated and leaves via the standard gateway (untranslated).
Any ideas?

Actually, I simply work around this by using a separate OPNsense instance which does the needed NATing.

Regards
Jürgen


Hm, I think so:
The source net is 10.6.0.0/8, which should be NATed to 172.18.132.48/29 (random, sticky).
The destination net is 10.16.100.0/24.
In the Phase 2 definitions the local net is 172.18.132.48/29 and the remote net is 10.16.100.0/24.
Again: actually I work around this behaviour using a separate OPNsense instance which only does the NAT, and it works.
Or do you perhaps mean I have to use the original source net (10.6.0.0/8) as the local Phase 2 net instead?

You have to insert the original net as an SPD in Phase 2, that's all (including NAT).

Not sure what you mean.
Do you mean to add the original network as manual SPD entry?

If not:
I can't change the requirement: the customer is forcing us to use a "transport net" 172.18.132.48/29 on our side as the endpoint of the IPsec tunnel.
So I can't simply change the given Phase 2 local net entry to our local network 10.6.0.0/8.
That's why I need the outbound NAT.



Yes (please ignore unsafe settings like AES 128):

You need to add the real source network in "Manual SPD entry"

I added the original (before outbound NAT) network 10.6.0.0/8 to the manual SPD entry.
Please check my outbound NAT settings too.

Results:

1. Outbound NAT into the IPsec tunnel is working now. Thank you very much (any explanation or link to this method? Is it simply a kind of hack or workaround?). :)

2. "Start on traffic" does not work in this configuration. :(
I have to change to "start immediate" instead of simply pinging it to get the tunnel opened... Any hint regarding this behaviour?

Search for IPsec BINAT; it's clearly documented regarding the SPD.

No idea regarding the start immediate .. sorry

Ok, I did not recognize this chapter as relevant because of my outbound (and not BINAT) situation.
Now it sounds trivial: additional networks to be forwarded into the tunnel have to be defined here.

Meanwhile I found a good hint on a german site describing this very well:
https://techcorner.max-it.de/wiki/OPNsense_-_NAT_before_IPSEC

In fact I was irritated, because my thinking was that the outbound NAT happens first, and because the destination net of the outbound NAT is defined as the local net in my Phase 2 definition, everything should work fine...

Learning never ends  ;)

Topic solved!


I have to come back to this topic :(

The customer wants us to connect not only to one remote net (10.16.100.0/24) through the transport net but also to one web server at address 10.220.252.1.
I think the right way to achieve this is to set up another Phase 2 which addresses this host.

But:
Now the "trick" of adding manual SPDs isn't working any longer (of course...).
Even packets for the remote net are forwarded through the isolated tunnel of the last Phase 2 definition.

Again: help would be fine ;)


February 21, 2020, 10:23:19 AM #14 Last Edit: February 21, 2020, 01:15:43 PM by Jürgen Garbe
First of all, please don't be confused that you see slightly modified addresses here; I use a private virtual test environment (172.18.133/29 instead of 172.18.132 of the real world, 10.17.100.80 instead of 10.16.100.80).

In the screenshot, you can see the corresponding IPsec status overview, which shows that ping packets to 10.17.100.80 are forwarded to the tunnel defined for 10.230.252.1.

The target IPSec endpoint answers on the correct tunnel.

If I change the order of the Phase 2 definitions, everything is ok when pinging 10.17.100.80, but the ping packets to 10.230.252.1 are forwarded to the wrong tunnel.

So each packet coming from our source net 10.6.0.0/8, which is outbound NATed and added as a manual SPD entry in both Phase 2 definitions, is always and only using the (isolated) tunnel of the last Phase 2 definition :(

Edit 1:
In my workaround setup (doing the outbound NAT on a separate OPNsense instance -> no need for manual SPD entries) everything is working as expected.

Edit 2:
Also the fact that automatically (re-)starting the tunnel on incoming traffic is not working in the "integrated outbound NAT" scenario discussed here is a real big game stopper, I think.
Other thoughts are very welcome!