[SOLVED] 1:1 NAT with an IPsec tunnel (in a multi-WAN setup)

[CDuv]

Hello,

I fail to configure 1:1 NAT for trafic going via an IPsec tunnel (tunnel between my LAN and the network of a third party)

Here is the context :

My LAN network IP address is : 10.33.0.0/16
Third party IP address of the server I need to access via IPsec tunnel : 172.31.254.254/32
Network arriving in the tunnel (for 1:1 NAT) : 10.88.0.0/16

I am using OPNsense version 20.1.1.

Here is the IPsec configuration (algorithms part taken out) :

   
• Phase 1 :
        
  
           
  • Key Exchange version : V1
  • Interface : WAN
  • Remote gateway : 5.5.5.5 (Third party server IP)
  • Authentication method : Mutual PSK
  • My identifier : 3.3.3.3 (my public IP)
  • Peer identifier : 5.5.5.5
  • Install policy : (Checked)
  • Tunnel Isolation : (Unchecked)
  • NAT Traversal : Enable
     
• Phase 2 :
        
  
           
  • Mode : Tunnel IPv4
  • Local Network :
                
    
                   
    • Type : Network
    • Address : 10.88.0.0/16
             
  • Remote Network :
                
    
                   
    • Type : Address
    • Address : 172.31.254.254/32
             
  • Manual SPD entries : (Empty)
     

And here is the the 1:1 NAT configuration :

   
• Interface : IPsec
• Type : BINAT
• External network : 10.88.0.0/16
• Source / invert : (Unchecked)
• Source :
        
  
           
  • Type : Single host or Network
  • Address : 10.33.0.0/16
     
• Destination / invert : (Unchecked)
• Destination : any
• NAT reflection : Use system default

I do have an "IPsec" entry in the "Firewall: Rules" part of the GUI but nowhere else (not in "Interfaces" nor when trying to add a gateway or a route).

IPsec tunnel seems UP (according to the OPNsense dashboard) but I can't ping 172.31.254.254 or something in 10.88.0.0 from LAN.
And I don't see how it could work because netstat -rn shows no entry for 172.31.254.254 nor 10.88.0.0.

Do I need to add my LAN address (10.33.0.0/16) to Phase 2's "Manual SPD entries" ?
Where/How could I see thoses "SPD entries" ?

Thank you.

[CDuv]

Forgot to say I followed "Setup IPsec site to site tunnel" guide (https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html), added an "allow any to any" firewall rule on IPsec interface and allowed ESP, ISAKMP, IPsec NAT-T protocols on WAN interface.

[mimugmail]

Can you search the Docs for Binat IPsec. Its documented there :)

[CDuv]

Thank for the pointer: In the mean time I tried to add my LAN as manual SPD entry but I saw no change of behavior.

Does BINAT setup requires to add specific firewall rule related to the natted network 10.88.0.0/16? The BINAT guide does not say anything about it but the IPsec site-to-site tunnel guide asks to create a "action=pass from=*:* to=LAN_net:*" rule on IPsec interface (which I did).
So I wonder if I need to create another rule (eg. to allow traffic from LAN to 10.88.0.0/16).

[CDuv]

Using a tcpdump -n -i enc0 I can see my ping -s 10.33.0.1 172.31.254.254 (executed from OPNsense, whose LAN's address is "10.33.0.1") but I get no ping response and tcpdump ouput show no translation:

13:12:13.844882 (authentic,confidential): SPI 0xd0fb1d32: IP 10.33.0.1 > 172.31.254.254: ICMP echo request, id 31860, seq 0, length 64

(One of) The other thread I've found (« Updated IPSec with BiNAT walk-through needed? ») seems to leave Manual SPD field blank and use a "type=BINAT dest=any" NAT 1:1 rule which did not matched documentation, but it was 2 years ago.

Is there a way to show/debug SPD entries?

[CDuv]

Also, if my LAN clients ping or traceroute the IP 172.31.254.254 it goes out to WAN not via IPsec tunnel (tcpdump -n -i enc0).
I don't understand why a ping to the same IP would follow different path if executed from OPNsense with LAN interface as source or executed from a computer on LAN (having the OPNsense as default gateway).

I naively tried to add a "Firewall: NAT: Outbound" rule on IPsec interface to replace traffic from 10.33.0.0/16 (LAN) to 172.31.254.254 (third party server) by 10.88.0.0/16 (natted network) with no luck.

[CDuv]

Just a thought: could my multi-wan setup (primary with failover) be responsible for the LAN clients' traffic not going through the tunnel?

[CDuv]

Adding a firewall rule on LAN interface configured as follow did the trick: from=LAN_net to=172.31.254.254/32 gateway=default
(and placed before my firewall rule that sets gateway to the "primary/failover" gateway group for all traffic)

A tcpdump -n -i enc0 still don't show translation for outgoing traffic (id. 10.33.0.1) but answer arrives for translated address (id. 10.88.0.1):

12:39:44.593119 (authentic,confidential): SPI 0xbde8b870: IP 10.33.0.1 > 172.31.254.254: ICMP echo request, id 60353, seq 18, length 64
12:39:44.593503 (authentic,confidential): SPI 0xbde8b870: IP 172.31.254.254 > 10.88.0.1: ICMP echo reply, id 60353, seq 18, length 64

In the web GUI, at "Firewall: Log Files: Live View", I do have translation for outgoing traffic (id. 10.88.0.1):

Code Select Expand

IPsec Feb 25 12:39:44 10.88.0.1 172.31.254.254 icmp IPsec internal host to host
lan Feb 25 12:39:44 10.88.0.1 172.31.254.254 icmp Allow access to third-party server behind IPsec tunnel

So, to summarize, I needed (on my side):

• A firewall rule on all WAN interfaces to allow ESP ISAKMP and IPsec NAT-T (see guide)
• IPsec tunnel with "Apply Policy" on Phase 1 and Phase 2 where local network="10.88.0.0/16", remote network="172.31.254.254/32" and Manual SPD entry=10.33.0.0/16
• A NAT "One-to-One" rule where type=BINAT, external network="10.88.0.0/16", source network="10.33.0.0/16" and destination network="172.31.254.254/32"
• A firewall rule on LAN interface where source="LAN_net:*", direction="in", destination="172.31.254.254/32:*", gateway="default"
• A firewall rule on IPsec interface where source="172.31.254.254/32:*", direction="in", destination="LAN_net:*", gateway="default"

Guides :

• Setup IPsec site to site tunnel
• IPSec BINAT