
Port Forwarding through IPSEC Tunnel


blueart:
Hello Team,
First of all, thanks for your great work.
Currently I'm running into an issue with port forwarding to a destination behind a VPN tunnel.

We have a Firewall in our DataCenter Colocation which has an IPSec Tunnel with a VTI back to our Office Firewall.
Behind the Office Firewall is a Server which needs to be published to the Internet.

On the Office Firewall there is a Policy Based routing rule to forward all traffic from that Server via the Tunnel to the Datacenter.

If I open a webpage or use speedtest.net, I can see the correct public IP address assigned from the NAT pool on the Colocation Firewall.


Now, if we open a port from the Colocation Firewall via Port Forward to the office server, I can see the requests in Wireshark hitting the Colo Firewall, the VPN tunnel and the Office Firewall. Running a packet capture on the VTI interface of the Office Firewall, I can see the traffic arriving on the firewall through that tunnel, but the traffic never leaves the tunnel and gets to the server.

IPsec firewall rules on the VTI interface:

IPsec firewall rules on the IPsec interface:

If I replace the IPsec setup with an OpenVPN tunnel it works, but the performance is bad.

Colo Firewall:
pfSense 2.4.5

Office Firewall:
OPNsense 20.1.7

Thanks for reading and looking into it.

Best regards
Martin

blueart:
We did another test today with OPNsense 20.7, with both OpenVPN and IPsec; there is no way we can make this work.

Sadly, this works perfectly with pfSense.
Are there any plans to get this functionality in OpnSense as well?

Best regards

fraenki:

https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html

Have both of you considered this documentation?
AFAICT your attempts fail because you hit a known limitation related to "NAT before IPsec". The documentation contains workarounds and hints related to unsupported scenarios.


Regards
- Frank

Fixeon:
Hello,

I have the same problem. Is there any solution for this issue?

Regards
Jannik
