OPNsense Forum » English Forums » General Discussion

Topic: IPSec with BiNat, routing not engaging? (Read 1201 times)
Author: nellson (Newbie, Posts: 6, Karma: 0)
Posted: August 30, 2021, 01:53:24 am
Using the docs I was able to get an IPSec/IKEv2 tunnel up in 15 mins with my company Cisco Router, and was very jazzed that I could replace my Palo Alto firewall VPN. My Company uses the entire 10. net mostly, including the lil 10.0.0.0/24 I use at home. No problem, that's what the IPSec BiNat was for, yes? So...
my IPSec tunnel uses 10.0.10.0/25 as the inside space that I will be NAT'ing myself to. And the 10.0.0.0/8 for the remote network. Cisco IPSec sees that and reverse route injects a static 10.0.10.0/25 in for my tunnel. Cool.
On the OPNsense side, I have my IPSec tunnel originating from my WAN interface (static IP from ISP) and my NAT set up with a single test 1-to-1 from 10.0.0.7 (my PC) to 10.0.10.7 (the IP I will appear as over the tunnel, same as I did with my Palo).
My IPSec FW rules are an ANY ANY right now, both inbound and out.
So I test a ping from my station to a station at work, and it appears to be going straight out the internet, and not the tunnel. My ISP gateway is sending the ICMP rejection.
So I am stuck on what I might need to do for routing/NAT, and https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html wasn't giving me quite enough.
UPDATE: Traffic FROM my work to the NAT address 10.0.10.7 is correctly getting through the tunnel, and being NAT'ed to my 10.0.0.7 workstation. I see INBOUND traffic in all the IPSec logs, and Wireshark on my workstation shows the ping hitting me. (Carbon Black denies it, but hey, it got here!) If I ping to that same workstation, no outbound traffic is seen in the tunnel.
So I followed the IPSec tunnel docs, and added the BiNat docs. I think my issue is in the IPSec Tunnel docs, in that my VPN Status shows my tunnel as "INSTALLED" and "ROUTED", but the docs say it should just show "INSTALLED", and in the route table there is no entry to suggest my traffic would get captured by my IPSec tunnel.
My NAT is on the IPSec interface. Perhaps that is why it's not being NAT'ed before the tunnel network list sees it?
Last Edit: August 31, 2021, 01:04:08 am by nellson
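The post describes a classic BiNAT ordering question: the phase 2 selectors are 10.0.10.0/25 (local) to 10.0.0.0/8 (remote), but the workstation's real address is 10.0.0.7, so a packet only matches the tunnel policy if the 1:1 translation to 10.0.10.7 is applied before the policy lookup. The model below is an added illustration written for this thread, not OPNsense or strongSwan code and not a diagnosis of the poster's firewall; it simulates the two possible orderings (NAT before or after the policy match) and the inbound direction, using the subnets and the 10.0.0.7 to 10.0.10.7 mapping from the post. The home LAN exclusion and the second host 10.0.0.9 are constructed assumptions to show the overlap and the "no mapping" cases.

```python
from ipaddress import ip_address, ip_network

# Values taken from the post (constructed sample policy, not live config).
PHASE2_LOCAL = ip_network("10.0.10.0/25")   # address space presented over the tunnel
PHASE2_REMOTE = ip_network("10.0.0.0/8")    # company network reachable via the tunnel
HOME_LAN = ip_network("10.0.0.0/24")        # overlaps PHASE2_REMOTE; must stay local

# 1:1 BiNAT table: real LAN host -> identity used inside the tunnel.
BINAT_OUT = {ip_address("10.0.0.7"): ip_address("10.0.10.7")}
BINAT_IN = {tunnel: lan for lan, tunnel in BINAT_OUT.items()}


def in_tunnel_policy(src, dst):
    """True if (src, dst) matches the phase 2 traffic selectors."""
    return src in PHASE2_LOCAL and dst in PHASE2_REMOTE


def classify_outbound(src, dst, nat_before_policy):
    """Decide where a LAN-originated packet goes.

    nat_before_policy=True  : BiNAT rewrites the source, then the policy is checked.
    nat_before_policy=False : the policy is checked on the untranslated source.
    Returns one of: 'local-lan', 'tunnel as <ip>', 'default-route'.
    """
    src, dst = ip_address(src), ip_address(dst)
    # The home /24 sits inside the remote /8, so it has to be excluded first,
    # otherwise LAN-to-LAN traffic would be pulled into the tunnel.
    if dst in HOME_LAN:
        return "local-lan"
    if nat_before_policy:
        src = BINAT_OUT.get(src, src)     # hosts without a mapping keep their address
    if in_tunnel_policy(src, dst):
        return f"tunnel as {src}"
    # Symptom from the post: the packet leaves via the ISP gateway instead.
    return "default-route"


def classify_inbound(src, dst):
    """Decide what happens to a packet arriving from the remote side."""
    src, dst = ip_address(src), ip_address(dst)
    # Inbound, the remote peer already addresses the BiNAT identity (10.0.10.7),
    # so the policy matches before any translation is needed.
    if not in_tunnel_policy(dst, src):
        return "not-in-policy"
    return f"delivered to {BINAT_IN.get(dst, dst)}"


def policy_report():
    """Tabulate the cases discussed in the thread for a quick sanity check."""
    cases = [
        ("out, NAT first ", classify_outbound("10.0.0.7", "10.0.50.12", True)),
        ("out, policy first", classify_outbound("10.0.0.7", "10.0.50.12", False)),
        ("out, unmapped host", classify_outbound("10.0.0.9", "10.0.50.12", True)),
        ("out, home LAN dst", classify_outbound("10.0.0.7", "10.0.0.20", True)),
        ("in, to NAT addr  ", classify_inbound("10.0.50.12", "10.0.10.7")),
        ("in, to real addr ", classify_inbound("10.0.50.12", "10.0.0.7")),
    ]
    return cases


if __name__ == "__main__":
    for label, result in policy_report():
        print(f"{label}: {result}")
```

Reading the output side by side: the inbound ping succeeds because 10.0.10.7 already lies in the local selector, while the outbound ping from 10.0.0.7 only enters the tunnel in the "NAT first" row. That is exactly the ordering the poster is asking about; on a real firewall the thing to verify is whether the BiNAT rule is evaluated before the IPsec policy lookup, and whether the home /24 is kept out of the remote selector.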