Topic: IPsec (23.1) behind CGNAT (Read 928 times)
Felix.
Newbie
Posts: 30
Karma: 4
IPsec (23.1) behind CGNAT
« on: March 07, 2023, 11:21:13 pm »
Hi,
I recently moved and my DSL is not ready yet.
I have an unlimited Telekom business SIM and am using a Teltonika TRB500 gateway in bridge mode.
I get a CGNAT IP at my WAN interface in OPNsense.
Before, I used a VTI tunnel and it worked great, but I had fiber and a (not officially, but never changed) static IP on my client side.
Now I need to use the cellular connection behind CGNAT as client.
I read this will work when the server only listens to connections and my client side initiates the tunnel.
What happens is, the server receives packets, and tries to send one back.
The one that is sent back never reaches the client and so the tunnel times out.
I really don't know what could be messing up right now, the client never sees any incoming traffic whatsoever from the server.
I'll post my configs tomorrow when I'm at a real computer... mobile right now.
Maybe someone can find the culprit with me, many thanks!
tiermutter
Hero Member
Posts: 1099
Karma: 61
Re: IPsec (23.1) behind CGNAT
« Reply #1 on: March 08, 2023, 07:27:45 am »
Behind CGNAT you will not be able to access anything via v4.
You will need IPv6, but in your case, you will still not be able to access anything, as T-Mobile restricts IPv6 access as long as you have not booked the option "feste IPv6 Adresse", which will give you access over IPv6.
The only thing you can do without any extra options: simply use the APN with public v4
Code:
internet.t-d1.de
t-mobile
tm
i am not an expert... just trying to help...
tiermutter
Hero Member
Posts: 1099
Karma: 61
Re: IPsec (23.1) behind CGNAT
« Reply #2 on: March 08, 2023, 07:30:14 am »
Sorry, misread your post, I thought you had trouble accessing the server side behind CGNAT...
i am not an expert... just trying to help...
Felix.
Newbie
Posts: 30
Karma: 4
Re: IPsec (23.1) behind CGNAT
« Reply #3 on: March 08, 2023, 06:33:53 pm »
Using the APN you posted, I got a public IP and now I see incoming UDP packets, amazing.
The tunnel still doesn't initiate, but I think that is probably something else; I never tried the new 23.1 setup before.