Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
23.7 Legacy Series
»
Full NAT and IPSec
« previous
next »
Print
Pages: [
1
]
Author
Topic: Full NAT and IPSec (Read 985 times)
biricon
Newbie
Posts: 20
Karma: 0
Full NAT and IPSec
«
on:
January 18, 2024, 04:26:48 pm »
Hello,
i test right now the following situation and dont find a solution on OpnSens:
Server 10.0.0.2 <--> [OPS_LAN 10.0.0.1] <---> [OS_VLAN_INTERFACE_Transfer_IP 10.1.1.1/32] <--> IPSEC <--> [192.0.0.1/24]
IPSec has the LANs 192.168.0.1 and 10.1.1.1/32
Now i like to make a port forwarding or 1:1 NAT for bring the Port 80 from Server 10.0.0.2 thru the Tunnel.
- IPSec works
- Routing and Ping to 10.1.1.1 works from 192.0.0.1
Traceroute from 10.0.0.2 will everytime go thru internet and not to the tunnel.
i test outbound NAT and Portforwarding
1:1 NAT
But no success.
Did anyone have a idea how i can do this?
Logged
bimbar
Sr. Member
Posts: 435
Karma: 25
Re: Full NAT and IPSec
«
Reply #1 on:
January 18, 2024, 05:08:05 pm »
I think you need to add this in ipsec advanced settings -> manual spd entries .
Logged
biricon
Newbie
Posts: 20
Karma: 0
Re: Full NAT and IPSec
«
Reply #2 on:
January 18, 2024, 05:22:06 pm »
you mean the passthrough networks?
but if i put in the internal 10.0.0.1/24 this does not make any diffrent. the traffic to the 192.0.0.1 will go out via normaly internet route and the masqurading does not work.
Logged
biricon
Newbie
Posts: 20
Karma: 0
Re: Full NAT and IPSec - strange Problem.
«
Reply #3 on:
January 18, 2024, 09:27:11 pm »
Now it works with the spd entry on the legacy IPsec and the new one.
But i have one strange problem. After the Tunnel starts it works - after 10-15min i can not reach from insert the other side of the tunnel. After a restart of the Tunnel from the other side, it works again for 10-15min.
On the other side i have Sophos SG/XGS, Edgerouter, Unifi Gateways and Fortinet. On every Tunnel its the same.
- But my transfer IP is pingable from the other Tunnel side
- From insert the LAN the traffic does not come to the tunnel - the traceroute ends on the opnsense.
On diffrent LANs from the same tunnel, the time is not the same, when this situation starts.
«
Last Edit: January 18, 2024, 09:29:47 pm by opncon
»
Logged
shadesh
Newbie
Posts: 41
Karma: 2
What?
Re: Full NAT and IPSec
«
Reply #4 on:
January 19, 2024, 11:24:04 am »
First of all. 192.0.0.0/24 is not a RFC1918 (e.g. its a public ip range), so somewhere its "correct" routed to public internet. Before you can test the NAT you need to solve the routing issue. Is the Opnsense the only default gateway used on the 10.0.0.2 side? Do you see a routing table entry on the opnsense for both networks going into the tunnel? Are there two SA created for it under the ipsec section?
Logged
biricon
Newbie
Posts: 20
Karma: 0
Re: Full NAT and IPSec
«
Reply #5 on:
January 19, 2024, 01:47:49 pm »
We find out, that the legacy and the new IPSec interface uses the same reqest IDs and so we have a conflict. In this case the request IDs will be falling out of the routing, if a secound tunnel come up with the same ID.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
23.7 Legacy Series
»
Full NAT and IPSec