Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
DNAT to IPsec policy-based VPN not working
« previous
next »
Print
Pages: [
1
]
Author
Topic: DNAT to IPsec policy-based VPN not working (Read 693 times)
zemanek
Newbie
Posts: 18
Karma: 0
DNAT to IPsec policy-based VPN not working
«
on:
January 29, 2024, 12:52:07 pm »
Hello,
I have OPNsense 23.7 with only 1 (WAN) interface and an IPsec VPN established. The VPN itself is working, I can communicate from my internal network over the IPsec tunnel.
The problem is with port forwarding. In addition to the other communication I set up DNAT rule on WAN interface forwarding anything coming to WAN interface port 1439 to IP 172.26.1.53 on the far end of the IPsec VPN.
I also have outbound NAT on WAN interface set to translate anything going to 172.26.1.0/24 to have source IP of the WAN interface.
Firewall ingress rule allows subnet in the internal network to access port 1439 on WAN interface.
In packet capture I can see the packet coming to WAN interface, then being forwarded/translated to 172.26.1.53 but then vanishes. It is not sent through the IPsec VPN. No blocked packet seen in live firewall log.
Any ideas?
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1601
Karma: 176
Re: DNAT to IPsec policy-based VPN not working
«
Reply #1 on:
January 29, 2024, 01:14:21 pm »
That sounds like the IPsec Policy doesn't allow the packet to enter tunnel.
Can you share more details about your configuration, for example the local and remote network of the Children (Phase2) and if you have put manual SPD Entries?
Also as a side node, the IPsec+NAT can be a bit troublesome in FreeBSD, if you want to avoid all of these problems you might want to look into wireguard. Because it's a routed VPN by default you can NAT however your heart desires.
«
Last Edit: January 29, 2024, 01:15:55 pm by Monviech
»
Logged
Hardware:
DEC740
zemanek
Newbie
Posts: 18
Karma: 0
Re: DNAT to IPsec policy-based VPN not working
«
Reply #2 on:
January 29, 2024, 01:28:04 pm »
Damn, just between the previous testing of the other communication and the DNAT the IPsec Phase 2 went down. Sorry.
It's working now.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
DNAT to IPsec policy-based VPN not working