[Resolved] Unable to perform the Nat through IPSec
athisesanr (Newbie, Posts: 27, Karma: 0)
Posted on: June 11, 2024, 02:04:43 pm
Hi Folks,
I have a question regarding IPsec with DNAT and SNAT, with the steps below that I'm trying on an OPNsense FW.
Here are the steps configured and the connections checked:
- IPsec between Site A (OPNsense) and Site B (FortiGate) (policy-based tunnel, up)
- Site A has a local network of 100.100.100.0/27
- Site B has a local network of 100.200.100.0/27
- Site A has some VLAN connectivity with its internal VLAN network (such as 10.10.10.15)
- Site B wants to connect to 10.10.10.15 through the NAT IP 100.100.100.10; this IP was chosen from a free IP in Site B's local subnet.
- Ensured that Site A's local subnet 100.100.100.0/27 has connectivity to 10.10.10.15
- Able to reach from Site B the OPNsense-configured IPs in Site A's local subnet, such as the interface IP and CARP IP.
- Unable to reach from Site B the Site A IP 100.100.100.10, which is NATed to 10.10.10.15
- Having a port forward NAT (DNAT) on the IPsec interface like below:
(src 100.200.100.10, dst 10.10.10.15, translated 100.100.100.10)
- Having an outbound NAT (SNAT) on the internal VLAN interface like below:
(src 100.200.100.10, dst 100.100.100.10, translated 10.10.10.15)
So, checking the traffic, I am able to get the reply from the VLAN network, but I couldn't ping from Site B to the OPNsense internal VLAN network via NAT.
16:27:31.135755 IP 100.100.100.10 > 10.10.10.15: ICMP echo request, id 14098, seq 1628, length 64
16:27:31.136089 IP 10.10.10.15 > 100.100.100.10: ICMP echo reply, id 14098, seq 1628, length 64
Hence, I think I missed something in the NAT; can anyone guide me here?
Please note all the interface rules are any-any.
Thanks,
Last Edit: June 12, 2024, 07:41:21 am by athisesanr
athisesanr
Reply #1 on: June 12, 2024, 07:40:09 am
Hi All,
This issue got resolved after adding a manual SPD in IPsec for the source IP that replies to Site B.
I added 10.10.10.15/32 in the manual SPD.
Thanks all.
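The failure mode in this thread, as an added example that is not part of the original posts and not OPNsense's or FreeBSD's code: a small Python model of the packet path with the thread's addresses. Its one assumption (the model's, not something the thread states) is the ordering of the three steps on the reply path: pf reverses the outbound-NAT state when the reply enters on the VLAN interface, the kernel then consults the SPD, and the port-forward state is reversed only when the packet leaves on the IPsec interface. Under that ordering the reply still carries 10.10.10.15 as its source at SPD-lookup time, which is exactly why a Phase 2 covering only 100.100.100.0/27 lets the request through but drops the reply, and why a manual 10.10.10.15/32 entry fixes it. All function names are the example's own.

```python
import ipaddress

# Addresses from the thread; the NAT IP is a free address inside Site A's tunnel subnet.
SITE_A_LOCAL = ipaddress.ip_network("100.100.100.0/27")
SITE_B_LOCAL = ipaddress.ip_network("100.200.100.0/27")
NAT_IP = ipaddress.ip_address("100.100.100.10")
VLAN_HOST = ipaddress.ip_address("10.10.10.15")
SITE_B_HOST = ipaddress.ip_address("100.200.100.10")


def tcpdump(src, dst):
    """Format a packet the way the thread's tcpdump lines do."""
    return f"{src} > {dst}"


def spd_covers(src, dst, spd):
    """True if some (local, remote) policy matches an outbound src -> dst packet."""
    return any(src in local and dst in remote for local, remote in spd)


def base_spd():
    """What a plain Phase 2 (local 100.100.100.0/27, remote 100.200.100.0/27) installs."""
    return [(SITE_A_LOCAL, SITE_B_LOCAL)]


def spd_with_manual_entry():
    """The base policy plus the manual SPD entry the reply added (10.10.10.15/32)."""
    return base_spd() + [(ipaddress.ip_network("10.10.10.15/32"), SITE_B_LOCAL)]


def request_path(src, dst, spd):
    """Site B -> NAT IP: inbound SPD check, DNAT on the IPsec interface, SNAT on the VLAN."""
    # Inbound direction: the packet must be covered by a remote -> local policy.
    if not any(src in remote and dst in local for local, remote in spd):
        return None
    if dst == NAT_IP:  # port forward on the IPsec interface
        dst = VLAN_HOST
    src = NAT_IP  # outbound NAT on the VLAN interface (what the thread's tcpdump showed)
    return src, dst


def reply_path(src, dst, original_peer, spd):
    """VLAN host -> Site B, in the order this model assumes: reverse SNAT, SPD lookup, reverse DNAT."""
    # pf reverses the outbound-NAT state when the reply enters on the VLAN interface.
    dst = original_peer if dst == NAT_IP else dst
    # The kernel consults the SPD before the packet reaches the IPsec interface (model
    # assumption), so the source is still the VLAN host's real address here.
    if not spd_covers(src, dst, spd):
        return None  # no matching policy: the reply never enters the tunnel
    # The port-forward state is reversed only on the IPsec interface, after the SPD match.
    if src == VLAN_HOST:
        src = NAT_IP
    return src, dst


def ping_round_trip(spd):
    """Return what appears on the VLAN and what (if anything) leaves through the tunnel."""
    req = request_path(SITE_B_HOST, NAT_IP, spd)
    if req is None:
        return {"on_vlan": None, "reply_out": None}
    req_src, req_dst = req
    reply = reply_path(req_dst, req_src, SITE_B_HOST, spd)
    return {
        "on_vlan": tcpdump(req_src, req_dst),
        "reply_out": None if reply is None else tcpdump(*reply),
    }


if __name__ == "__main__":
    for name, spd in (("base SPD", base_spd()), ("with manual SPD", spd_with_manual_entry())):
        print(name, ping_round_trip(spd))
```

With the base SPD the model reproduces the thread's capture (request and reply both visible on the VLAN, nothing leaving the tunnel); with the extra 10.10.10.15/32 policy the reply is matched and leaves as 100.100.100.10 > 100.200.100.10. A quick check on a real box is the same idea: compare the policy list shown by the IPsec SPD status page before and after adding the manual entry, and confirm the reply source address appears in a policy.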