VPN IPsec site to site with virtual networks

Started by Tech34, June 28, 2024, 04:02:44 PM

June 28, 2024, 04:02:44 PM Last Edit: June 28, 2024, 04:20:12 PM by Tech34
Hello Forum,

I hope you're doing well.

I need some information about configuring an IPsec VPN on an OPNsense firewall.

I created an IPsec tunnel with a Stormshield firewall using virtual networks, but I'm unable to test the VPN tunnel. I don't know how to create virtual IP addresses and attach them to a physical interface using NAT in OPNsense. There are three types of NAT in OPNsense, and I'm unsure which one to use: NAT 1:1, outbound NAT, or port forward NAT.

I need your help to understand what I'm doing wrong. On the Stormshield firewall, I created a virtual network, which is preceded by a physical network. On the OPNsense firewall, I didn't create a virtual network, but I added it in the IPsec Phase 2 configuration.

Can you guys give me an idea of the NAT and filtering configurations that I should add in OPNsense?

Here's what the VPN tunnel looks like:


| 192.168.2.0/24 | -------------- (Stormshield [virt: 10.100.100.0/24]) ====ipsec==== (Opnsense[virt: 10.200.200.0/24]) -------------- | 192.168.100.0/24 |


This is what i'm trying to test:

Ping from 192.168.100.0/24 to 10.100.100.0/24. I have created an object in the Stormshield network that is NATted to a physical IP address, 192.168.2.201/24, but I don't know how to do the same thing in OPNsense for a physical machine!

Thank you for your time guys !

Can anyone who knows how take the time to answer?
I would really appreciate it!

Why do you need to NAT?

You have two networks:

192.168.2.0/24
192.168.100.0/24

There is no overlap between those networks.

Just create a policy-based tunnel that connects these networks directly in Phase 2.
Hardware:
DEC740

Hello, thank you for your answer.

I need to NAT because the two networks are behind a virtual network:

| 192.168.2.0/24 | -------------- (Stormshield [virt: 10.100.100.0/24]) ====ipsec==== (Opnsense[virt: 10.200.200.0/24]) -------------- | 192.168.100.0/24 |


In my case my LAN 192.168.100.0/24 has to be behind the network 10.200.200.0/24.

First I want to know if it's possible to do it in OPNsense, because I tried to do it with Stormshield and it worked perfectly, and if it's possible, how could we do it (create the virtual network and apply the NAT rules to translate from the virtual network to the local network)?

Also, because we have a lot of VPN tunnels in our Stormshield firewall, we have to create virtual networks in order to avoid IP address conflicts.
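What the OPNsense Phase 2 "NAT/BINAT translation" setting (pf binat, the mechanism the later posts in this thread end up using) does to addresses in this topology, as an added worked example that is not part of any post: the OPNsense LAN 192.168.100.0/24 is presented to the tunnel as 10.200.200.0/24 with the host part unchanged, the Phase 2 selectors are written with the translated networks, and ports are left alone, because binat is a 1:1 network translation, not PAT. The packet values, and the assumption that 192.168.2.201 shows up as 10.100.100.201 on the Stormshield side, are constructed for the example.

```python
# Added illustration (not from the thread): 1:1 network translation (pf binat,
# OPNsense Phase 2 "NAT/BINAT translation") applied to the thread's topology.
import ipaddress

LAN_OPNSENSE = ipaddress.ip_network("192.168.100.0/24")    # real LAN behind OPNsense
VIRT_OPNSENSE = ipaddress.ip_network("10.200.200.0/24")    # what the tunnel sees for it
LAN_STORMSHIELD = ipaddress.ip_network("192.168.2.0/24")   # real LAN behind Stormshield
VIRT_STORMSHIELD = ipaddress.ip_network("10.100.100.0/24") # its virtual network

# Phase 2 traffic selectors on the OPNsense side use the *translated* networks.
PHASE2_LOCAL = VIRT_OPNSENSE
PHASE2_REMOTE = VIRT_STORMSHIELD


def binat(addr, from_net, to_net):
    """Map addr from from_net onto to_net, keeping the host bits (1:1, no port change)."""
    addr = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("binat needs two networks of the same size")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def outbound(pkt):
    """LAN -> tunnel: rewrite the source to its virtual address; ports are untouched."""
    src = binat(pkt["src"], LAN_OPNSENSE, VIRT_OPNSENSE)
    return dict(pkt, src=str(src))


def inbound(pkt):
    """tunnel -> LAN: rewrite the destination back to the real LAN address."""
    dst = binat(pkt["dst"], VIRT_OPNSENSE, LAN_OPNSENSE)
    return dict(pkt, dst=str(dst))


def matches_phase2(pkt):
    """Does a packet fall inside the Phase 2 selectors? If not, it never enters
    the tunnel (it leaves in clear text via the default route, or is dropped)."""
    return (ipaddress.ip_address(pkt["src"]) in PHASE2_LOCAL
            and ipaddress.ip_address(pkt["dst"]) in PHASE2_REMOTE)


if __name__ == "__main__":
    # constructed packet: RDP from a LAN host to the (assumed) virtual address of
    # the Stormshield-side machine 192.168.2.201
    rdp = {"src": "192.168.100.50", "sport": 51000, "dst": "10.100.100.201", "dport": 3389}
    translated = outbound(rdp)
    print(translated, matches_phase2(translated))  # ports unchanged, selector matches
    print(matches_phase2(rdp))                     # untranslated: does not match
```

The last check is the usual failure mode: if the translation is not applied before the policy lookup, the packet still carries 192.168.100.50 as source, falls outside the 10.200.200.0/24 selector, and is never encrypted.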


Hello,

Thanks for the document, it worked!



Hello again,

It worked from the Stormshield to the OPNsense:

(screenshot: https://i.ibb.co/SX6h4fD/Capture.png)

but not from the OPNsense to Stormshield!

Quick update: the ICMP works, but when I try RDP it doesn't work. I have a question: does the BINAT do PAT?

MTU - MSS problem?

IPsec uses PMTUD to discover the maximum transmission size; that requires some more ICMP options to be allowed, not only echo request and reply.

Otherwise set a hard MSS size with a Firewall - Normalization rule in OPNsense.

Here it's explained for WireGuard, but it applies to any VPN technology when PMTUD doesn't work. https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
Hardware:
DEC740
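Two things the reply above asks for, worked through as an added example that is not from the thread or the OPNsense docs: a value for the Normalization rule's MSS derived from the outer MTU and the ESP tunnel-mode overhead (field sizes per RFC 4303/4106; the two cipher profiles and NAT-T on UDP/4500 are assumptions about the tunnel, not facts from the thread), and a check of a firewall's ICMP allow list against the messages PMTUD actually needs, which are IPv4 "fragmentation needed" (type 3, code 4) and ICMPv6 "packet too big" (type 2), not echo request/reply.

```python
# Added example (not from the thread): MSS for the Normalization rule, and a
# check that PMTUD's ICMP messages are allowed. Profiles are assumptions.
IP4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8          # NAT-T encapsulation (UDP/4500)
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header

# (IV bytes, padding alignment, ICV bytes) -- assumed cipher profiles
PROFILES = {
    "aes-gcm-128": (8, 4, 16),        # 8-byte IV, 4-byte alignment, 128-bit ICV
    "aes-cbc-sha256": (16, 16, 16),   # 16-byte IV, block alignment, 128-bit truncated HMAC
}


def esp_overhead(profile, nat_t=True):
    """Worst-case bytes that ESP tunnel mode adds around an inner IPv4 packet."""
    iv, align, icv = PROFILES[profile]
    worst_pad = align - 1   # payload + trailer must end on an 'align' boundary
    return (IP4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR
            + iv + worst_pad + ESP_TRAILER + icv)


def clamp_mss(outer_mtu, profile, nat_t=True):
    """Largest TCP payload per segment that still fits one ESP packet unfragmented."""
    inner_mtu = outer_mtu - esp_overhead(profile, nat_t)
    return inner_mtu - IP4_HDR - TCP_HDR


# What PMTUD needs the firewall to let through (proto, type, code; None = any code).
PMTUD_NEEDED = {("icmp", 3, 4), ("icmp6", 2, None)}


def pmtud_missing(allowed):
    """allowed: set of (proto, type, code) the firewall passes, code None = all codes.
    Returns the PMTUD messages that would be blocked."""
    missing = set()
    for proto, typ, code in PMTUD_NEEDED:
        ok = any(p == proto and t == typ and (c is None or c == code)
                 for p, t, c in allowed)
        if not ok:
            missing.add((proto, typ, code))
    return missing


if __name__ == "__main__":
    for prof in PROFILES:
        print(prof, "overhead", esp_overhead(prof), "MSS", clamp_mss(1500, prof))
    echo_only = {("icmp", 8, None), ("icmp", 0, None)}   # echo request/reply only
    print("blocked for PMTUD:", pmtud_missing(echo_only))
    print("blocked for PMTUD:", pmtud_missing(echo_only | PMTUD_NEEDED))
```

With a 1500-byte outer MTU and the assumed AES-GCM profile over NAT-T the computed clamp is 1395; the CBC/HMAC profile gives 1375. Rounding down further is harmless; the value only has to be small enough that no ESP packet needs fragmentation on the path, which is what a "SYN gets through, data stalls" symptom usually points to when it is an MTU problem.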

When I sniffed packets using Wireshark, this is what I see:

That looks like there is a SYN but no SYN-ACK. I don't know what the issue is though, it's a bit out of my reach right now.
Hardware:
DEC740
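The observation above (SYNs leaving, no SYN-ACK coming back) can be checked mechanically rather than by eye. As an added example that is not part of the thread, here is a small parser for tcpdump's text output that lists TCP flows whose SYNs were never answered by a SYN-ACK, with the retransmission count; the capture lines are constructed for the example and mirror the thread's RDP case next to a control flow that does complete.

```python
# Added example (not from the thread): find half-open TCP flows in tcpdump text.
# CAPTURE is a constructed sample in tcpdump's default line format.
import re
from collections import defaultdict

CAPTURE = """\
12:00:00.000000 IP 10.200.200.50.51000 > 10.100.100.201.3389: Flags [S], seq 1, win 64240, length 0
12:00:01.000000 IP 10.200.200.50.51000 > 10.100.100.201.3389: Flags [S], seq 1, win 64240, length 0
12:00:03.000000 IP 10.200.200.50.51000 > 10.100.100.201.3389: Flags [S], seq 1, win 64240, length 0
12:00:00.100000 IP 10.200.200.50.51001 > 10.100.100.201.445: Flags [S], seq 7, win 64240, length 0
12:00:00.120000 IP 10.100.100.201.445 > 10.200.200.50.51001: Flags [S.], seq 9, ack 8, win 65535, length 0
12:00:00.130000 IP 10.200.200.50.51001 > 10.100.100.201.445: Flags [.], ack 10, win 502, length 0
"""

LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def parse(text):
    """Yield (src, sport, dst, dport, flags) for each TCP line tcpdump printed."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags


def half_open_flows(text):
    """Return {(client, cport, server, sport): syn_count} for flows whose SYNs
    never got a SYN-ACK ('S.' in tcpdump notation) from the server."""
    syns = defaultdict(int)
    answered = set()
    for src, sport, dst, dport, flags in parse(text):
        if flags == "S":
            syns[(src, sport, dst, dport)] += 1
        elif flags == "S.":
            answered.add((dst, dport, src, sport))  # key by the client side
    return {k: n for k, n in syns.items() if k not in answered}


if __name__ == "__main__":
    for (client, cport, server, sport), n in half_open_flows(CAPTURE).items():
        print(f"{client}:{cport} -> {server}:{sport}: {n} SYN(s), no SYN-ACK")
```

Run against a real `tcpdump -n` capture taken on the OPNsense LAN and on its IPsec side in turn: if the SYN appears on the LAN but not leaving the tunnel, the block is local (rule or missing translation); if it leaves but no SYN-ACK returns, the problem is on the far side or on the return path.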

It's okay, thank you for your help, you really helped me a lot. In OPNsense, it keeps blocking the RDP traffic: