SNAT for traffic through route based VPN (VTI) ?

Started by zemanek, October 04, 2024, 11:40:59 AM

Hello,

I have set up a route based VPN named T1 according to https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html:

Local VTI address: 10.101.177.2
Remote VTI address: 10.101.177.1

OPNsense WAN address: 10.100.177.10/24

This created interface T1. I created a gateway using this interface with IP 10.101.177.1 and added a route to 10.0.1.0/24 through this gateway.

Now when I PING a host in 10.0.1.0/24 from the OPNsense, I can see in a packet capture that packets going into the VPN have source IP address 10.101.177.2 (local VTI address).

I need them to have source IP address 10.100.177.10. How do I do that? I tried setting SNAT on the T1 interface to use the WAN interface address for anything going to 10.0.1.0/24, but that didn't help.

You need to set tunables to change the filter behavior of ipsec.

https://docs.opnsense.org/manual/vpnet.html#route-based-vti

Please note that you can ONLY have either filtering and nat on enc0 (which is shown as IPsec in the GUI), OR on ipsecX interfaces.
Hardware:
DEC740

Thanks. I missed that. So I set those tunables. Now the ICMP does not even get into the VPN. I also noticed

Warning
Currently it does not seem to be possible to add NAT rules for if_ipsec(4) devices.

So I guess I am out of luck here...

https://forum.opnsense.org/index.php?topic=36254

Read this whole thread and a lot of your questions will be answered. :)

Hardware:
DEC740

Quote from: zemanek on October 04, 2024, 11:40:59 AM
I need them to have source IP address 10.100.177.10.

Why?
This would lead to asymmetric routing.
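As an added illustration of the asymmetric-routing point above (not part of any post in this thread), here is a small Python longest-prefix-match model of both ends' routing tables. The remote-side routes are assumed, since the thread only describes the OPNsense side; the VTI subnet is assumed to be a /30.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables modelling the setup in the thread.
# OPNsense side, as described by the OP (VTI /30 is an assumption).
OPNSENSE_ROUTES = [
    ("0.0.0.0/0", "wan"),
    ("10.100.177.0/24", "wan"),
    ("10.101.177.0/30", "T1"),   # VTI point-to-point network
    ("10.0.1.0/24", "T1"),       # static route via gateway 10.101.177.1
]
# Remote side, assumed: it knows its LAN and the VTI subnet, nothing else.
REMOTE_ROUTES = [
    ("0.0.0.0/0", "wan"),
    ("10.0.1.0/24", "lan"),
    ("10.101.177.0/30", "vti"),
]


def lookup(routes, dst):
    """Longest-prefix match: return the egress interface for dst."""
    addr = ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def round_trip(src, dst, remote_routes=REMOTE_ROUTES):
    """Interface the request leaves OPNsense on, interface the reply leaves
    the remote on, and whether the path is symmetric (both via the tunnel)."""
    out_iface = lookup(OPNSENSE_ROUTES, dst)
    back_iface = lookup(remote_routes, src)
    return out_iface, back_iface, (out_iface == "T1" and back_iface == "vti")


if __name__ == "__main__":
    # VTI source: reply comes back through the tunnel.
    print(round_trip("10.101.177.2", "10.0.1.10"))
    # WAN source after SNAT: reply follows the remote's default route instead.
    print(round_trip("10.100.177.10", "10.0.1.10"))
    # Only an explicit remote route for the WAN subnet via the VTI fixes that.
    fixed = REMOTE_ROUTES + [("10.100.177.0/24", "vti")]
    print(round_trip("10.100.177.10", "10.0.1.10", fixed))
```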

@Monviech

Doesn't work for me. It seems that if I enable SNAT for the ipsec interface (using the WAN address as source IP), it sends the test ICMP packets through the WAN interface and not through the ipsec interface as it should according to the route table.


Well, I looked at the configuration XML and found that there are some references to nonexistent ipsec interfaces. As I previously encountered an issue with the configuration of an older OPNsense version / other instance with a mixed-up configuration after numerous experiments, I decided to do a factory reset and configure everything from scratch.

But now whenever I apply a new IPsec connection, I lose ALL connectivity to the OPNsense instance (I have to do a factory reset via the console).