Topic: Ipsec with 1:n NAT and virtual IP (Read 179 times)
m256
Newbie
Posts: 6
Karma: 0
Ipsec with 1:n NAT and virtual IP
« on: November 24, 2024, 04:47:32 pm »
Hello,
I read through all the docs but I'm still not sure how I am meant to do that.
My setup: WAN (192.168.4.2), LAN (10.0.0.5/24). I just need to access remote networks over the ipsec tunnel, nothing needs to be reachable from the other side. The remote side requires me to have the local network for P2 as 192.168.5.1/32, and I am doing NAT before ipsec. Unfortunately, it seems like NAT is not taking place before ipsec no matter what I do. The tunnel is established, traffic is allowed.
I tried outgoing NAT, one-to-one NAT, playing around with virtual IP aliases, routing etc.
Should I use reqid + manual SPD instead? Or maybe VTI?
Please help, I've already spent more nights than expected with that :(
BTW, I found out I need to set 192.168.5.1 in P1, otherwise the tunnel is not established.
viragomann
Full Member
Posts: 213
Karma: 7
Re: Ipsec with 1:n NAT and virtual IP
« Reply #1 on: November 25, 2024, 11:18:00 pm »
So you might already have a p2 with 192.168.5.1 as local address and the proper remote network.
Then you need a one-to-one NAT rule:
Interface: IPSec
Type: NAT
External network: 192.168.5.1/32
Source: 10.0.0.0/24 (your local network)
Destination: remote network
This NAT rule should translate the source IP to 192.168.5.1, when the packet is going out to IPSec.
m256
Newbie
Posts: 6
Karma: 0
Re: Ipsec with 1:n NAT and virtual IP
« Reply #2 on: November 26, 2024, 01:09:08 pm »
I tried that, but it didn't work. tcpdump showed no NAT took place. It seems like ipsec precedes the NAT rules.
viragomann
Full Member
Posts: 213
Karma: 7
Re: Ipsec with 1:n NAT and virtual IP
« Reply #3 on: November 26, 2024, 01:16:08 pm »
The NAT should happen before IPSec. IPSec should only see 192.168.5.1 as local IP, which is configured in its p2.
Hence, I'd expect to see 192.168.5.1 as source in packets on the IPSec interface.
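Replies #2 and #3 above both hinge on what tcpdump shows on the IPsec interface: if NAT happened before IPsec, packets on enc0 should carry 192.168.5.1 as source, otherwise the original 10.0.0.x address leaks into the tunnel. The script below is an added example (not OPNsense code and not from anyone in this thread) that models the one-to-one NAT rule from Reply #1 and runs it over constructed tcpdump-style lines to flag packets that entered the tunnel untranslated. The remote network 172.16.0.0/24, the SPI values, ports and timestamps are all assumptions; the thread never names the remote network.

```python
"""Audit tcpdump output from the IPsec interface for untranslated LAN sources.

Added example, not OPNsense's own code. It models the 1:N source NAT rule
described in the thread (10.0.0.0/24 -> 192.168.5.1 towards the remote
network) and checks constructed `tcpdump -ni enc0`-style lines against it.
"""
import ipaddress
import re

# Values from the thread. The remote network is an ASSUMED placeholder;
# the thread never states it.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")
EXTERNAL_IP = "192.168.5.1"
REMOTE_NET = ipaddress.ip_network("172.16.0.0/24")  # assumption

# Matches the "IP src[.port] > dst[.port]:" part of tcpdump -n output.
_LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:"
)


def expected_source(src: str, dst: str) -> str:
    """Apply the one-to-one NAT rule: a LAN source bound for the remote
    network must leave with EXTERNAL_IP; everything else is left as is."""
    if ipaddress.ip_address(src) in LOCAL_NET and ipaddress.ip_address(dst) in REMOTE_NET:
        return EXTERNAL_IP
    return src


def parse_line(line: str):
    """Return (src, dst) for an IPv4 tcpdump line, or None if it is not one."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst")


def audit(lines):
    """Return (src, dst) pairs seen on the IPsec interface whose source should
    have been translated by the rule but was not."""
    leaks = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst = parsed
        if expected_source(src, dst) != src:
            leaks.append((src, dst))
    return leaks


# Constructed sample shaped like `tcpdump -ni enc0` output (SPIs, ports and
# timestamps are made up). Lines 1-2 show the symptom from the thread
# (untranslated 10.0.0.x source inside the tunnel); line 3 is what a working
# setup shows; line 4 is inbound return traffic; line 5 is non-IPv4 noise.
SAMPLE = [
    "12:01:03.101244 (authentic,confidential): SPI 0x0c0ffee1: IP 10.0.0.5.51234 > 172.16.0.10.22: Flags [S], seq 1, win 65535, length 0",
    "12:01:03.101900 (authentic,confidential): SPI 0x0c0ffee1: IP 10.0.0.7.51235 > 172.16.0.11.443: Flags [S], seq 1, win 65535, length 0",
    "12:01:04.000000 (authentic,confidential): SPI 0x0c0ffee1: IP 192.168.5.1.51236 > 172.16.0.10.22: Flags [S], seq 1, win 65535, length 0",
    "12:01:04.000500 (authentic,confidential): SPI 0x0c0ffee2: IP 172.16.0.10.22 > 192.168.5.1.51236: Flags [S.], seq 1, ack 2, win 65535, length 0",
    "12:01:05.000000 (authentic,confidential): SPI 0x0c0ffee1: IP6 fe80::1 > ff02::1: ICMP6, router solicitation, length 16",
]

if __name__ == "__main__":
    leaks = audit(SAMPLE)
    if not leaks:
        print("all LAN-sourced packets on the IPsec interface were translated")
    for src, dst in leaks:
        print(f"untranslated LAN source entered the tunnel: {src} -> {dst}")
```

Run it against real output by replacing SAMPLE with the lines of `tcpdump -ni enc0` captured while generating traffic; any reported pair means the packet was encapsulated before the NAT rule saw it, which is exactly the symptom described in Reply #2.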
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1622
Karma: 178
Re: Ipsec with 1:n NAT and virtual IP
« Reply #4 on: November 26, 2024, 02:11:09 pm »
The source nat only takes place if an interface with the IP address exists on your local firewall.
Try creating a VIP or loopback interface with the IP you want to use for the source nat.
Hardware:
DEC740
m256
Newbie
Posts: 6
Karma: 0
Re: Ipsec with 1:n NAT and virtual IP
« Reply #5 on: Today at 08:32:10 am »
I have already tried making 192.168.5.1 (the IP I want the local network to be for the remote side of the tunnel) an IP alias for loopback, WAN and LAN, but no luck. I didn't try making it a non-virtual IP yet.
Because of that and other posts here on the forum I thought manual SPD entries are the only way to go.
What's strange is that the P1 local ID seems to affect what IP is going to be used for the IKE connection: if I go with 192.168.5.1 the IKE packet is not being sent out, if I enter my WAN IP into the P1 ID, the tunnel gets connected.
viragomann
Full Member
Posts: 213
Karma: 7
Re: Ipsec with 1:n NAT and virtual IP
« Reply #6 on: Today at 03:06:17 pm »
Okay, I just tested this on my IPSec to a remote pfSense instance.
I created the NAT rule and the phase 2 and the natting worked immediately.
It's as simple as described above. No virtual IP needed for natting the traffic. It's sufficient that the traffic is routed properly.
So I guess you did something wrong, or even the remote site did.