Ipsec with 1:n NAT and virtual IP

Started by m256, November 24, 2024, 04:47:32 PM

Hello,
I read through all the docs but I'm still not sure how I am meant to do that.
My setup: WAN (192.168.4.2), LAN (10.0.0.5/24). I just need to access remote networks over the IPsec tunnel; nothing needs to be reachable from the other side. The remote side requires me to have the local network for P2 set to 192.168.5.1/32, and I am doing NAT before IPsec. Unfortunately, it seems like NAT is not taking place before IPsec no matter what I do. The tunnel is established and the traffic is allowed.
I tried outgoing NAT, one-to-one NAT, playing around with virtual IP aliases, routing, etc.
Should I use reqid + manual SPD instead? Or maybe VTI?
Please help, I have already spent more nights than expected on that :(

BTW, I found out I need to set 192.168.5.1 in P1, otherwise the tunnel is not established.


So you might already have a P2 with 192.168.5.1 as the local address and the proper remote network.

Then you need a one-to-one NAT rule:
Interface: IPSec
Type: NAT
External network: 192.168.5.1/32
Source: 10.0.0.0/24 (your local network)
Destination: remote network

This NAT rule should translate the source IP to 192.168.5.1 when the packet goes out to IPsec.

I tried that, but it didn't work. tcpdump showed no NAT took place. Seems like IPsec precedes the NAT rules.

The NAT should happen before IPsec. IPsec should only see 192.168.5.1 as the local IP, which is configured in its P2.
Hence, I'd expect to see 192.168.5.1 as the source in packets on the IPsec interface.

The source NAT only takes place if an interface with the IP address exists on your local firewall.

Try creating a VIP or loopback interface with the IP you want to use for the source NAT.
Hardware:
DEC740

I have already tried making 192.168.5.1 (the IP I want my local network to be for the remote side of the tunnel) an IP alias on loopback, WAN and LAN, but no luck. Didn't try making it non-virtual yet.
Because of that and other posts here on the forum I thought manual SPD entries were the only way to go.
What's strange is that the P1 local ID seems to affect what IP is going to be used for the IKE connection: if I go with 192.168.5.1 the IKE packet is not being sent out; if I enter my WAN IP into the P1 ID, the tunnel gets connected.


Okay, I just tested this on my IPsec to a remote pfSense instance.
I created the NAT rule and the phase 2, and the NATting worked immediately.

It's as simple as described above. No virtual IP needed for NATting the traffic. It's sufficient that the traffic is routed properly.

So I guess you did something wrong, or even the remote site did.

Thanks for your reply.
I kept getting this error when no virtual IP alias was assigned:
04[NET] error writing to socket: Can't assign requested address

Did you try to reconnect the P1?

Is the stated IP configured as local in the P2?

December 01, 2024, 09:03:59 AM #9 Last Edit: December 01, 2024, 09:07:52 AM by m256
I kept getting this error when no virtual IP alias was assigned
- that's a bit of a different topic, but it seems like OPNsense uses the "Local addresses" textbox in IPsec not only for P1 auth, but for outgoing IKE traffic as well. So you can't just use whatever IP you want; you have to use your WAN IP. If that's true, you probably have to use a virtual IP for your WAN if the WAN is behind NAT and might keep changing.

Quote from: m256 on December 01, 2024, 09:03:59 AM
I kept getting this error when no virtual IP alias was assigned
- that's a bit of a different topic, but it seems like OPNsense uses the "Local addresses" textbox in IPsec not only for P1 auth,
So you have configured a "new connection".
I don't know if NAT works with that. I can't even see where you can state the P2 local network in these settings.

I was talking about the legacy tunnel settings with P1 and P2.