OPNsense

Author Topic: [SOLVED] IPSec NAT not working  (Read 4167 times)

Kofl

« on: May 05, 2018, 11:33:43 am »
Hello,

We are struggling with the setup of IPSec NAT, although I did it based on the documentation. So far the IPSec tunnel works fine:

Source Network: 192.168.16.0/24
Destination Network: 10.17.0.0/16

Now we also have to tunnel the source network 10.51.18.0/24 over that VPN connection.

Manual SPD entries: 10.51.18.0/24 for phase 2

Firewall: NAT: One-to-One
External network: 192.168.16.0/24
Source: 10.51.18.0/24
Destination: 10.17.0.0/16

But the packets are not translated; tcpdump shows:

IP 10.51.18.90 > 10.17.3.2: ICMP echo request

Any hint on what we are missing?

Thanks,
Thomas
« Last Edit: May 05, 2018, 02:36:31 pm by Kofl »

mimugmail

Re: IPSec NAT not working
« Reply #1 on: May 05, 2018, 12:29:29 pm »
On NAT, try Destination net /24 and try to ping an IP with 0.X

Perhaps a bug when netmasks are different
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

Kofl

Re: IPSec NAT not working
« Reply #2 on: May 05, 2018, 01:17:43 pm »
Thanks,

Unfortunately, same result:

Destination: 10.17.0.0/24

> ping 10.17.0.2

10.51.18.90 > 10.17.0.2: ICMP echo request

mimugmail

Re: IPSec NAT not working
« Reply #3 on: May 05, 2018, 01:24:32 pm »
Destination Peer is IP or FQDN in P1?

Kofl

Re: IPSec NAT not working
« Reply #4 on: May 05, 2018, 01:26:02 pm »
It's IP

Kofl

Re: IPSec NAT not working
« Reply #5 on: May 05, 2018, 01:59:38 pm »
rules.debug also looks fine:

Code:
binat on enc0 from 10.51.18.0/24 to 10.17.0.0/24 -> 192.168.16.0/24

It also makes no difference if I try NAT instead of BINAT:

Code:
nat on enc0 from 10.51.18.0/24 to 10.17.0.0/24 -> 192.168.16.0/24



« Last Edit: May 05, 2018, 02:27:38 pm by Kofl »

Kofl

Re: IPSec NAT not working
« Reply #6 on: May 05, 2018, 02:36:19 pm »
Solved,

https://doc.pfsense.org/index.php/NAT_with_IPsec_Phase_2_Networks:

Quote
In a packet capture, the actual address will be shown on outbound traffic, not the translated address. This does not indicate any problem.

As soon as the admin of the other site allowed the traffic, everything went fine:

Code:
14:31:26.676550 (authentic,confidential): SPI 0xbdb31e3b: IP 10.51.18.90 > 10.17.3.2: ICMP echo request, id 1, seq 873, length 40
14:31:26.712898 (authentic,confidential): SPI 0xcb1e1127: IP 10.17.3.2 > 192.168.16.90: ICMP echo reply, id 1, seq 873, length 40

Thanks @mimugmail
« Last Edit: May 05, 2018, 02:39:09 pm by Kofl »
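
The behaviour described in the quoted pfSense documentation can be verified from the enc0 capture itself. The Python sketch below is an added example, not part of the original posts: it pairs echo requests with replies and checks that each reply is addressed to the binat-translated source, even though the request is displayed with the untranslated one. The rule string is the thread's binat line with the original /16 destination (an assumption about the final configuration), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed input: the thread's binat line with the original /16 destination
# (assumed final configuration) and the two enc0 capture lines from the last post.
RULE = "binat on enc0 from 10.51.18.0/24 to 10.17.0.0/16 -> 192.168.16.0/24"
CAPTURE = """\
14:31:26.676550 (authentic,confidential): SPI 0xbdb31e3b: IP 10.51.18.90 > 10.17.3.2: ICMP echo request, id 1, seq 873, length 40
14:31:26.712898 (authentic,confidential): SPI 0xcb1e1127: IP 10.17.3.2 > 192.168.16.90: ICMP echo reply, id 1, seq 873, length 40
"""
RULE_RE = re.compile(r"binat on \S+ from (\S+) to (\S+) -> (\S+)")
PKT_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")

def parse_binat(rule):
    """Return the (internal, destination, external) networks of a binat rule."""
    m = RULE_RE.search(rule)
    if m is None:
        raise ValueError("not a binat rule: " + rule)
    internal, dest, external = (ipaddress.ip_network(g) for g in m.groups())
    if internal.prefixlen != external.prefixlen:
        raise ValueError("this sketch only handles equal-sized binat networks")
    return internal, dest, external

def translate(src, dst, rule):
    """Address the remote peer should see: host bits kept, network prefix swapped."""
    internal, dest, external = parse_binat(rule)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in internal or dst not in dest:
        return str(src)  # rule does not apply, address is unchanged
    return str(external.network_address + (int(src) - int(internal.network_address)))

def check_capture(capture, rule):
    """Pair requests with replies; return (shown_src, expected, reply_dst, ok) tuples."""
    pending, results = {}, []
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if m is None:
            continue
        src, dst, kind, icmp_id, seq = m.groups()
        if kind == "request":
            pending[(dst, icmp_id, seq)] = src  # keyed by the host being pinged
        elif (src, icmp_id, seq) in pending:
            shown = pending.pop((src, icmp_id, seq))
            expected = translate(shown, src, rule)
            results.append((shown, expected, dst, dst == expected))
    return results

if __name__ == "__main__":
    print(check_capture(CAPTURE, RULE))
```

A result tuple ending in `True` means the reply came back to the translated address, so the NAT is working even though the outbound line shows the real source.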