Author Topic: IPSEC + BiNAT: manual spd entries added wrong  (Read 3437 times)

ruffy91

  • Jr. Member
  • **
  • Posts: 79
  • Karma: 9
    • View Profile
IPSEC + BiNAT: manual spd entries added wrong
« on: May 29, 2018, 10:41:49 am »
I have the following config:

Firewall A:
- Local Interface "LAN" 10.1.0.1/24

- 2 IPSEC Tunnels A+B

- Phase 1 to Firewall B: irrelevant
- Phase 2 to Firewall B:
  - Tunnel A is 10.1.0.0/24 local to 10.2.0.0/24 remote

- Phase 1 to Firewall C: irrelevant
- Phase 2 to Firewall C:
  - Tunnel B is 10.3.0.0/24 local to 10.4.0.0/24 remote
  - Tunnel B also has Manual SPD Entries: 10.1.0.0/24

Firewall C:
- Phase 1 to Firewall A: irrelevant
- Phase 2 to Firewall A:
  - Tunnel B is 10.4.0.0/24 local to 10.4.0.0/24 remote


We now have a BiNAT setup for:
Interface: IPSEC
Type: BiNAT
External Net: 10.3.0.0/24
Source: 10.1.0.0/24
Destination: 10.4.0.0/24

We now send a packet from 10.1.0.100 to 10.4.0.1.100.
We see the packet arrive on "LAN" in a packet dump.
We do NOT see the packet on the "IPSEC" interface.

As a second test, we send a packet from 10.1.0.100 to 10.2.0.100; we can see it on "LAN" and also on the "IPSEC" interface.

I conclude that our packet gets lost between the LAN and IPSEC interfaces on our OPNsense.
Can anyone give me a hint on how to troubleshoot this issue?

Edit:
- clarified configuration
« Last Edit: May 29, 2018, 01:00:41 pm by ruffy91 »
Logged

ruffy91

  • Jr. Member
  • **
  • Posts: 79
  • Karma: 9
    • View Profile
Re: IPSEC + BiNAT: packet gets lost
« Reply #1 on: May 29, 2018, 12:23:03 pm »
OK,

We are affected by:
https://github.com/opnsense/core/issues/2173
https://github.com/opnsense/core/issues/1773

We manually added the correct spd and it works.
But this does not survive a reboot.

How can we make the spdadd entry persistent?

Edit:
We added a sh script in /usr/local/etc/rc.syshook.d/99-spdadd.start:

    #!/bin/sh
    /sbin/setkey -f /usr/local/scripts/ipsec/spd.conf

In spd.conf we added the required entries:

    spdadd <src_net> <dst_net> any -P out ipsec esp/tunnel/<local_wan_ip>-<remote_wan_ip>/unique:<id>;

The spd entry now survives reboots.
« Last Edit: May 29, 2018, 02:47:38 pm by ruffy91 »
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 13976
  • Karma: 1211
    • View Profile
Re: IPSEC + BiNAT: manual spd entries added wrong
« Reply #2 on: May 29, 2018, 06:39:15 pm »
Not sure how we can put this into a feature yet.

Are these dynamic IPs? Do these belong to a particular phase 2? Why is this manual creation necessary?


Cheers,
Franco
Logged

ruffy91

  • Jr. Member
  • **
  • Posts: 79
  • Karma: 9
    • View Profile
Re: IPSEC + BiNAT: manual spd entries added wrong
« Reply #3 on: May 30, 2018, 12:15:30 am »
I have 2 independent problems which both lead to wrong entries:

Multiple phase 2 entries -> spd entry belongs to the specific phase 2 where I added it in the UI

Remote is behind NAT -> peer identifier is a private ip (10.200.x.x) in this case which is added to the spd instead of the real IP (62.x.x.x) which should be used for the spd.


The desired behaviour would be to take the part after "out ipsec" from the spd entry of the existing phase 2 tunnel where we added the Additional SPD in the UI.
Logged
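One way to script what Reply #3 asks for, as an added example that is not from this thread or from the OPNsense project: a POSIX sh helper that looks up the existing phase 2 policy in a `setkey -DP` dump and copies its "esp/tunnel/<local>-<remote>/unique:<id>" part onto an spdadd line for the additional network, so the tunnel endpoints and reqid come from the kernel rather than from the (possibly NATed) peer identifier. The dump format below and the sample policy with RFC 5737 WAN addresses are constructed assumptions; the `tunnel_spec` and `spd_rule` names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or OPNsense): build the "additional SPD"
# spdadd line for an extra local network by reusing the esp/tunnel/... part of
# the phase 2 policy that the kernel already holds.

# Constructed sample of `setkey -DP` output for Tunnel B of the thread
# (assumed FreeBSD-style layout, placeholder RFC 5737 WAN addresses).
SAMPLE_DUMP='10.3.0.0/24[any] 10.4.0.0/24[any] any
	out ipsec
	esp/tunnel/203.0.113.10-198.51.100.20/unique:2
	spid=16 seq=1 pid=4242
	refcnt=1
10.4.0.0/24[any] 10.3.0.0/24[any] any
	in ipsec
	esp/tunnel/198.51.100.20-203.0.113.10/unique:2
	spid=15 seq=0 pid=4242
	refcnt=1
'

# tunnel_spec DUMP LOCAL_NET REMOTE_NET DIRECTION
# Prints the esp/tunnel/... token of the policy whose selector is
# "<LOCAL_NET>[any] <REMOTE_NET>[any]" in the given direction; prints
# nothing if no such policy exists in the dump.
tunnel_spec() {
    printf '%s\n' "$1" | awk -v l="$2" -v r="$3" -v d="$4" '
        # A selector line starts in column 0: "<src>[any] <dst>[any] any".
        /^[^ \t]/ { want = ($1 == l "[any]" && $2 == r "[any]"); dir_ok = 0 }
        want && $1 == d && $2 == "ipsec" { dir_ok = 1; next }
        want && dir_ok && $1 ~ /^esp\/tunnel\// { print $1; exit }
    '
}

# spd_rule DUMP EXTRA_NET LOCAL_NET REMOTE_NET
# Emits the outbound spdadd line for EXTRA_NET -> REMOTE_NET that reuses the
# existing LOCAL_NET -> REMOTE_NET tunnel; fails if that policy is missing,
# so a wrong endpoint is never guessed.
spd_rule() {
    t=$(tunnel_spec "$1" "$3" "$4" out)
    [ -n "$t" ] || return 1
    printf 'spdadd %s %s any -P out ipsec %s;\n' "$2" "$4" "$t"
}

# Same situation as the thread: 10.1.0.0/24 added to Tunnel B (10.3/24 -> 10.4/24).
spd_rule "$SAMPLE_DUMP" 10.1.0.0/24 10.3.0.0/24 10.4.0.0/24
```

On a live box the dump would come from `setkey -DP` and the emitted line would go into the spd.conf that the rc.syshook script loads.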
