IPSec Site-to-Site with one Site behind NAT

[vince]

So far this seems like a pretty straightforward thing to do, but it's only working partitially and I have no clue as to why. And I got lost in way to many posts like this one and helpful sites explaining stuff about ipsec. I really hope someone here can shed some light on this.

setup:
remote site | host R --- FW R === WAN_NAT L == FW L --- host L | local site

Net R: host R, FW R
Net DMZ: WAN_NAT L, FW L
Net L: FW L, host L

FW R:
* single opnsense box
* local ident: FW R public ip (static)
* remote ident: WAN_NAT L public ip (static)

WAN_NAT L:
* business dsl router only used for pppoe
* DMZ: CARP IP NET DMZ FW L
* NAT from NET DMZ to public ip (static)

FW_L:
* HA-setup with tunnel originating from host-ip (not the carp virtual ip)
* NAT from CARP in NET L to CARP in NET DMZ
* Outbound NAT: NET L to ! NET L via CARP IP NET L FW L
* local ident: WAN_NAT L public ip (static)
* remote ident: FW R public ip (static)

fw rules (FW R & FW L):
* allow everything on IF ipsec

connectivity (icmp/ssh/https):
Host R -> FW L: no
Host R -> Host L: no
Host L -> FW R: yes
Host L -> Host R: yes
FW R -> FW L: no
FW L -> FW R: no

FW R "ipsec statusall"

Code: [Select]

Status of IKE charon daemon (weakSwan 5.6.3, FreeBSD 11.1-RELEASE-p10, amd64):
  uptime: 45 minutes, since Jun 28 13:44:15 2018
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
Listening IP addresses:
  <public IP FW R>
  <NET R IP FW R>
Connections:
        con1:  <public IP FW R>...<public IP FW L>  IKEv2, dpddelay=30s
        con1:   local:  [<public IP FW R>] uses pre-shared key authentication
        con1:   remote: [<public IP FW L>] uses pre-shared key authentication
        con1:   child:  <NET R> === <NET L> TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
        con1[1]: ESTABLISHED 45 minutes ago, <public IP FW R>[<public IP FW R>]...<public IP FW L>[<public IP FW L>]
        con1[1]: IKEv2 SPIs: af539d1d52e4b970_i db82b64dfdb13183_r*, pre-shared key reauthentication in 6 hours
        con1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
        con1{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c9b931a6_i ccc8da4d_o
        con1{3}:  AES_CBC_256/HMAC_SHA2_512_256/MODP_2048, 65187 bytes_i (900 pkts, 0s ago), 152716 bytes_o (929 pkts, 0s ago), rekeying in 39 minutes
        con1{3}:   <NET R> === <NET L>

FW L "ipsec statusall"

Code: [Select]

Status of IKE charon daemon (strongSwan 5.6.3, FreeBSD 11.1-RELEASE-p10, amd64):
  uptime: 47 minutes, since Jun 28 13:44:19 2018
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 10
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
Listening IP addresses:
  <NET DMZ IP FW L>
  <NET DMZ CARP IP FW L>
  <HA SYNC IP>
  <NET L IP FW L>
  <CARP IP NET L FW L>
Connections:
        con1:  <NET DMZ IP FW L>...<public IP FW R>  IKEv2, dpddelay=300s
        con1:   local:  [<public IP FW L>] uses pre-shared key authentication
        con1:   remote: [<public IP FW R>] uses pre-shared key authentication
        con1:   child:  <NET L> === <NET R> TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
        con1[1]: ESTABLISHED 47 minutes ago, <NET DMZ IP FW L>[<public IP FW L>]...<public IP FW R>[<public IP FW R>]
        con1[1]: IKEv2 SPIs: af539d1d52e4b970_i* db82b64dfdb13183_r, pre-shared key reauthentication in 6 hours
        con1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
        con1{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccc8da4d_i c9b931a6_o
        con1{5}:  AES_CBC_256/HMAC_SHA2_512_256/MODP_2048, 1509939 bytes_i (2455 pkts, 1s ago), 301572 bytes_o (1971 pkts, 1s ago), rekeying in 37 minutes
        con1{5}:   <NET L> === <NET R>

What seems to be a bit weird to me is that there is no part like

Code: [Select]

Routed Connections:
        con1{2}:  ROUTED, TUNNEL, reqid 2
        con1{2}:   <NET X> === <NET Y>
like on another ipsec connection we have running. Is this part even needed?


So, in the end it comes down to two questions:
1) what went wrong regarding connectivity?
2) (bonus) how do I get a failover tunnel from an HA-FW to another site?

If there is more info needed I would be happy to provide that. All boxes are running 18.1.10 btw.

[franco]

Did you check this already? https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html


Cheers,
Franco

[mimugmail]

Stop Tunnels and start ping in host L and check the logs of FW L

[mimugmail]

P.S.: I for myself prefer ID private IP instead of WAN IP

[vince]

Did you check this already? https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html


Cheers,
Franco

No, I did not figure I need to, since I do not have the same network in use in multiple locations. Do I still need to use BINAT, and if so, why?