opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

IPsec NAT not working #369

Closed fraenki closed 9 years ago

fraenki commented 9 years ago

OPNsense 15.7.11-amd64

Following the information given here I've added IPsec configuration to NAT a local network before sending the traffic through the tunnel. But it seems that this IPsec-related NAT configuration is not working on OPNsense.

Setup:

I can see that a NAT rule is actually added:

# pfctl -s nat | grep 10.1.2.0
nat on enc0 inet from 192.168.0.0/24 to 10.1.2.0/24 -> 172.16.1.254

When doing a ping 10.1.2.1 from a host in 192.168.0.0/24, I can see with tcpdump that the packets arrive at the appropriate firewall interface, but they are not forwarded to 10.1.2.0/24 (at least there is no matching traffic on interface enc0).

The states table shows this:

# pfctl -ss |grep 10.1.2.1
all icmp 10.1.2.1:26770 <- 192.168.0.1:26770       0:0
all icmp XXX_WAN_IP_XXX:65464 (192.168.0.1:26770) -> 10.1.2.1:65464       0:0

The firewall log does not show any denied packages.
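As an added diagnostic example (not code from the issue or from the OPNsense project): in the state table above, the second line shows the ICMP echo leaving with the WAN address as its translated source rather than the 172.16.1.254 configured in the enc0 NAT rule, so the IPsec NAT rule did not apply to that flow. The script below parses `pfctl -s nat` and `pfctl -ss` output of that shape (sample text constructed from the report, with 203.0.113.10 assumed as the WAN IP) and reports states to the remote subnet whose translated source does not match the applicable IPsec NAT rule.

```python
import ipaddress
import re

# Constructed sample output in the shape of the issue's pfctl output.
NAT_RULES = "nat on enc0 inet from 192.168.0.0/24 to 10.1.2.0/24 -> 172.16.1.254\n"
STATES = (
    "all icmp 10.1.2.1:26770 <- 192.168.0.1:26770       0:0\n"
    "all icmp 203.0.113.10:65464 (192.168.0.1:26770) -> 10.1.2.1:65464       0:0\n"
)

NAT_RE = re.compile(r"^nat on (\S+) inet from (\S+) to (\S+) -> (\S+)$")
# Only outbound NATed states carry the "(original src:port)" part.
STATE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) \((\S+):(\d+)\) -> (\S+):(\d+)")


def parse_nat_rules(text):
    """Parse 'nat on <if> inet from <src> to <dst> -> <addr>' lines."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            iface, src, dst, to = m.groups()
            rules.append({
                "iface": iface,
                "src": ipaddress.ip_network(src),
                "dst": ipaddress.ip_network(dst),
                "to": ipaddress.ip_address(to),
            })
    return rules


def check_states(states_text, rules):
    """Return (orig_src, dst, translated, expected) for every NATed state
    that matches a rule's src/dst but was translated to a different address."""
    problems = []
    for line in states_text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # inbound half of the state pair, or not NATed
        _, _, trans_ip, _, orig_ip, _, dst_ip, _ = m.groups()
        orig = ipaddress.ip_address(orig_ip)
        dst = ipaddress.ip_address(dst_ip)
        trans = ipaddress.ip_address(trans_ip)
        for r in rules:
            if orig in r["src"] and dst in r["dst"] and trans != r["to"]:
                problems.append((str(orig), str(dst), str(trans), str(r["to"])))
    return problems


if __name__ == "__main__":
    for p in check_states(STATES, parse_nat_rules(NAT_RULES)):
        print("state %s -> %s translated to %s, expected %s" % p)
```

On a live system feed it the real output of `pfctl -s nat` and `pfctl -ss`; an empty result means every state into the remote subnet was translated by the IPsec rule.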

fraenki commented 9 years ago

Just discovered a similar report: https://forum.opnsense.org/index.php?topic=989.0

AdSchellevis commented 9 years ago

@fraenki we've tested the feature and could reproduce the issue over here. There were two issues:

1) ipfw (traffic shaper, captive portal) was blocking your traffic; https://github.com/opnsense/core/commit/a6c6016fa79a4c76379c7d64134f941d12ff973f fixes this issue.
2) The identification of the leftsubnet was faulty, which caused connection issues after reboot. This should be fixed by https://github.com/opnsense/core/commit/c72484ec9e1d9f341df5c0bf3a0bd5f3f09483a7

If you have the time, could you test the fixes on your end as well? I will close this issue for now, if for some reason it's not completely solved, just let me know and we will reopen it.

AdSchellevis commented 9 years ago

Thanks to markt.de for funding this fix!

fraenki commented 9 years ago

@AdSchellevis Good job! Works as expected now. :-)