Archives/opensense-docs
2
0
Fork 0
mirror of https://github.com/opnsense/docs synced 2024-11-18 21:28:29 +00:00
Code Issues Projects Releases Wiki Activity
5b694358f7
opensense-docs/source/manual/how-tos/ipsec-s2s-conn-binat.rst

108 lines
3.7 KiB
ReStructuredText
Raw Normal View History

VPN/IPsec - add NAT before IPsec example.
2022-12-29 16:34:38 +00:00
========================================
IPsec - NAT before IPsec
========================================
.. contents:: Index
--------------------------------
Network topology
--------------------------------
The schema below describes the situation we are implementing.
Two networks (A,B) to peer both firewalls, where the Ipsec policy includes :code:`10.1.0.0/24 <-> 192.168.1.0/24`,
but locally side A uses :code:`10.99.0.0/24`.
How to setup the tunnel itself is explained in the :doc:`ipsec-s2s-conn` document.
.. nwdiag::
:scale: 100%
nwdiag {
span_width = 90;
node_width = 180;
network A {
address = "[real] 10.99.0.0/24\n[policy] 10.1.0.0/24";
pclana [label="PC Site A\n10.99.0.20",shape="cisco.pc"];
fwa [shape = "cisco.firewall", address="10.99.0.1/24"];
}
network Ext {
address = "10.10.1.0/24";
label = "Ext";
fwa [shape = "cisco.firewall", address="10.10.1.1/24"];
fwb [shape = "cisco.firewall", address="10.10.1.2/24"];
}
network B {
address = "192.168.1.0/24"
fwb [shape = "cisco.firewall", address="192.168.1.20"];
pclanb [label="PC Site B\n192.168.1.20",shape="cisco.pc"];
}
}
--------------------------------
Preparations
--------------------------------
Make sure the tunnel is up and running before trying out the NAT part, then edit the child entry and input a :code:`Reqid`
there which isn't used in any of the other tunnels. For this example we choose :code:`100` here.
.. Note::
It's imperative to choose a static number here in order to be able to bind policies to the current tunnel.
--------------------------------
Add manual security policies
--------------------------------
In order for IPsec to trust the local network (:code:`10.99.0.0/24`) a manual policy needs to be added, go to
the "Manual" tab in :menuselection:`VPN->IPsec->Security Policy Database`. Next add a new entry containing the following items:
===========================================
======================= ===================
Property site A
======================= ===================
Reqid **100**
Source network **10.0.99.0/24**
======================= ===================
.. Tip::
When the "Destination network" is left empty, the other end (in this case 192.168.1.0/24) will be received from the tunnel.
In case multiple networks exist in the same child policy it's better to define which one this entry belongs too.
.. Tip::
After changing manual security policies, make sure the tunnel is reconnected (restart or disconnect and connect)
as the registration is being arranged using an `updown event <https://docs.strongswan.org/docs/5.9/plugins/updown.html>`__
--------------------------------
Configure NAT
--------------------------------
To map the networks, we will use a one to one rule created from the :menuselection:`Firewall->NAT->One-to-One` menu option.
The following settings apply here:
=================================================================================
======================= =================== =====================================
Property site A Notes
======================= =================== =====================================
Interface **IPsec**
Type **BINAT** Two way mapping
External network **10.1.0.0** As defined in the child connection
Source **10.99.0.0/24** The local network
Destination **192.168.1.0/24** The remote network
======================= =================== =====================================
.. Note::
When using BINAT all networks need to be equally sized (:code:`/24` in this case)
Reference in New Issue Copy Permalink