opensense-docs/source/manual/how-tos/ipsec-s2s-binat.rst

=================================
IPSec BINAT (NAT before IPSec)
=================================


.. nwdiag::
  :scale: 100%

    nwdiag {

      span_width = 90;
      node_width = 180;

      network LANA {
        label = " LAN Site A";
        address ="10.0.1.0/24";
        lana [label="Network A"];
      }

      network NATA {
        label = " Tunnel network";
        address ="192.168.1.0/24";
        lana [label="Network A"];
        virtuala [label="Virtual net A", shape = cloud];
      }

      network NATB {
        label = " Tunnel network";
        address ="192.168.2.0/24";
        virtuala [label="Virtual net A", shape = cloud]
        virtualb [label="Virtual net B", shape = cloud];
      }

      network LANB  {
        label = " LAN Site B";
        virtualb [label="Virtual net B", shape = cloud];
        lanb [label="Network B"];
      }

    }


Assume company A has local LAN 10.0.1.0/24 and company B has local LAN 10.0.2.0/24.
Also we assume that on both sides the other networks are already in use, e.g. in company A the network 10.0.2.0/24 is used for Voice and in company B network 10.0.1.0/24 is used for Guest Wi-Fi.

We have to define new networks for the Phase 2 with unused ones and create NAT entries to reach the final systems.

To make it easier we create a Phase2 with company A using 192.168.1.0/24 as *Local Network* and 192.168.2.0/24 as *Remote Network* and with company B using 192.168.2.0/24 as *Local network* and 192.168.1.0/24 as *Remote Network*.
Now we need to add on each side the local LAN in the field "Manual SPD entries". So for company A we set 10.0.1.0/24 in the field and for B 10.0.2.0/24.
This allows the NAT process to speak with the Security Policy Database.

Finally we have to create NAT entries since a client in LAN A (10.0.1.10) tries to reach 192.168.2.10, but this address has to be rewritten to 10.0.2.10 on Firewall B.

Create the rule like in the screenshot and vice versa on Firewall A:

.. image:: images/opnsense_nat_binat_ipsec.png
IPsec: nat before ipsec, add graph and limitation 2020-02-26 15:32:24 +00:00			`=================================`
			`IPSec BINAT (NAT before IPSec)`
			`=================================`


			`.. nwdiag::`
			`:scale: 100%`

			`nwdiag {`

			`span_width = 90;`
			`node_width = 180;`

			`network LANA {`
			`label = " LAN Site A";`
			`address ="10.0.1.0/24";`
			`lana [label="Network A"];`
			`}`

			`network NATA {`
			`label = " Tunnel network";`
			`address ="192.168.1.0/24";`
			`lana [label="Network A"];`
			`virtuala [label="Virtual net A", shape = cloud];`
			`}`

			`network NATB {`
			`label = " Tunnel network";`
			`address ="192.168.2.0/24";`
			`virtuala [label="Virtual net A", shape = cloud]`
			`virtualb [label="Virtual net B", shape = cloud];`
			`}`

			`network LANB {`
			`label = " LAN Site B";`
			`virtualb [label="Virtual net B", shape = cloud];`
			`lanb [label="Network B"];`
			`}`

			`}`

Add article for BINAT with IPSEC like in core/#440 (#12) 2018-02-28 15:43:29 +00:00
			`Assume company A has local LAN 10.0.1.0/24 and company B has local LAN 10.0.2.0/24.`
Fix scaling of small images, fix typos, clarify IPsec s2s (#78) 2018-11-07 16:45:54 +00:00			`Also we assume that on both sides the other networks are already in use, e.g. in company A the network 10.0.2.0/24 is used for Voice and in company B network 10.0.1.0/24 is used for Guest Wi-Fi.`
Add article for BINAT with IPSEC like in core/#440 (#12) 2018-02-28 15:43:29 +00:00
			`We have to define new networks for the Phase 2 with unused ones and create NAT entries to reach the final systems.`

docs(ipsec): Gives hint for Phase 2 local network (#239) 2020-03-27 10:23:34 +00:00			`To make it easier we create a Phase2 with company A using 192.168.1.0/24 as Local Network and 192.168.2.0/24 as Remote Network and with company B using 192.168.2.0/24 as Local network and 192.168.1.0/24 as Remote Network.`
Add article for BINAT with IPSEC like in core/#440 (#12) 2018-02-28 15:43:29 +00:00			`Now we need to add on each side the local LAN in the field "Manual SPD entries". So for company A we set 10.0.1.0/24 in the field and for B 10.0.2.0/24.`
			`This allows the NAT process to speak with the Security Policy Database.`

			`Finally we have to create NAT entries since a client in LAN A (10.0.1.10) tries to reach 192.168.2.10, but this address has to be rewritten to 10.0.2.10 on Firewall B.`

IPsec: nat before ipsec, add graph and limitation 2020-02-26 15:32:24 +00:00			`Create the rule like in the screenshot and vice versa on Firewall A:`
Add article for BINAT with IPSEC like in core/#440 (#12) 2018-02-28 15:43:29 +00:00
			`.. image:: images/opnsense_nat_binat_ipsec.png`