IPsec NAT not working

[fraenki]

OPNsense 15.7.11-amd64

Following the information given here I've added IPsec configuration to NAT a local network before sending the traffic through the tunnel. But it seems that this IPsec-related NAT configuration is not working on OPNsense.

Setup:

• IPsec tunnel network: 172.16.1.0/24 (local) <=> 10.1.2.0/24 (remote)
• NAT network: 192.168.0.0/24 should be translated to 172.16.1.254 for destination 10.1.2.0/24

I can see that a NAT rule is actually added:

# pfctl -s nat | grep 10.1.2.0
nat on enc0 inet from 192.168.0.0/24 to 10.1.2.0/24 -> 172.16.1.254

When doing a ping 10.1.2.1 from a host in 192.168.0.0/24, I can see with tcpdump that the packets arrive at the appropiate firewall interface, but they are not forwarded to 10.1.2.0/24 (at least there is no matching traffic on interface enc0).

The states table shows this:

# pfctl -ss |grep 10.1.2.1
all icmp 10.1.2.1:26770 <- 192.168.0.1:26770       0:0
all icmp XXX_WAN_IP_XXX:65464 (192.168.0.1:26770) -> 10.1.2.1:65464       0:0

The firewall log does not show any denied packages.

[fraenki]

Just discovered a similar report:
https://forum.opnsense.org/index.php?topic=989.0

[AdSchellevis]

@fraenki we've tested the feature and could reproduce the issue over here. There we're two issues:

1. ipfw (traffic shaper, captive portal) was blocking your traffic, a6c6016 fixes this issue
2. The identification of the leftsubnet was faulty, which caused connection issues after reboot. This should be fixed by c72484e

If you have the time, could you test the fixes on your end as well?
I will close this issue for now, if for some reason it's not completely solved, just let me know and we will reopen it.

[AdSchellevis]

Thanks to markt.de for funding this fix!

[fraenki]

@AdSchellevis Good job! Works as expected now. :-)