
Trouble routing a packet from site A via site B to site C (with SNAT)

I have something strange for the following situation.

VPN connection between site A and site B (tried both policy-based and route-based) and a policy-based VPN-connection between site B and site C.

Intention is to reach site C from site A while there is no possibility to add Site A's subnet to the tunnel between B and C. Therefore from B the traffic should be SNATted to a site B ip-address.

  • Site C's subnet is in the tunnel between site A and site B.
  • Site A can successfully reach resources at site B.
  • Subnet Site A: 10.0.0.0/24
  • Subnet Site B: 192.168.21.0/24
  • Subnet Site C: 10.23.1.0/24

At site B we did a packet capture to see what happens with the traffic. This is what happens with a ping from site A to site B, which is the expected output: the packet comes in and gets forwarded, the reply comes in and gets forwarded back to the source:

However, when pinging site C we see the packet arriving on ipsec0 just as above, but the second packet is weird: it lists traffic from ipsec0 to ipsec0 with status Generated (not Forwarded), with the source and destination address inverted, and the pinging station at site A receives a really strange output:

  • I tried adding ipsec_route to 10.23.1.0/24 net from the console at site B
  • tried it without the ipsec_route
  • for route-based VPN I also created a SD-WAN route to 10.0.0.0/24 network to the tunnel interface
  • Route precedence is: VPN, SD-WAN, Static
  • tried to NAT traffic for 10.23.1.0/24 with a firewall rule and a linked NAT rule
  • tried to NAT this subnet directly from the policy-based IPsec connection

Most of the time it is just a request timeout and at some config we got the above strange output from ping.

Site A is an OPNsense firewall, site B is the Sophos XG with SFOS 19.5.3 MR-3 on it. Site C has a Cisco firewall IIRC.

I don't know what else I can try or where I am making a thinking error. I have similar setups at other sites where traffic from A is SNATted at B towards C, and they all work flawlessly, but not on this occasion.

Anyone have a clue what I'm missing and why the packet capture status says Generated instead of Forwarded?



Added TAGs
[edited by: Raphael Alganes at 1:52 AM (GMT -7) on 12 Jul 2024]
  • Hi,

    Let me take time to put down a clear topology:

                                                        clientB
                                                           |
    clientA---SiteA(OPNsense)---route-based tunnel---SiteB(SFOS)---policy-based IPsec tunnel---SiteC(Cisco)---clientC

    It is possible for clientA to reach clientC:

    1) Keep the route-based IPsec tunnel between SiteA and SiteB; on SFOS (SiteB), choose IP version: IPv4, traffic selectors: Any, Any; please check whether Any/Any traffic selectors are supported on OPNsense.

    2) Assign an IP address to the xfrm interface on SiteB and also on SiteB's interface.

    3) In SiteA, add two static routes: one to reach the clientB subnet via the tunnel interface (or its equivalent on OPNsense); a second route to reach clientC via the tunnel interface.

        In SiteB, add a static route to reach clientA via the xfrm interface.

    4) On SiteB, create a policy-based IPsec tunnel with local subnets = clientA subnet, clientB subnet; remote subnet = clientC subnet.

    5) On SiteC, create a policy-based IPsec tunnel with local subnet = clientC subnet; remote subnets = clientA subnet, clientB subnet.

    * Add firewall rules on each of the sites correctly and routing on clients appropriately. 

    * clientA can reach clientC and vice versa.

    Let us know how it goes.

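To make the difference between the two approaches in this thread concrete, here is an added example (constructed for this page, not code from the poster, Sophos or OPNsense): a toy model of what a policy-based IPsec tunnel carries, versus a route-based xfrm interface whose Any/Any selectors let the static route table decide. It walks one ping from clientA to clientC through site B under the poster's configuration (B-C tunnel only lists site B's subnet, with and without SNAT) and under the answer's configuration (clientA's subnet listed as a local subnet of the B-C tunnel, steps 3 to 5). The subnets are the ones from the post; first-match selector lookup, SNAT being applied before the tunnel lookup, and the SNAT address 192.168.21.1 are assumptions.

```python
# Added example (not from the thread or from Sophos/OPNsense): toy model of
# IPsec traffic-selector matching at site B for the three-site topology.
# Assumptions: first-match selector lookup; SNAT applied before the lookup.
import ipaddress
from dataclasses import dataclass

SITE_A = ipaddress.ip_network("10.0.0.0/24")      # clientA subnet (site A)
SITE_B = ipaddress.ip_network("192.168.21.0/24")  # clientB subnet (site B)
SITE_C = ipaddress.ip_network("10.23.1.0/24")     # clientC subnet (site C)


@dataclass
class PolicyTunnel:
    """Policy-based IPsec: only configured (local, remote) selector pairs are carried."""
    name: str
    local: tuple
    remote: tuple

    def carries(self, src, dst):
        return any(src in n for n in self.local) and any(dst in n for n in self.remote)


@dataclass
class RouteTunnel:
    """Route-based IPsec (xfrm interface) with Any/Any selectors: the static
    route table decides what enters it, not the selectors."""
    name: str
    routes: tuple  # destination networks whose static route points at this interface

    def carries(self, src, dst):
        return any(dst in n for n in self.routes)


@dataclass
class Snat:
    match_src: ipaddress.IPv4Network
    match_dst: ipaddress.IPv4Network
    to: ipaddress.IPv4Address  # site B address to hide behind (assumed value below)


def egress_from_site_b(src, dst, tunnels, snat_rules=()):
    """Return (source address actually sent, tunnel name or None) for a packet
    that site B has to forward. SNAT runs before the tunnel lookup (assumption)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in snat_rules:
        if src in rule.match_src and dst in rule.match_dst:
            src = rule.to
            break
    for t in tunnels:
        if t.carries(src, dst):
            return str(src), t.name
    return str(src), None  # no selector or route matched: not sent to any peer


# Poster's configuration: the B-C tunnel only knows site B's own subnet.
OP_TUNNELS = (
    RouteTunnel("xfrm_to_A", routes=(SITE_A,)),
    PolicyTunnel("ipsec_to_C", local=(SITE_B,), remote=(SITE_C,)),
)
OP_SNAT = (Snat(SITE_A, SITE_C, ipaddress.ip_address("192.168.21.1")),)  # assumed address

# Answer's configuration (steps 3 to 5): clientA's subnet is a local subnet of
# the B-C tunnel, and site C lists it as a remote subnet.
ANSWER_TUNNELS = (
    RouteTunnel("xfrm_to_A", routes=(SITE_A,)),
    PolicyTunnel("ipsec_to_C", local=(SITE_A, SITE_B), remote=(SITE_C,)),
)


def compare():
    """Walk a ping from clientA to clientC (and the reply) through both setups."""
    results = {}
    # Poster's setup without SNAT: no selector matches, so no tunnel is chosen.
    results["op_no_snat"] = egress_from_site_b("10.0.0.10", "10.23.1.5", OP_TUNNELS)
    # Poster's setup with SNAT: the translated source matches the B-C selector,
    # and the reply is addressed to site B itself rather than to clientA.
    results["op_snat"] = egress_from_site_b("10.0.0.10", "10.23.1.5", OP_TUNNELS, OP_SNAT)
    # Answer's setup: the original source is carried, and the reply from
    # clientC is steered into the xfrm interface by the static route.
    results["answer_fwd"] = egress_from_site_b("10.0.0.10", "10.23.1.5", ANSWER_TUNNELS)
    results["answer_reply"] = egress_from_site_b("10.23.1.5", "10.0.0.10", ANSWER_TUNNELS)
    return results


if __name__ == "__main__":
    for case, (src, tunnel) in compare().items():
        print(f"{case:13s} src={src:14s} tunnel={tunnel}")
```

The model only shows which side of the selector check each design lands on; it says nothing about why the SNAT variant misbehaved on this particular box, which the capture in the post does not explain. What it does make visible is that with the answer's layout the clientA subnet must appear in three places (site B's route to the xfrm interface, site B's local selectors, and site C's remote selectors), and that if any of them is missing the packet falls into the `None` branch.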
