Advice on IPSec / Nat network


#1

[attachment: network diagram]

I’m new to VyOS, and more an infrastructure person than a networking one. However, I am putting together the network in the picture.

I have a VM on Azure that is NAT’d behind 1.1.1.1.
There is a Cisco ASA running IPsec at 2.2.2.2.
Through the tunnel, there is a web server at 3.3.3.3; I can only use 10.1.1.1 to access it.

On my end, there is a web app that needs to be connected to the web app.

So far I have managed to bring the VPN up, but I’m unable to get any traffic to flow through the tunnel.

I am unsure of the best approach for the subnet.

My first approach was to use 10.1.1.0/24 on the subnet, with 10.1.1.1 on the NIC with the intention of NAT’ing that address; however, I couldn’t get any traffic to flow through the tunnel.

Secondly, I had 192.168.0.0/24 / 192.168.0.1 on the NIC, and put 10.1.1.1 on dum0, then used that to NAT. In this config I couldn’t bring the VPN up because it complained that local-address (of 10.1.1.1) wasn’t a local address.

I’m not sure if either of these are the best approach, or if I should be doing something completely different. I’m hoping someone can point me in the right direction.


#2

Hi michaelb,

Welcome to VyOS! :slight_smile:

I’m not clear on exactly what you are trying to do or how you have approached it. Can you provide the output of ‘show interfaces’ and ‘show ip route’ and the routing table of the Cisco router? (Feel free to sanitize the output before giving it.) Depending on the type of tunnel you have created you may need to have routes in place to allow your web app to speak to your web server. I’ve never used Azure so don’t know what tunnel types they offer.

I have attached an image of what I think you are trying to do; on it I assume that your Web Server has an IP of 10.1.1.1 and you want to access it from the Web App?

In any case I would approach this by creating a 1-to-1 (i.e. /30 tunnel) GRE tunnel (encrypted with IPsec) between the VyOS and your Cisco device and use OSPF to announce network ranges between them. (Static routes will also work.)
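The GRE-over-IPsec /30 design suggested in this reply, written out as VyOS 1.1-style `set` commands. This is an added example, not configuration from the thread or from the VyOS project. Assumed values: `tun0` as the tunnel interface, 10.255.255.0/30 as the point-to-point link, `eth0` holding the Azure private address 10.1.1.1 (NAT’d to 1.1.1.1 as described in #1), `eth1` as the LAN-facing interface with 10.110.120.0/24 behind it, and the IKE/ESP groups named `MuniBrokers` as in #3; the pre-shared secret is a placeholder.

```vyos
# Added example (not from the thread): GRE tunnel protected by IPsec, with OSPF or
# static routes over the /30. Assumed names/addresses are noted in the lead-in.

# 1. GRE point-to-point link between the two routers (local-ip is the NIC's
#    private address because the Azure VM sits behind 1:1 NAT)
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 10.1.1.1
set interfaces tunnel tun0 remote-ip 2.2.2.2
set interfaces tunnel tun0 address 10.255.255.1/30
set interfaces tunnel tun0 description 'GRE to vendor router'

# 2. Encrypt the GRE traffic: the IPsec policy matches only protocol GRE between
#    the two endpoints, so the tunnel interface carries all routed traffic
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 2.2.2.2 authentication id 1.1.1.1
set vpn ipsec site-to-site peer 2.2.2.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'CHANGE-ME'
set vpn ipsec site-to-site peer 2.2.2.2 authentication remote-id 2.2.2.2
set vpn ipsec site-to-site peer 2.2.2.2 ike-group MuniBrokers
set vpn ipsec site-to-site peer 2.2.2.2 default-esp-group MuniBrokers
set vpn ipsec site-to-site peer 2.2.2.2 local-address 10.1.1.1
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 protocol gre
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 local prefix 10.1.1.1/32
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 remote prefix 2.2.2.2/32

# 3a. Dynamic routing: announce each side's ranges over the /30 with OSPF
set protocols ospf area 0 network 10.255.255.0/30
set protocols ospf area 0 network 10.110.120.0/24
set interfaces tunnel tun0 ip ospf network point-to-point
set protocols ospf passive-interface eth1

# 3b. Or static routes: point the vendor's host at the far end of the /30
set protocols static route 3.3.3.3/32 next-hop 10.255.255.2

# Checks after commit:
#   show vpn ipsec sa            -> SA for peer 2.2.2.2 is up
#   show interfaces tunnel tun0  -> link up, /30 address present
#   show ip ospf neighbor        -> vendor router in Full state (3a only)
#   show ip route 3.3.3.3        -> next hop via tun0
```

This design needs the far side to terminate GRE; a peer configured only with a policy-based crypto map, like the ASA shown in #3, typically does not, so confirm with the vendor before going this way. Its advantage is that the IPsec selector never changes when you add networks: routing over the /30 decides what crosses the tunnel.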


#3

Thank you for the reply jhendry :slight_smile:

Unfortunately the Cisco is on a vendor’s network, and I have limited information about it.

crypto map outside_map 56 match address xodia_56_cryptomap
crypto map outside_map 56 set pfs
crypto map outside_map 56 set peer 1.1.1.1
crypto map outside_map 56 set transform-set ESP-AES-256-SHA
crypto map outside_map 56 set nat-t-disable

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****

network-object host 10.1.1.1
network-object host 10.1.2.1

access-list xodia_56_cryptomap extended permit ip object-group INLINE_NETWORK_86 object-group somename

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

I have set up the connection using eth0 as 10.1.1.1; the link comes up, but when I telnet across I am getting a ‘no route to host’ message.

This is the relevant part of my config (it is pretty much a bare config apart from this; I’ve excluded the ike/esp groups as the tunnel comes up):

    nat-networks {
        allowed-network 10.110.120.0/24 {
        }
    }
    nat-traversal disable
    site-to-site {
        peer 2.2.2.2 {
            authentication {
                id 1.1.1.1
                mode pre-shared-secret
                pre-shared-secret ****************
                remote-id 2.2.2.2
            }
            connection-type initiate
            default-esp-group MuniBrokers
            description "MuniBrokers Gateway"
            ike-group MuniBrokers
            ikev2-reauth inherit
            local-address 10.1.1.1
            tunnel 1 {
                allow-nat-networks disable
                allow-public-networks enable
                esp-group MuniBrokers
                local {
                    prefix 10.1.1.1/32
                }
                remote {
                    prefix 3.3.3.3/32
                }
            }
        }
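For comparison with the posted config, here is the single-host, policy-based variant from #1 and #3 written as VyOS 1.1-style `set` commands, with the pieces a practitioner would check when the SA is up but traffic does not flow. This is an added example, not configuration from the thread or from the VyOS project. Assumed: `eth0` carries the Azure private address 10.1.1.1 (the only host the ASA’s crypto ACL permits), the web app lives in 10.110.120.0/24 (the range already listed under `nat-networks` above), and the Azure subnet gateway is 10.1.1.254 (placeholder); the pre-shared secret is a placeholder and the IKE/ESP groups are the `MuniBrokers` ones from the post.

```vyos
# Added example (not from the thread): policy-based IPsec whose selector is a
# single host, with source NAT so an internal network can use it. Assumed
# addresses and names are listed in the lead-in.

# IPsec policy: the ASA's crypto ACL only permits 10.1.1.1 <-> 3.3.3.3, so the
# VyOS selector must be exactly that pair
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal disable
set vpn ipsec site-to-site peer 2.2.2.2 authentication id 1.1.1.1
set vpn ipsec site-to-site peer 2.2.2.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'CHANGE-ME'
set vpn ipsec site-to-site peer 2.2.2.2 authentication remote-id 2.2.2.2
set vpn ipsec site-to-site peer 2.2.2.2 ike-group MuniBrokers
set vpn ipsec site-to-site peer 2.2.2.2 default-esp-group MuniBrokers
set vpn ipsec site-to-site peer 2.2.2.2 local-address 10.1.1.1
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 local prefix 10.1.1.1/32
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 remote prefix 3.3.3.3/32

# Declare the internal range that reaches the tunnel only after NAT. The posted
# config lists the range under nat-networks but has allow-nat-networks disabled;
# the documented purpose of the pair is to let that pre-NAT range be forwarded
# into the tunnel (exact kernel policy handling is not verified here).
set vpn ipsec nat-networks allowed-network 10.110.120.0/24
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 allow-nat-networks enable

# Source NAT: web app -> 3.3.3.3 leaves as 10.1.1.1, i.e. inside the selector
set nat source rule 10 description 'web app to vendor host via IPsec'
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.110.120.0/24
set nat source rule 10 destination address 3.3.3.3/32
set nat source rule 10 translation address 10.1.1.1

# The kernel still needs a next hop for 3.3.3.3 before the IPsec policy applies;
# a default route via the Azure gateway is enough, a host route makes it explicit
set protocols static route 3.3.3.3/32 next-hop 10.1.1.254

# Checks after commit:
#   show vpn ipsec sa              -> Phase 2 SA 10.1.1.1/32 <-> 3.3.3.3/32 is up
#   show ip route 3.3.3.3          -> a route exists (none = "no route to host")
#   show nat source translations   -> web app source shown mapped to 10.1.1.1
#   show vpn ipsec policy          -> policy entries for both ranges are present
```

Two things worth confirming on a setup like this: the `no route to host` message points at the routing table rather than at IPsec, so `show ip route 3.3.3.3` is the first check; and both ends as posted have NAT traversal disabled while the VyOS VM sits behind Azure NAT, so raw ESP (IP protocol 50) has to pass that NAT, which is the other place to look if the SA is up but encrypted packets never return.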