I’m new to VyOS, and more of an infrastructure person than a networking one. However, I am putting together the network in the picture.
I have a VM on Azure that is NAT’d behind 1.1.1.1.
There is a Cisco ASA running IPsec at 2.2.2.2.
Through the tunnel, there is a web server at 3.3.3.3; I can only use 10.1.1.1 to access it.
On my end, there is a web app that needs to be connected to the web app.
So far I have managed to bring the VPN up, but I’m unable to get any traffic to flow through the tunnel.
I am unsure of the best approach for the subnet.
My first approach was to use 10.1.1.0/24 on the subnet, with 10.1.1.1 on the NIC, with the intention of NAT’ing that address; however, I couldn’t get any traffic to flow through the tunnel.
Secondly, I had 192.168.0.0/24 / 192.168.0.1 on the NIC, and put 10.1.1.1 on dum0, then used that to NAT. In this config I couldn’t bring the VPN up because it complained that local-address (of 10.1.1.1) wasn’t a local address.
I’m not sure if either of these is the best approach, or if I should be doing something completely different. I’m hoping someone can point me in the right direction.
Hi michaelb,
Welcome to VyOS! 
I’m not clear on exactly what you are trying to do or how you have approached it. Can you provide the output of ‘show interfaces’ and ‘show ip route’ and the routing table of the Cisco router? (Feel free to sanitize the output before giving it.) Depending on the type of tunnel you have created you may need to have routes in place to allow your web app to speak to your web server. I’ve never used Azure so I don’t know what tunnel types they offer.
I have attached an image of what I think you are trying to do; on it I assume that your web server has an IP of 10.1.1.1 and you want to access it from the web app?
In any case I would approach this by creating a 1-to-1 (i.e. /30 tunnel) GRE tunnel (encrypted with IPsec) between the VyOS and your Cisco device and use OSPF to announce network ranges between them. (Static routes will also work.)
Thank you for the reply, jhendry.
Unfortunately the Cisco is on a vendor’s network, and I have limited information about it.
crypto map outside_map 56 match address xodia_56_cryptomap
crypto map outside_map 56 set pfs
crypto map outside_map 56 set peer 1.1.1.1
crypto map outside_map 56 set transform-set ESP-AES-256-SHA
crypto map outside_map 56 set nat-t-disable
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
network-object host 10.1.1.1
network-object host 10.1.2.1
access-list xodia_56_cryptomap extended permit ip object-group INLINE_NETWORK_86 object-group somename
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
I have set up the connection using eth0 as 10.1.1.1; the link comes up, but when I telnet across I am getting a ‘no route to host’ message.
This is the relevant part of my config (it is pretty much a bare config apart from this; I’ve excluded the IKE/ESP groups as the tunnel comes up):
nat-networks {
    allowed-network 10.110.120.0/24 {
    }
}
nat-traversal disable
site-to-site {
    peer 2.2.2.2 {
        authentication {
            id 1.1.1.1
            mode pre-shared-secret
            pre-shared-secret ****************
            remote-id 2.2.2.2
        }
        connection-type initiate
        default-esp-group MuniBrokers
        description "MuniBrokers Gateway"
        ike-group MuniBrokers
        ikev2-reauth inherit
        local-address 10.1.1.1
        tunnel 1 {
            allow-nat-networks disable
            allow-public-networks enable
            esp-group MuniBrokers
            local {
                prefix 10.1.1.1/32
            }
            remote {
                prefix 3.3.3.3/32
            }
        }
    }
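As an added example (not part of either poster’s config), here is how the second approach from the first post can be expressed on VyOS 1.1-era syntax: the real NIC address is the IPsec local-address, 10.1.1.1 sits on a dummy interface so it is a local address the /32 selector can match, and a source NAT rule rewrites the web app’s address to 10.1.1.1 before the packet is checked against the tunnel policy. It assumes eth0 is 192.168.0.1/24 with a default route out of eth0, the web app lives on 192.168.0.0/24, the ASA’s object-group contains 3.3.3.3, and the ike-group/esp-group MuniBrokers are already defined as in the posted config.

```vyos
# Added example, not from the thread. Assumes eth0 = 192.168.0.1/24 with a
# default route via eth0, the web app on 192.168.0.0/24, and the ike/esp
# groups named MuniBrokers already configured.

# Real NIC address: IKE and ESP are sourced from here.
set interfaces ethernet eth0 address 192.168.0.1/24

# 10.1.1.1 on a dummy interface so the tunnel's local prefix is a local
# address, without making it the IKE endpoint.
set interfaces dummy dum0 address 10.1.1.1/32

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal disable

# local-address must be the eth0 address, not 10.1.1.1 (the error from the post).
set vpn ipsec site-to-site peer 2.2.2.2 local-address 192.168.0.1
set vpn ipsec site-to-site peer 2.2.2.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret '<PSK-PLACEHOLDER>'
set vpn ipsec site-to-site peer 2.2.2.2 authentication id 1.1.1.1
set vpn ipsec site-to-site peer 2.2.2.2 authentication remote-id 2.2.2.2
set vpn ipsec site-to-site peer 2.2.2.2 ike-group MuniBrokers
set vpn ipsec site-to-site peer 2.2.2.2 default-esp-group MuniBrokers
set vpn ipsec site-to-site peer 2.2.2.2 connection-type initiate

# Traffic selectors mirror the ASA crypto ACL: host 10.1.1.1 <-> host 3.3.3.3.
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 local prefix 10.1.1.1/32
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 remote prefix 3.3.3.3/32

# Source NAT the web app to 10.1.1.1 only for traffic bound to 3.3.3.3.
# Source NAT is applied before the IPsec policy lookup, so the translated
# packet (10.1.1.1 -> 3.3.3.3) matches tunnel 1 and is encrypted.
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 192.168.0.0/24
set nat source rule 10 destination address 3.3.3.3/32
set nat source rule 10 translation address 10.1.1.1

# Checks after commit: the SA should be up, and the rule 10 counters should
# increment while the web app talks to 3.3.3.3.
#   run show vpn ipsec sa
#   run show nat source statistics
```

If the SA is up but the NAT counters stay at zero, the web app’s traffic is leaving by another interface or is not destined to 3.3.3.3, which is the first thing to confirm with ‘show ip route 3.3.3.3’.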