Cannot access remote server port over vpn

I have a site-to-site IPsec VPN tunnel between VyOS 1.1.7 and a Meraki MX64.

I cannot access a remote server on port 443 from the Meraki side. I can ping the server with no issues.

From what I understand, the tunnel does not block any ports.

The remote server works locally on port 443; I tested it.

Does anyone know why it's not working?

VyOS 1.1.7 is well past EOL :wink: You should use 1.2.0 and then ask for help :wink: However, it sounds like a firewall issue on your Meraki site. Are you sure there is nothing blocking access to port 443?

Check in the firewall whether any block rule is configured for port 443.

Here is the config; hopefully someone can take a quick peek and let me know what is wrong.

/* Zone-based firewall. The rulesets below are bound to zone pairs in the zone-policy */
/* section; state-policy at the bottom accepts established/related for every pair. */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        address-group DNS {
            address 8.8.8.8
            address 8.8.4.4
            description "DNS servers"
        }
        /* Defined but not referenced by any ruleset in this config. */
        address-group E-IPs {
            address 199.27.x.x
            description "E management IPs"
        }
        /* Must stay in sync with the peer addresses under vpn ipsec site-to-site. */
        address-group VPN-Peers {
            address 66.244.x.x
            address 205.200.x.x
            description "VPN Peer IP Addresses"
        }
        address-group WAN-IPs {
            address x.x.x.x
            description "Local WAN IPs"
        }
        network-group LocalSubnets {
            description "Local subnets"
            network 10.113.3.0/24
            network 10.113.4.0/24
        }
        /* Mirrors the remote prefixes of the three IPsec tunnels; keep both lists in sync. */
        network-group VPN-RemoteSubnets {
            description "Remote VPN Subnets"
            network 192.168.18.0/23
            network 192.168.220.0/24
            network 192.168.20.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* DMZ -> LAN: default drop, only the AD-related ports from the single DMZ host 10.113.4.2. */
    name DMZtoLAN {
        default-action drop
        /* 1025-5000 and 49152-65535 are the RPC dynamic ranges; wide, but scoped to one source host. */
        rule 50 {
            action accept
            description "AD ports open to LAN"
            destination {
                group {
                    network-group LocalSubnets
                }
                port 135,445,53,1025-5000,49152-65535,464
            }
            protocol tcp_udp
            source {
                address 10.113.4.2
            }
        }
        rule 100 {
            action accept
            description "Allow UDP 88 Kerberos Auth"
            destination {
                group {
                    network-group LocalSubnets
                }
                port 88
            }
            protocol udp
            source {
                address 10.113.4.2
            }
        }
        rule 200 {
            action accept
            description "Allow GC lookup"
            destination {
                group {
                    network-group LocalSubnets
                }
                port 3268,3269
            }
            protocol tcp
            source {
                address 10.113.4.2
            }
        }
    }
    /* Not bound in zone-policy (zone LOCAL has no "from DMZ"), so DMZ -> LOCAL currently */
    /* falls to the zone default-action drop regardless of this ruleset. */
    name DMZtoLocal {
        default-action accept
    }
    name DMZtoWAN {
        default-action drop
        rule 50 {
            action accept
            destination {
                port 80,443,53,21,22
            }
            protocol tcp_udp
        }
    }
    name LANtoDMZ {
        default-action accept
    }
    name LANtoLOCAL {
        default-action drop
        description "Ruleset for traffic travelling from LAN zone to LOCAL zone"
        rule 100 {
            action accept
            description "Allow ping from LAN"
            protocol icmp
            source {
                address 10.113.3.0/24
            }
        }
        /* Bound LAN->LOCAL, but matches the DMZ subnet; DMZ hosts reach the router via a */
        /* different zone pair, so this rule only fires if 10.113.4.0/24 arrives on eth1. */
        rule 150 {
            action accept
            description "Allow Ping from DMZ"
            protocol icmp
            source {
                address 10.113.4.0/24
            }
        }
    }
    /* Return path for the VPN: LAN replies toward the remote subnets leave via the WAN zone. */
    name LANtoWAN {
        default-action drop
        description "Ruleset for traffic travelling from LAN zone to WAN zone"
        rule 5000 {
            action accept
            description "Explicit allow all"
        }
    }
    name LOCALtoDMZ {
        default-action accept
    }
    name LOCALtoLAN {
        default-action drop
        description "Ruleset for traffic travelling from LOCAL zone to LAN zone"
        rule 5000 {
            action accept
            description "Explicit allow all"
        }
    }
    /* default-action accept, so the explicit rules below are documentation rather than restriction. */
    name LOCALtoWAN {
        default-action accept
        description "Ruleset for traffic travelling from LOCAL zone to WAN zone"
        rule 150 {
            action accept
            description "Allow DNS requests from VyOS"
            destination {
                group {
                    address-group DNS
                }
                port 53
            }
            protocol udp
            source {
                group {
                    address-group WAN-IPs
                }
            }
        }
        rule 200 {
            action accept
            description "Allow NTP requests from VyOS"
            destination {
                port 123
            }
            protocol udp
            source {
                group {
                    address-group WAN-IPs
                }
            }
        }
        rule 250 {
            action accept
            description "Allow ICMP requests from VyOS"
            protocol icmp
            source {
                group {
                    address-group WAN-IPs
                }
            }
        }
        rule 300 {
            action accept
            description "Allow ESP"
            destination {
                group {
                    address-group VPN-Peers
                }
            }
            protocol esp
            source {
                group {
                    address-group WAN-IPs
                }
            }
        }
        /* UDP 500 only; NAT-T (UDP 4500) is not listed. Harmless here because of default-action accept. */
        rule 350 {
            action accept
            description "Allow IKE"
            destination {
                group {
                    address-group VPN-Peers
                }
                port 500
            }
            protocol udp
            source {
                group {
                    address-group WAN-IPs
                }
            }
        }
    }
    /* Internet -> DMZ web host. Only 80 is port-forwarded to 10.113.4.2 in the nat section; */
    /* 443 arriving on eth0 is forwarded to 10.113.3.8 instead, so rule 100 here is only hit */
    /* by traffic that already carries 10.113.4.2 as destination (e.g. from the VPN side). */
    name WANtoDMZ {
        default-action drop
        rule 50 {
            action accept
            destination {
                address 10.113.4.2
                port 80
            }
            protocol tcp
        }
        rule 100 {
            action accept
            destination {
                address 10.113.4.2
                port 443
            }
            protocol tcp
        }
    }
    /* Decrypted IPsec traffic is policed here as well (ipsec-interfaces eth0 = WAN zone). */
    name WANtoLAN {
        default-action drop
        description "Ruleset for traffic travelling from WAN zone to LAN zone"
        /* PPTP control channel from anywhere; PPTP (MS-CHAPv2) is considered broken, */
        /* consider retiring this forward together with nat destination rule 100. */
        rule 150 {
            action accept
            destination {
                address 10.113.3.2
                port 1723
            }
            protocol tcp
            state {
                new enable
            }
        }
        /* This is the rule the Meraki-side traffic should match: no protocol or port */
        /* restriction, so TCP/443 is NOT blocked by the firewall here. If 443 still fails */
        /* while ICMP works, check the nat destination rules, which rewrite any TCP/443 */
        /* arriving on eth0 (no destination-address qualifier) before this ruleset runs. */
        rule 200 {
            action accept
            description "Allow local and remote subnets to communicate"
            destination {
                group {
                    network-group LocalSubnets
                }
            }
            source {
                group {
                    network-group VPN-RemoteSubnets
                }
            }
        }
        rule 250 {
            action accept
            destination {
                address 10.113.3.8
                port 443
            }
            protocol tcp
        }
        /* FTP control port open to any source on the internet; if the service is still */
        /* required, restricting the source addresses would reduce exposure. */
        rule 255 {
            action accept
            destination {
                address 10.113.3.8
                port 21
            }
            protocol tcp
        }
    }
    name WANtoLOCAL {
        default-action drop
        description "Ruleset for traffic travelling from WAN zone to LOCAL zone"
        /* address-group "company-IPs" is not defined in the group section above (only DNS, */
        /* E-IPs, VPN-Peers, WAN-IPs are). Possibly a redaction or rename (E-IPs?); a commit */
        /* would normally reject an undefined group, so confirm which group is really bound. */
        rule 100 {
            action accept
            description "Allow SSH from company"
            destination {
                group {
                    address-group WAN-IPs
                }
                port 22
            }
            protocol tcp
            source {
                group {
                    address-group company-IPs
                }
            }
        }
        rule 150 {
            action accept
            description "Allow ESP"
            destination {
                group {
                    address-group WAN-IPs
                }
            }
            protocol esp
            source {
                group {
                    address-group VPN-Peers
                }
            }
        }
        /* UDP 500 only. If either peer is ever behind NAT, IKE switches to NAT-T on UDP 4500, */
        /* which this ruleset (default drop) would block; add it only if that applies. */
        rule 200 {
            action accept
            description "Allow IKE"
            destination {
                group {
                    address-group WAN-IPs
                }
                port 500
            }
            protocol udp
            source {
                group {
                    address-group VPN-Peers
                }
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    /* Reverse-path filtering is off. Plausibly deliberate, since the VPN subnets arrive */
    /* on eth0 rather than on a route-matching interface; confirm before enabling. */
    source-validation disable
    state-policy {
        established {
            action accept
        }
        related {
            action accept
        }
    }
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    /* WAN. The address was redacted in the post (only the /31 prefix length remains). */
    ethernet eth0 {
        address /31
        description WAN
        duplex auto
        hw-id 00:50:56:a0:ad:3a
        smp_affinity auto
        speed auto
    }
    /* LAN; the only local prefix carried over the IPsec tunnels. */
    ethernet eth1 {
        address 10.113.3.1/24
        description LAN
        duplex auto
        hw-id 00:50:56:a0:96:20
        smp_affinity auto
        speed auto
    }
    /* DMZ; not part of any tunnel's local prefix, so it is not reachable from the remote sites. */
    ethernet eth2 {
        address 10.113.4.1/24
        description DMZ
        duplex auto
        hw-id 00:50:56:a0:63:66
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    /* NOTE(review): none of the port forwards below qualifies the destination address, so */
    /* they match every TCP packet on the given port that enters via eth0. Because the IPsec */
    /* tunnels are bound to eth0 (ipsec-interfaces), decrypted traffic from the remote */
    /* subnets is likely to be rewritten too: a Meraki-side client connecting to any LAN */
    /* host on 443 would be redirected to 10.113.3.8 (80 to 10.113.4.2, 21 to 10.113.3.8, */
    /* 1723 to 10.113.3.2), while ICMP is untouched - consistent with "ping works, 443 does */
    /* not". Adding "destination { address <WAN-IP> }" to each forward, or a leading */
    /* "exclude" rule for sources in the remote subnets, would limit them to internet traffic. */
    /* Confirm by checking whether the failing 443 flow shows a translated destination. */
    destination {
        /* PPTP forward; PPTP's MS-CHAPv2 authentication is considered broken. */
        rule 100 {
            description "Port Forward PPTP to 10.113.3.2"
            destination {
                port 1723
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 10.113.3.2
            }
        }
        rule 150 {
            destination {
                port 80
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 10.113.4.2
            }
        }
        rule 200 {
            description "Port forward HTTPS to 10.113.3.8"
            destination {
                port 443
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 10.113.3.8
            }
        }
        rule 250 {
            description "Port forward FTP to 10.113.3.8"
            destination {
                port 21
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 10.113.3.8
            }
        }
    }
    /* Rules 10-20 keep LAN -> remote-subnet traffic out of the masquerade so it can enter */
    /* the tunnels with its real source. Only 10.113.3.0/24 is excluded, which matches the */
    /* tunnels' local prefix; the DMZ subnet has no exclusion and is always masqueraded. */
    source {
        rule 10 {
            destination {
                address 192.168.18.0/23
            }
            exclude
            outbound-interface eth0
            source {
                address 10.113.3.0/24
            }
        }
        rule 15 {
            destination {
                address 192.168.220.0/24
            }
            exclude
            outbound-interface eth0
            source {
                address 10.113.3.0/24
            }
        }
        rule 20 {
            destination {
                address 192.168.20.0/24
            }
            exclude
            outbound-interface eth0
            source {
                address 10.113.3.0/24
            }
        }
        rule 100 {
            description "NAT Overload"
            outbound-interface eth0
            source {
                address 10.113.3.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 150 {
            outbound-interface eth0
            source {
                address 10.113.4.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
/* SSH on the default port; exposure from the WAN is governed by WANtoLOCAL rule 100. */
service {
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    domain-name domain.ca
    gateway-address x.x.x.x
    host-name mbmuk-vr01
    login {
        /* Password hash redacted in the post; the empty plaintext-password is the normal */
        /* post-commit state (VyOS hashes it and clears the plaintext node). */
        user mbmadmin {
            authentication {
                encrypted-password ############
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    /* Package feed for the EOL 1.1 ("helium") line over plain HTTP with auto-sync on. */
    /* Whether the repository still serves updates for this release is not verifiable from */
    /* the config; treat it as non-functional until confirmed. */
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password ""
            url http://packages.vyos.net/vyos
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            /* protocols at debug is useful while troubleshooting the tunnel; noisy otherwise. */
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        /* Phase 2: AES-256/SHA-1, PFS disabled, 24h lifetime. SHA-1 for integrity and */
        /* disabled PFS are below current guidance; enabling PFS and moving to SHA-2 is */
        /* only possible if the MX64 side is changed to match. */
        esp-group ESP-1W {
            compression disable
            lifetime 86400
            mode tunnel
            pfs disable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        /* Phase 1: IKEv1 with DH group 2 (1024-bit MODP) and SHA-1. Group 2 is considered */
        /* weak today; group 14 or better is the usual recommendation when the peer supports it. */
        ike-group IKE-1W {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 86400
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
        }
        /* Tunnels terminate on eth0; decrypted traffic is therefore subject to the WAN-zone */
        /* rulesets and to nat destination rules bound to eth0. */
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            /* Peer addresses are redacted here; the VPN-Peers address-group lists 66.244.x.x */
            /* and 205.200.x.x, which should correspond to these two peers. */
            peer x.x.x.x {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret #########
                }
                connection-type initiate
                default-esp-group ESP-1W
                ike-group IKE-1W
                ikev2-reauth inherit
                local-address x.x.x.x
                /* Only the LAN (10.113.3.0/24) is carried; the DMZ is not in any tunnel. */
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    local {
                        prefix 10.113.3.0/24
                    }
                    remote {
                        prefix 192.168.18.0/23
                    }
                }
                tunnel 2 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    local {
                        prefix 10.113.3.0/24
                    }
                    remote {
                        prefix 192.168.220.0/24
                    }
                }
            }
            peer x.x.x.x {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret #########
                }
                connection-type initiate
                default-esp-group ESP-1W
                ike-group IKE-1W
                ikev2-reauth inherit
                local-address x.x.x.x
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    local {
                        prefix 10.113.3.0/24
                    }
                    remote {
                        prefix 192.168.20.0/24
                    }
                }
            }
        }
    }
}
/* Zone bindings. Any zone pair without a "from" entry falls to that zone's default-action drop. */
zone-policy {
    zone DMZ {
        default-action drop
        description "DMZ Zone"
        from LAN {
            firewall {
                name LANtoDMZ
            }
        }
        from LOCAL {
            firewall {
                name LOCALtoDMZ
            }
        }
        from WAN {
            firewall {
                name WANtoDMZ
            }
        }
        interface eth2
    }
    zone LAN {
        default-action drop
        description "LAN zone"
        from DMZ {
            firewall {
                name DMZtoLAN
            }
        }
        from LOCAL {
            firewall {
                name LOCALtoLAN
            }
        }
        /* VPN traffic from the remote subnets enters through this pair (WANtoLAN rule 200). */
        from WAN {
            firewall {
                name WANtoLAN
            }
        }
        interface eth1
    }
    /* No "from DMZ" here, so the DMZtoLocal ruleset is never applied and DMZ -> router */
    /* traffic (e.g. DNS or NTP via the router) is dropped by default. */
    zone LOCAL {
        default-action drop
        description "Local zone"
        from LAN {
            firewall {
                name LANtoLOCAL
            }
        }
        from WAN {
            firewall {
                name WANtoLOCAL
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        description "WAN zone"
        from DMZ {
            firewall {
                name DMZtoWAN
            }
        }
        from LAN {
            firewall {
                name LANtoWAN
            }
        }
        from LOCAL {
            firewall {
                name LOCALtoWAN
            }
        }
        interface eth0
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:config-management@1:conntrack-sync@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@4:qos@1:quagga@2:system@6:vrrp@1:wanloadbalance@3:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: VyOS 1.1.7 */