Cannot access remote server port over vpn


#1

i have a site to site IPSEC vpn tunnel between vyos 1.1.7 and meraki mx64.

i cannot access a remote server on port 443 from meraki side. i can ping the server no issues.

from what i understand the tunnel does not block any ports.

the remote server works locally on port 443 i tested.

Does anyone know why its not working ?


#2

Vyos 1.1.7 is more than EOL :wink: Should use 1.2.0 and then ask for help :wink: However, sound like a firewall issue on your meraki-site. Sure there is nothing blocking access to port 443?


#3

Check in the Firewall that any block rule was configured to access port 443.


#4

here is the config hopefully someone can take a quick peek and let me know what is wrong

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        address-group DNS {
            address 8.8.8.8
            address 8.8.4.4
            description "DNS servers"
        }
        address-group E-IPs {
            address 199.27.x.x
            description "E management IPs"
        }
        address-group VPN-Peers {
            address 66.244.x.x
            address 205.200.x.x
            description "VPN Peer IP Addresses"
        }
        address-group WAN-IPs {
            address x.x.x.x
            description "Local WAN IPs"
        }
        network-group LocalSubnets {
            description "Local subnets"
            network 10.113.3.0/24
            network 10.113.4.0/24
        }
        network-group VPN-RemoteSubnets {
            description "Remote VPN Subnets"
            network 192.168.18.0/23
            network 192.168.220.0/24
            network 192.168.20.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name DMZtoLAN {
        default-action drop
        rule 50 {
            action accept
            description "AD ports open to LAN"
            destination {
                group {
                    network-group LocalSubnets
                }
                port 135,445,53,1025-5000,49152-65535,464
            }
            protocol tcp_udp
            source {
                address 10.113.4.2
            }
        }
        rule 100 {
            action accept
            description "Allow UDP 88 Kerberos Auth"
            destination {
                group {
                    network-group LocalSubnets
                }
                port 88
            }
            protocol udp
            source {
                address 10.113.4.2
            }
        }
        rule 200 {
            action accept
            description "Allow GC lookup"
            destination {
                group {
                    network-group LocalSubnets
                }
                port 3268,3269
            }
            protocol tcp
            source {
                address 10.113.4.2
            }
        }
    }
    name DMZtoLocal {
        default-action accept
    }
    name DMZtoWAN {
        default-action drop
        rule 50 {
            action accept
            destination {
                port 80,443,53,21,22
            }
            protocol tcp_udp
        }
    }
    name LANtoDMZ {
        default-action accept
    }
    name LANtoLOCAL {
        default-action drop
        description "Ruleset for traffic travelling from LAN zone to LOCAL zone"
        rule 100 {
            action accept
            description "Allow ping from LAN"
            protocol icmp
            source {
                address 10.113.3.0/24
            }
        }
        rule 150 {
            action accept
            description "Allow Ping from DMZ"
            protocol icmp
            source {
                address 10.113.4.0/24
            }
        }
    }
    name LANtoWAN {
        default-action drop
        description "Ruleset for traffic travelling from LAN zone to WAN zone"
        rule 5000 {
            action accept
            description "Explicit allow all"
        }
    }
    name LOCALtoDMZ {
        default-action accept
    }
    name LOCALtoLAN {
        default-action drop
        description "Ruleset for traffic travelling from LOCAL zone to LAN zone"
        rule 5000 {
            action accept
            description "Explicit allow all"
        }
    }
    name LOCALtoWAN {
        default-action accept
        description "Ruleset for traffic travelling from LOCAL zone to WAN zone"
        rule 150 {
            action accept
            description "Allow DNS requests from VyOS"
            destination {
                group {
                    address-group DNS
                }
                port 53
            }
            protocol udp
            source {
                group {
                    address-group WAN-IPs
                }
            }
        }
        rule 200 {
            action accept
            description "Allow NTP requests from VyOS"
            destination {
                port 123
            }
            protocol udp
            source {
                group {
                    address-group WAN-IPs
                }
            }
        }
        rule 250 {
            action accept
            description "Allow ICMP requests from VyOS"
            protocol icmp
            source {
                group {
                    address-group WAN-IPs
                }
            }
        }
        rule 300 {
            action accept
            description "Allow ESP"
            destination {
                group {
                    address-group VPN-Peers
                }
            }
            protocol esp
            source {
                group {
                    address-group WAN-IPs
                }
            }
        }
        rule 350 {
            action accept
            description "Allow IKE"
            destination {
                group {
                    address-group VPN-Peers
                }
                port 500
            }
            protocol udp
            source {
                group {
                    address-group WAN-IPs
                }
            }
        }
    }
    name WANtoDMZ {
        default-action drop
        rule 50 {
            action accept
            destination {
                address 10.113.4.2
                port 80
            }
            protocol tcp
        }
        rule 100 {
            action accept
            destination {
                address 10.113.4.2
                port 443
            }
            protocol tcp
        }
    }
    name WANtoLAN {
        default-action drop
        description "Ruleset for traffic travelling from WAN zone to LAN zone"
        rule 150 {
            action accept
            destination {
                address 10.113.3.2
                port 1723
            }
            protocol tcp
            state {
                new enable
            }
        }
        rule 200 {
            action accept
            description "Allow local and remote subnets to communicate"
            destination {
                group {
                    network-group LocalSubnets
                }
            }
            source {
                group {
                    network-group VPN-RemoteSubnets
                }
            }
        }
        rule 250 {
            action accept
            destination {
                address 10.113.3.8
                port 443
            }
            protocol tcp
        }
        rule 255 {
            action accept
            destination {
                address 10.113.3.8
                port 21
            }
            protocol tcp
        }
    }
    name WANtoLOCAL {
        default-action drop
        description "Ruleset for traffic travelling from WAN zone to LOCAL zone"
        rule 100 {
            action accept
            description "Allow SSH from company"
            destination {
                group {
                    address-group WAN-IPs
                }
                port 22
            }
            protocol tcp
            source {
                group {
                    address-group company-IPs
                }
            }
        }
        rule 150 {
            action accept
            description "Allow ESP"
            destination {
                group {
                    address-group WAN-IPs
                }
            }
            protocol esp
            source {
                group {
                    address-group VPN-Peers
                }
            }
        }
        rule 200 {
            action accept
            description "Allow IKE"
            destination {
                group {
                    address-group WAN-IPs
                }
                port 500
            }
            protocol udp
            source {
                group {
                    address-group VPN-Peers
                }
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    state-policy {
        established {
            action accept
        }
        related {
            action accept
        }
    }
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address /31
        description WAN
        duplex auto
        hw-id 00:50:56:a0:ad:3a
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 10.113.3.1/24
        description LAN
        duplex auto
        hw-id 00:50:56:a0:96:20
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        address 10.113.4.1/24
        description DMZ
        duplex auto
        hw-id 00:50:56:a0:63:66
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    destination {
        rule 100 {
            description "Port Forward PPTP to 10.113.3.2"
            destination {
                port 1723
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 10.113.3.2
            }
        }
        rule 150 {
            destination {
                port 80
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 10.113.4.2
            }
        }
        rule 200 {
            description "Port forward HTTPS to 10.113.3.8"
            destination {
                port 443
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 10.113.3.8
            }
        }
        rule 250 {
            description "Port forward FTP to 10.113.3.8"
            destination {
                port 21
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 10.113.3.8
            }
        }
    }
    source {
        rule 10 {
            destination {
                address 192.168.18.0/23
            }
            exclude
            outbound-interface eth0
            source {
                address 10.113.3.0/24
            }
        }
        rule 15 {
            destination {
                address 192.168.220.0/24
            }
            exclude
            outbound-interface eth0
            source {
                address 10.113.3.0/24
            }
        }
        rule 20 {
            destination {
                address 192.168.20.0/24
            }
            exclude
            outbound-interface eth0
            source {
                address 10.113.3.0/24
            }
        }
        rule 100 {
            description "NAT Overload"
            outbound-interface eth0
            source {
                address 10.113.3.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 150 {
            outbound-interface eth0
            source {
                address 10.113.4.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    domain-name domain.ca
    gateway-address x.x.x.x
    host-name mbmuk-vr01
    login {
        user mbmadmin {
            authentication {
                encrypted-password ############
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password ""
            url http://packages.vyos.net/vyos
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        esp-group ESP-1W {
            compression disable
            lifetime 86400
            mode tunnel
            pfs disable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group IKE-1W {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 86400
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer x.x.x.x {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret #########
                }
                connection-type initiate
                default-esp-group ESP-1W
                ike-group IKE-1W
                ikev2-reauth inherit
                local-address x.x.x.x
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    local {
                        prefix 10.113.3.0/24
                    }
                    remote {
                        prefix 192.168.18.0/23
                    }
                }
                tunnel 2 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    local {
                        prefix 10.113.3.0/24
                    }
                    remote {
                        prefix 192.168.220.0/24
                    }
                }
            }
            peer x.x.x.x {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret #########
                }
                connection-type initiate
                default-esp-group ESP-1W
                ike-group IKE-1W
                ikev2-reauth inherit
                local-address x.x.x.x
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    local {
                        prefix 10.113.3.0/24
                    }
                    remote {
                        prefix 192.168.20.0/24
                    }
                }
            }
        }
    }
}
zone-policy {
    zone DMZ {
        default-action drop
        description "DMZ Zone"
        from LAN {
            firewall {
                name LANtoDMZ
            }
        }
        from LOCAL {
            firewall {
                name LOCALtoDMZ
            }
        }
        from WAN {
            firewall {
                name WANtoDMZ
            }
        }
        interface eth2
    }
    zone LAN {
        default-action drop
        description "LAN zone"
        from DMZ {
            firewall {
                name DMZtoLAN
            }
        }
        from LOCAL {
            firewall {
                name LOCALtoLAN
            }
        }
        from WAN {
            firewall {
                name WANtoLAN
            }
        }
        interface eth1
    }
    zone LOCAL {
        default-action drop
        description "Local zone"
        from LAN {
            firewall {
                name LANtoLOCAL
            }
        }
        from WAN {
            firewall {
                name WANtoLOCAL
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        description "WAN zone"
        from DMZ {
            firewall {
                name DMZtoWAN
            }
        }
        from LAN {
            firewall {
                name LANtoWAN
            }
        }
        from LOCAL {
            firewall {
                name LOCALtoWAN
            }
        }
        interface eth0
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:config-management@1:conntrack-sync@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@4:qos@1:quagga@2:system@6:vrrp@1:wanloadbalance@3:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: VyOS 1.1.7 */