i have a site to site IPSEC vpn tunnel between vyos 1.1.7 and meraki mx64.
i cannot access a remote server on port 443 from meraki side. i can ping the server no issues.
from what i understand the tunnel does not block any ports.
the remote server works locally on port 443 i tested.
Does anyone know why its not working ?
Vyos 1.1.7 is more than EOL Should use 1.2.0 and then ask for help However, sound like a firewall issue on your meraki-site. Sure there is nothing blocking access to port 443?
san
April 5, 2019, 6:02am
3
Check in the Firewall that any block rule was configured to access port 443.
here is the config hopefully someone can take a quick peek and let me know what is wrong
firewall {
all-ping enable
broadcast-ping disable
config-trap disable
group {
address-group DNS {
address 8.8.8.8
address 8.8.4.4
description "DNS servers"
}
address-group E-IPs {
address 199.27.x.x
description "E management IPs"
}
address-group VPN-Peers {
address 66.244.x.x
address 205.200.x.x
description "VPN Peer IP Addresses"
}
address-group WAN-IPs {
address x.x.x.x
description "Local WAN IPs"
}
network-group LocalSubnets {
description "Local subnets"
network 10.113.3.0/24
network 10.113.4.0/24
}
network-group VPN-RemoteSubnets {
description "Remote VPN Subnets"
network 192.168.18.0/23
network 192.168.220.0/24
network 192.168.20.0/24
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name DMZtoLAN {
default-action drop
rule 50 {
action accept
description "AD ports open to LAN"
destination {
group {
network-group LocalSubnets
}
port 135,445,53,1025-5000,49152-65535,464
}
protocol tcp_udp
source {
address 10.113.4.2
}
}
rule 100 {
action accept
description "Allow UDP 88 Kerberos Auth"
destination {
group {
network-group LocalSubnets
}
port 88
}
protocol udp
source {
address 10.113.4.2
}
}
rule 200 {
action accept
description "Allow GC lookup"
destination {
group {
network-group LocalSubnets
}
port 3268,3269
}
protocol tcp
source {
address 10.113.4.2
}
}
}
name DMZtoLocal {
default-action accept
}
name DMZtoWAN {
default-action drop
rule 50 {
action accept
destination {
port 80,443,53,21,22
}
protocol tcp_udp
}
}
name LANtoDMZ {
default-action accept
}
name LANtoLOCAL {
default-action drop
description "Ruleset for traffic travelling from LAN zone to LOCAL zone"
rule 100 {
action accept
description "Allow ping from LAN"
protocol icmp
source {
address 10.113.3.0/24
}
}
rule 150 {
action accept
description "Allow Ping from DMZ"
protocol icmp
source {
address 10.113.4.0/24
}
}
}
name LANtoWAN {
default-action drop
description "Ruleset for traffic travelling from LAN zone to WAN zone"
rule 5000 {
action accept
description "Explicit allow all"
}
}
name LOCALtoDMZ {
default-action accept
}
name LOCALtoLAN {
default-action drop
description "Ruleset for traffic travelling from LOCAL zone to LAN zone"
rule 5000 {
action accept
description "Explicit allow all"
}
}
name LOCALtoWAN {
default-action accept
description "Ruleset for traffic travelling from LOCAL zone to WAN zone"
rule 150 {
action accept
description "Allow DNS requests from VyOS"
destination {
group {
address-group DNS
}
port 53
}
protocol udp
source {
group {
address-group WAN-IPs
}
}
}
rule 200 {
action accept
description "Allow NTP requests from VyOS"
destination {
port 123
}
protocol udp
source {
group {
address-group WAN-IPs
}
}
}
rule 250 {
action accept
description "Allow ICMP requests from VyOS"
protocol icmp
source {
group {
address-group WAN-IPs
}
}
}
rule 300 {
action accept
description "Allow ESP"
destination {
group {
address-group VPN-Peers
}
}
protocol esp
source {
group {
address-group WAN-IPs
}
}
}
rule 350 {
action accept
description "Allow IKE"
destination {
group {
address-group VPN-Peers
}
port 500
}
protocol udp
source {
group {
address-group WAN-IPs
}
}
}
}
name WANtoDMZ {
default-action drop
rule 50 {
action accept
destination {
address 10.113.4.2
port 80
}
protocol tcp
}
rule 100 {
action accept
destination {
address 10.113.4.2
port 443
}
protocol tcp
}
}
name WANtoLAN {
default-action drop
description "Ruleset for traffic travelling from WAN zone to LAN zone"
rule 150 {
action accept
destination {
address 10.113.3.2
port 1723
}
protocol tcp
state {
new enable
}
}
rule 200 {
action accept
description "Allow local and remote subnets to communicate"
destination {
group {
network-group LocalSubnets
}
}
source {
group {
network-group VPN-RemoteSubnets
}
}
}
rule 250 {
action accept
destination {
address 10.113.3.8
port 443
}
protocol tcp
}
rule 255 {
action accept
destination {
address 10.113.3.8
port 21
}
protocol tcp
}
}
name WANtoLOCAL {
default-action drop
description "Ruleset for traffic travelling from WAN zone to LOCAL zone"
rule 100 {
action accept
description "Allow SSH from company"
destination {
group {
address-group WAN-IPs
}
port 22
}
protocol tcp
source {
group {
address-group company-IPs
}
}
}
rule 150 {
action accept
description "Allow ESP"
destination {
group {
address-group WAN-IPs
}
}
protocol esp
source {
group {
address-group VPN-Peers
}
}
}
rule 200 {
action accept
description "Allow IKE"
destination {
group {
address-group WAN-IPs
}
port 500
}
protocol udp
source {
group {
address-group VPN-Peers
}
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
state-policy {
established {
action accept
}
related {
action accept
}
}
syn-cookies enable
twa-hazards-protection disable
}
interfaces {
ethernet eth0 {
address /31
description WAN
duplex auto
hw-id 00:50:56:a0:ad:3a
smp_affinity auto
speed auto
}
ethernet eth1 {
address 10.113.3.1/24
description LAN
duplex auto
hw-id 00:50:56:a0:96:20
smp_affinity auto
speed auto
}
ethernet eth2 {
address 10.113.4.1/24
description DMZ
duplex auto
hw-id 00:50:56:a0:63:66
smp_affinity auto
speed auto
}
loopback lo {
}
}
nat {
destination {
rule 100 {
description "Port Forward PPTP to 10.113.3.2"
destination {
port 1723
}
inbound-interface eth0
protocol tcp
translation {
address 10.113.3.2
}
}
rule 150 {
destination {
port 80
}
inbound-interface eth0
protocol tcp
translation {
address 10.113.4.2
}
}
rule 200 {
description "Port forward HTTPS to 10.113.3.8"
destination {
port 443
}
inbound-interface eth0
protocol tcp
translation {
address 10.113.3.8
}
}
rule 250 {
description "Port forward FTP to 10.113.3.8"
destination {
port 21
}
inbound-interface eth0
protocol tcp
translation {
address 10.113.3.8
}
}
}
source {
rule 10 {
destination {
address 192.168.18.0/23
}
exclude
outbound-interface eth0
source {
address 10.113.3.0/24
}
}
rule 15 {
destination {
address 192.168.220.0/24
}
exclude
outbound-interface eth0
source {
address 10.113.3.0/24
}
}
rule 20 {
destination {
address 192.168.20.0/24
}
exclude
outbound-interface eth0
source {
address 10.113.3.0/24
}
}
rule 100 {
description "NAT Overload"
outbound-interface eth0
source {
address 10.113.3.0/24
}
translation {
address masquerade
}
}
rule 150 {
outbound-interface eth0
source {
address 10.113.4.0/24
}
translation {
address masquerade
}
}
}
}
service {
ssh {
port 22
}
}
system {
config-management {
commit-revisions 20
}
domain-name domain.ca
gateway-address x.x.x.x
host-name mbmuk-vr01
login {
user mbmadmin {
authentication {
encrypted-password ############
plaintext-password ""
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
package {
auto-sync 1
repository community {
components main
distribution helium
password ""
url http://packages.vyos.net/vyos
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
vpn {
ipsec {
esp-group ESP-1W {
compression disable
lifetime 86400
mode tunnel
pfs disable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE-1W {
ikev2-reauth no
key-exchange ikev1
lifetime 86400
proposal 1 {
dh-group 2
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
site-to-site {
peer x.x.x.x {
authentication {
mode pre-shared-secret
pre-shared-secret #########
}
connection-type initiate
default-esp-group ESP-1W
ike-group IKE-1W
ikev2-reauth inherit
local-address x.x.x.x
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 10.113.3.0/24
}
remote {
prefix 192.168.18.0/23
}
}
tunnel 2 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 10.113.3.0/24
}
remote {
prefix 192.168.220.0/24
}
}
}
peer x.x.x.x {
authentication {
mode pre-shared-secret
pre-shared-secret #########
}
connection-type initiate
default-esp-group ESP-1W
ike-group IKE-1W
ikev2-reauth inherit
local-address x.x.x.x
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 10.113.3.0/24
}
remote {
prefix 192.168.20.0/24
}
}
}
}
}
}
zone-policy {
zone DMZ {
default-action drop
description "DMZ Zone"
from LAN {
firewall {
name LANtoDMZ
}
}
from LOCAL {
firewall {
name LOCALtoDMZ
}
}
from WAN {
firewall {
name WANtoDMZ
}
}
interface eth2
}
zone LAN {
default-action drop
description "LAN zone"
from DMZ {
firewall {
name DMZtoLAN
}
}
from LOCAL {
firewall {
name LOCALtoLAN
}
}
from WAN {
firewall {
name WANtoLAN
}
}
interface eth1
}
zone LOCAL {
default-action drop
description "Local zone"
from LAN {
firewall {
name LANtoLOCAL
}
}
from WAN {
firewall {
name WANtoLOCAL
}
}
local-zone
}
zone WAN {
default-action drop
description "WAN zone"
from DMZ {
firewall {
name DMZtoWAN
}
}
from LAN {
firewall {
name LANtoWAN
}
}
from LOCAL {
firewall {
name LOCALtoWAN
}
}
interface eth0
}
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:config-management@1:conntrack-sync@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@4:qos@1:quagga@2:system@6:vrrp@1:wanloadbalance@3:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: VyOS 1.1.7 */