DMVPN Spoke behind NAT not connecting

Hi All,

Am trying to setup a spoke behind a NAT router that handles the PPPOE authentication. The Hub does its own NAT and has public IP on the interface where the spoke has a 192.168.16.100/24 address. It seems that the spoke is able to setup the tunnel but breaks instantly. The spokes that has public IP on the WAN thus doesnt traverse NAT works without a problem…so am not sure what is going on. Here the following errors when doing ipsec debug:

VPN-IPSEC: 07[IKE] <dmvpn-NHRPVPN-tun0|52> initiating Main Mode IKE_SA dmvpn-NHRPVPN-tun0[52] to WAN_IP_HUB
VPN-IPSEC: 07[ENC] <dmvpn-NHRPVPN-tun0|52> generating ID_PROT request 0 [ SA V V V V V ]
VPN-IPSEC: 07[NET] <dmvpn-NHRPVPN-tun0|52> sending packet: from 192.168.16.100[500] to WAN_IP_HUB[500] (184 bytes)
VPN-IPSEC: 09[NET] <dmvpn-NHRPVPN-tun0|52> received packet: from WAN_IP_HUB[500] to 192.168.16.100[500] (164 bytes)
VPN-IPSEC: 09[ENC] <dmvpn-NHRPVPN-tun0|52> parsed ID_PROT response 0 [ SA V V V V ]
VPN-IPSEC: 09[IKE] <dmvpn-NHRPVPN-tun0|52> received XAuth vendor ID
VPN-IPSEC: 09[IKE] <dmvpn-NHRPVPN-tun0|52> received DPD vendor ID
VPN-IPSEC: 09[IKE] <dmvpn-NHRPVPN-tun0|52> received FRAGMENTATION vendor ID
VPN-IPSEC: 09[IKE] <dmvpn-NHRPVPN-tun0|52> received NAT-T (RFC 3947) vendor ID
VPN-IPSEC: 09[CFG] <dmvpn-NHRPVPN-tun0|52> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
VPN-IPSEC: 09[ENC] <dmvpn-NHRPVPN-tun0|52> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
VPN-IPSEC: 09[NET] <dmvpn-NHRPVPN-tun0|52> sending packet: from 192.168.16.100[500] to WAN_IP_HUB[500] (652 bytes)
VPN-IPSEC: 07[NET] <dmvpn-NHRPVPN-tun0|52> received packet: from WAN_IP_HUB[500] to 192.168.16.100[500] (652 bytes)
VPN-IPSEC: 07[ENC] <dmvpn-NHRPVPN-tun0|52> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
VPN-IPSEC: 07[IKE] <dmvpn-NHRPVPN-tun0|52> local host is behind NAT, sending keep alives
VPN-IPSEC: 07[ENC] <dmvpn-NHRPVPN-tun0|52> generating ID_PROT request 0 [ ID HASH ]
VPN-IPSEC: 07[NET] <dmvpn-NHRPVPN-tun0|52> sending packet: from 192.168.16.100[4500] to WAN_IP_HUB[4500] (92 bytes)
VPN-IPSEC: 16[NET] <dmvpn-NHRPVPN-tun0|52> received packet: from WAN_IP_HUB[4500] to 192.168.16.100[4500] (92 bytes)
VPN-IPSEC: 16[ENC] <dmvpn-NHRPVPN-tun0|52> parsed ID_PROT response 0 [ ID HASH ]
VPN-IPSEC: 16[IKE] <dmvpn-NHRPVPN-tun0|52> IKE_SA dmvpn-NHRPVPN-tun0[52] established between 192.168.16.100[192.168.16.100]…WAN_IP_HUB[WAN_IP_HUB]
VPN-IPSEC: 16[IKE] <dmvpn-NHRPVPN-tun0|52> scheduling rekeying in 78903s
VPN-IPSEC: 16[IKE] <dmvpn-NHRPVPN-tun0|52> maximum IKE_SA lifetime 87543s
VPN-IPSEC: 16[ENC] <dmvpn-NHRPVPN-tun0|52> generating QUICK_MODE request 419441650 [ HASH SA No KE ID ID ]
VPN-IPSEC: 16[NET] <dmvpn-NHRPVPN-tun0|52> sending packet: from 192.168.16.100[4500] to WAN_IP_HUB[4500] (700 bytes)
VPN-IPSEC: 07[NET] <dmvpn-NHRPVPN-tun0|52> received packet: from WAN_IP_HUB[4500] to 192.168.16.100[4500] (92 bytes)
VPN-IPSEC: 07[ENC] <dmvpn-NHRPVPN-tun0|52> parsed INFORMATIONAL_V1 request 3920800677 [ HASH N(INVAL_ID) ]
VPN-IPSEC: 07[IKE] <dmvpn-NHRPVPN-tun0|52> received INVALID_ID_INFORMATION error notify
VPN-IPSEC: 09[IKE] <dmvpn-NHRPVPN-tun0|55> sending keep alive to WAN_IP_HUB[4500]
VPN-IPSEC: 11[NET] <dmvpn-NHRPVPN-tun0|55> received packet: from WAN_IP_HUB[4500] to 192.168.16.100[4500] (108 bytes)

Hope someone is able to point me out to the right direction so i can makes this work.
All nodes running VyOS 1.3.0-rc6.

Thanks!

Hi @Arpanet69 ,
This is probably described here:
https://phabricator.vyos.net/T1186
Can you try UnicronNL solution?:

On the **HUB**, can you change in /etc/swanctl/swanctl.conf
remote_ts = dynamic[gre] to **remote_ts = 0.0.0.0/0[gre]**
than run **sudo swanctl -q** on the **HUB**
and try to connect again from the spoke.

Also as an idea, if HUB router has NAT 1to1, it is possible to use a dummy interface.
Part of this trick described here AWS L2TP/IPSec : VyOS Support Portal

On the **HUB**, can you change in /etc/swanctl/swanctl.conf
remote_ts = dynamic[gre] to **remote_ts = 0.0.0.0/0[gre]**
than run **sudo swanctl -q** on the **HUB**
and try to connect again from the spoke.

That didnt work for me … i will tshoot and gather more information.

@Dmitry The HUB carries a public ip no nat. Only the spoke is behind the pppoe / nat router (PAT overload).

Thanks

Hi @Arpanet69 did you configure ESP mode as tunnel or transport?
If you have spokes behind a NAT you should avoid tunnel mode and use transport instead

Hi @Dmitry Yeah i just changed it now i get the following error in #monitoring vpn ipsec:
no IKE config found for HUB_PUBLIC_IP…SPOKE_PUBLIC_IP, sending NO_PROPOSAL_CHOSEN.

Do i need to change transport on both the hub as the spoke?

Sure, you have to use transport mode everywhere on HUB and Spokes

@Dmitry I got it working for my natted Spokes! My non natted Spokes are able to build the tunnels but… am not able to ping the Hubs tunnel interface or the network behind the HUB anymore.

Hi, @Arpanet69 you have to check IPSec tunnels and NHRP info. Also try to check routes

Awesome thanks guys! The routes were fine which were very basic… I compared the NHRP between the spokes and the hubs and they were a bit off.

Ive got not stable tunnels between the natted spokes and the non natted spokes.

Cheers!

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.