Forwarding traffic between two different ipsec VPNs attached to a VyOS

Hi!

What I am doing is a little weird, but I hope not.
I have a VyOS instance that has IPsec tunnels, one with a Sophos firewall, and the other a pfsense.
VyOS has a vti ipsec between it and the pfsense device, so all the networks on the pfsense network is available to the vyOS.
vyOS will have a regular VPN with the Sophos, but I would like to include the pfsense subnets into the vyOS-Sophos VPN configuration.

I would like to include some hosts/subnets the vyOS can reach on the pfsense networks, into the host configuration of the IPsec VPN with the Sophos device, and route the traffic between the two tunnels, so the Sophos can reach the pfsense networks directly.

Is it possible to include the 10.10.0.0/25 (pfsense) network on a new VPN configuration with the Sophos device, and have the Sophos be able to reach these hosts?

If yes, can someone please help with kind of nat and/or firewall rules I will need?
I hope this is described properly.

Thanks in advance!

Hi, @sinaowolabi

So, as I understood, you want to unite VyOS, Sophos and PFSense in one network via IPSec without excluding any host?

Sorry for not being clear.
I want to be able to reach the networks hosted behind the PFsense, which is reachable from the VyOS (by VyOS-pfsense VTI VPN), from the Sophos, (by Sophos-VyOS Ipsec VPN).

I thought I can do this, by having the PFsense network subnet(s) as local prefix(es) on the VyOS-Sophos Ipsec VPN config, and somehow routing incoming requests from Sophos to PFsense network, through the VyOS-PFsense vti vpn.

Sophos ← IPSEC VPN → VyOS ← VTI VPN → PFSense (10.10.0.0/25, etc)

I hope this is clearer :slight_smile:

This is called VPN routing feature and should not be any issue. If not I have done with these other firewalls by SNATing the traffic behind egress interface. So in this case if you want access subnets behind sophos firewall and you have tunnel built with Sophos then SNAT the traffic behind sophos tunnel interface.

Try to stay away from NAT-ting, use routing instead.
On PFsense, add route for sophos network to vti tunnel
On Vyos, add extra tunnel under existing sophos peer , having pfsense-LAN as local , sophosLAN as remote. And make sure firewall rules allow this traffic, and NAT doesn’t kick in for
pfsense-LAN<–>sophosLAN traffic

Wow, sounds interesting.
The extra tunnel, is between VyOS and PFSense, correct? And does it have to be IPSec or can it be something else?
I’d been playing with NAT and it didnt work (or more likely I was doing rubbish)

Example to add 2nd tunnel to same peer, building upon kb article
https://support.vyos.io/en/kb/articles/ipsec-site-to-site-vpn-2

set site-to-site peer 192.51.100.2 authentication mode ‘pre-shared-secret’
set site-to-site peer 192.51.100.2 authentication pre-shared-secret ‘not-so-secret’
set site-to-site peer 192.51.100.2 ike-group ‘central-rtr-ike’
set site-to-site peer 192.51.100.2 local-address ‘203.0.113.2’
set site-to-site peer 192.51.100.2 tunnel 0 allow-nat-networks ‘disable’
set site-to-site peer 192.51.100.2 tunnel 0 allow-public-networks ‘disable’
set site-to-site peer 192.15.100.2 tunnel 0 esp-group ‘central-rtr-esp’
set site-to-site peer 192.51.100.2 tunnel 0 local prefix ‘10.1.1.0/24’
set site-to-site peer 192.51.100.2 tunnel 0 remote prefix ‘10.2.2.0/24’
#extra tunnel, same peer
set site-to-site peer 192.51.100.2 tunnel 1 allow-nat-networks ‘disable’
set site-to-site peer 192.51.100.2 tunnel 1 allow-public-networks ‘disable’
set site-to-site peer 192.15.100.2 tunnel 1 esp-group ‘central-rtr-esp’
set site-to-site peer 192.51.100.2 tunnel 1 local prefix ‘10.1.1.0/24’
set site-to-site peer 192.51.100.2 tunnel 1 remote prefix ‘10.3.3.0/24’

Thanks, but does the second tunnel need to be configured at the Sophos end as well?
Ive configured this but I am not even seeing traffic showing up on the tunnel.
I feel I should point out that the IP address configuration is a little unusual:
Sophos+VyOS vpn:

Sophos: peer and local prefix: A.A.A.A/32
VyOS: peer is B.B.B.B, local prefix is 10.10.0.9/32 (IP available at PFSense)

VyOS+PFsense VTI vpn:

VyOS: vti address: 172.16.106.1/30, peer: B.B.B.B
PFSense: vti address: 172.16.106.2/30, peer: C.C.C.C
routed subnets at PFSense: 10.10.0.0/25, 10.20.0.0/25, etc

My current VyOS configuration:

   site-to-site {
        peer A.A.A.A {
            authentication {
                id B.B.B.B
                mode pre-shared-secret
                pre-shared-secret ****************
                remote-id A.A.A.A
            }
            connection-type initiate
            ike-group sophos-ike
            ikev2-reauth inherit
            local-address B.B.B.B
            tunnel 0 {
                esp-group sophos-esp
                local {
                    prefix 10.10.0.9/32
                }
                remote {
                    prefix A.A.A.A/32
                }
            }
            tunnel 1 {
                allow-nat-networks disable
                allow-public-networks disable
                esp-group sophos-esp
                local {
                    prefix 10.10.0.9/32
                }
                remote {
                    prefix A.A.A.A/32
                }
            }
        }

Commands I ran:

set vpn ipsec site-to-site peer A.A.A.A authentication id ‘B.B.B.B’
set vpn ipsec site-to-site peer A.A.A.A authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer A.A.A.A authentication pre-shared-secret ‘****’
set vpn ipsec site-to-site peer A.A.A.A authentication remote-id ‘A.A.A.A’
set vpn ipsec site-to-site peer A.A.A.A connection-type ‘initiate’
set vpn ipsec site-to-site peer A.A.A.A ike-group ‘sophos-ike’
set vpn ipsec site-to-site peer A.A.A.A ikev2-reauth ‘inherit’
set vpn ipsec site-to-site peer A.A.A.A local-address ‘B.B.B.B’
set vpn ipsec site-to-site peer A.A.A.A tunnel 0 esp-group ‘sophos-esp’

set vpn ipsec site-to-site peer A.A.A.A tunnel 0 local prefix ‘10.10.0.9/32’
set vpn ipsec site-to-site peer A.A.A.A tunnel 0 remote prefix ‘A.A.A.A/32’
#extra tunnel
set vpn ipsec site-to-site peer A.A.A.A tunnel 1 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer A.A.A.A tunnel 1 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer A.A.A.A tunnel 1 esp-group ‘sophos-esp’
set vpn ipsec site-to-site peer A.A.A.A tunnel 1 local prefix ‘10.10.0.9/32’
set vpn ipsec site-to-site peer A.A.A.A tunnel 1 remote prefix ‘A.A.A.A/32’

run show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal


peer-C.C.C.C-vti up 4h40m48s 94K/94K 3K/3K C.C.C.C N/A AES_CBC_256/HMAC_SHA1_96/MODP_2048
peer-A.A.A.A-tunnel-0 up 42m22s 0B/0B 0/0 A.A.A.A N/A AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer-A.A.A.A-tunnel-1 up 42m22s 0B/0B 0/0 A.A.A.A N/A AES_CBC_128/HMAC_SHA1_96/MODP_1024

Hi Sinaowolabi,

Maybe , I think that Sophos supports vpn ipsec(route-base) Could you please check ? because it is already enabled between (vyos-pfsense ) using vty and static for the routing. So I believe that it simplifies your networking settings.

Hi thanks a lot,
I am investigating this, but I was hoping I could route or nat from the VyOS to the PFSense without needing to modify Sophos configuration.
I am trying to simulate for a third party/parties that will need to communicate using a regular IPSEC site to site, but need to reach IPs that are not ‘directly’ connected to the peer they are forming a tunnel with.
Maybe what I am trying to do is a little too exotic :slight_smile:

Indeed, 2nd tunnel needs to be added on sophos end too.
If you don’t want to, you needs NAT…which will become messy, especially if LAN clients behind sophos need to setup connections to PFSense LAN host. (needs port forward =dNAT)

Yes, I understand, but NAT seems easier (?) especially when dealing with third party that is unaware of one’s internal network complexities.

What do you think about adding a dummy interface to the VyOS that will nat to the destination address in the Sophos LAN?

What’s the idea behind the dummy interface? Packets won’t pass this interface, so you can’t attach NAT rules to it. For policy based ipsec VPN, NAT rules attach to WAN interface.

The dummy rule gives you an extra IP address, but neither sNAT nor dNAT requires used address to be present on the box itself

Hello @sinaowolabi

Can you create a simple network diagram and describe the issue in more detail?
Which version do you use?

show version

Can you attach an example of configuration? Of course, you can hide/strip all private information.
We need to understand steps how to reproduce the issue.

I am so sorry, I have taken so much of your time.
It works without issue now.
All I had to do was add a route to the Sophos host IP, on the PFSense vti, and set an exclude on NAT for the Sophos IP, on the VyOS.
I can now ping the PFsense host IP from the Sophos IP, through the VPN!
All I had to do was ping the Sophos IP from the PFsense IP, through the vti tunnel and they communicate.

VyOS version: VyOS 1.4-rolling-202106131819
Configuration (on VyOS) is below:

VPN:
set vpn ipsec ike-group sophos-ike dead-peer-detection action 'hold'
set vpn ipsec ike-group sophos-ike dead-peer-detection interval '30'
set vpn ipsec ike-group sophos-ike dead-peer-detection timeout '120'
set vpn ipsec ike-group sophos-ike ikev2-reauth 'no'
set vpn ipsec ike-group sophos-ike key-exchange 'ikev1'
set vpn ipsec ike-group sophos-ike lifetime '28800'
set vpn ipsec ike-group sophos-ike mobike 'disable'
set vpn ipsec ike-group sophos-ike proposal 1 dh-group '2'
set vpn ipsec ike-group sophos-ike proposal 1 encryption 'aes128'
set vpn ipsec ike-group sophos-ike proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer sophos-peer authentication id 'vyos-peer'
set vpn ipsec site-to-site peer sophos-peer authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer sophos-peer authentication pre-shared-secret ''
set vpn ipsec site-to-site peer sophos-peer authentication remote-id 'sophos-peer'
set vpn ipsec site-to-site peer sophos-peer connection-type 'initiate'
set vpn ipsec site-to-site peer sophos-peer ike-group 'sophos-ike'
set vpn ipsec site-to-site peer sophos-peer local-address 'vyos-peer'
set vpn ipsec site-to-site peer sophos-peer tunnel 0 esp-group 'sophos-esp'
set vpn ipsec site-to-site peer sophos-peer tunnel 0 local prefix 'pfsense-vti-ip(10.10.0.9)/32'
set vpn ipsec site-to-site peer sophos-peer tunnel 0 remote prefix 'sophos-peer/32'

NAT

set nat destination
set nat source rule 10 destination address 'sophos-peer/32'
set nat source rule 10 exclude
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.10.0.128/25'
set nat source rule 10 translation address 'masquerade'
set nat source rule 11 outbound-interface 'eth0'
set nat source rule 11 source address '10.20.0.128/25'
set nat source rule 11 translation address 'masquerade'
set nat source rule 12 outbound-interface 'eth0'
set nat source rule 12 source address '10.30.0.128/25'
set nat source rule 12 translation address 'masquerade'
set nat source rule 13 outbound-interface 'eth0'
set nat source rule 13 source address '10.20.0.128/25'
set nat source rule 13 translation address 'masquerade'
set nat source rule 14 outbound-interface 'eth0'
set nat source rule 14 source address '10.50.0.128/25'
set nat source rule 14 translation address 'masquerade'
set nat source rule 15 outbound-interface 'eth0'
set nat source rule 15 source address '10.12.0.128/25'
set nat source rule 15 translation address 'masquerade'

Basic diagram

My other question is, is it possible to have multiple excludes for the same NAT rule/set of IPs? Because I need to setup multiple VPNs that will connect to the VyOS, needing to reach that same host.

One prefix per rule. Also, you can use “NOT” prefix

!<x.x.x.x>    Match everything except the specified prefix

Can I have multiple rules per Source natted subnet? or exclude a group?

There is a task for groups T1877

Thanks everyone for all your assistance. Its greatly appreciated.