IKEv2 Clients routing to multiple local subnets and also being NATed to internet

Hello everyone,

After a couple of days googling around and trying various modifications to my VyOS router, I've come to the conclusion that I cannot fix this alone.

So, SCENARIO:

  1. VyOS router (2 interfaces),
    1.1 connecting directly to internet via pppoe0 interface, which works fine
    1.2 fixed local ip on the internal interface

  2. A static route was created on the internal interface to be able to reach the rest of the internal network, a /16 subnet. This works fine, as the router is reachable from every /24 included in the /16 rule.
    protocols {
        static {
            route AA.BB.0.0/16 {
                interface eth1 {
                }
                next-hop AA.BB.100.254 {
                }
            }
        }
    }

Mobile clients connect via an IKEv2 IPsec tunnel configured as per this: PKI and IPSec IKEv2 remote-access VPN (vyos.io).

Clients connect just fine and they have a pool of IP addresses from a different subnet than the internal /16.

NAT works over the PPPoE interface.

My problem is with having routed access (NOT NAT) via the internal interface. The next hop, XX.YY.100.254, is the core switch in the network, and all subnets to be routed to are directly connected to it (layer 2 & 3 interfaces). Can anyone help?

$ show configuration
interfaces {
    ethernet eth0 {
        hw-id 00:50:56:ad:b9:b9
    }
    ethernet eth1 {
        address AA.BB.100.129/24
        hw-id 00:50:56:ad:e4:99
        ip {
        }
    }
    loopback lo {
    }
    pppoe pppoe0 {
        authentication {
            password ****************
            user XXXXXXXXXXXXXXXX
        }
        description "Internet"
        mtu 1452
        source-interface eth0
    }
    vti vti0 {
        address XX.YY.98.254/24
    }
}
nat {
    source {
        rule 10 {
            destination {
                address !AA.BB.0.0/16
            }
            outbound-interface pppoe0
            source {
                address XX.YY.98.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
pki {
    ca CA_AUTHORITY_C3_root {
        certificate MII
    }
    ca CA_AUTHORITY_C3_sign {
        certificate MII
    }
    certificate VYOS.domain.tld {
        certificate MII
        private {
            key ****************
        }
    }
}
protocols {
    static {
        route AA.BB.0.0/16 {
            interface eth1 {
            }
            next-hop AA.BB.100.254 {
            }
        }
    }
}
vpn {
    ipsec {
        esp-group ESP-RW {
            lifetime 3600
            pfs disable
            proposal 10 {
                encryption aes128gcm128
                hash sha256
            }
        }
        ike-group IKE-RW {
            key-exchange ikev2
            lifetime 7200
            proposal 10 {
                dh-group 14
                encryption aes128gcm128
                hash sha256
            }
        }
        interface vti0
        options {
            interface vti0
            virtual-ip
        }
        remote-access {
            connection rw {
                authentication {
                    local-id BATTERHOCK
                    local-users {
                        username USER1 {
                            password ****************
                        }
                        username USER2 {
                            password ****************
                        }
                        username USER3 {
                            password ****************
                        }
                    }
                    server-mode x509
                    x509 {
                        ca-certificate CA_AUTHORITY_C3_sign
                        certificate VYOS.domain.tld
                    }
                }
                esp-group ESP-RW
                ike-group IKE-RW
                pool ra-rw-ipv4
            }
            dhcp {
            }
            pool ra-rw-ipv4 {
                name-server 8.8.8.8
                prefix XX.YY.98.0/24
            }
        }
    }
}

Confusing question; the posted config seems incomplete.
I guess AA.BB.100.254 is the L3 switch, not XX.YY.100.254.
The latter conflicts with the vti interface and its local connected route.
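The following is an added example, not code from the original post or from VyOS: a longest-prefix-match model of the forwarding and source-NAT decisions the posted config implies for a VPN client, followed by the return-path check a practitioner would make first when routed (non-NAT) access to the internal /16 does not work. The post masks the first two octets, so the script assumes AA.BB = 10.20 and XX.YY = 10.30; interface names, prefixes and next-hops otherwise follow the posted config. The core switch's routing table is constructed here (the post does not show it) and its default next-hop is an assumption.

```python
"""
Added example (not part of the original post or of VyOS): a longest-prefix-
match model of the forwarding and source-NAT decisions implied by the posted
config, followed by the return-path check on the core switch.

Assumed values (the post masks these octets): AA.BB = 10.20 and XX.YY = 10.30.
Interface names, prefixes and next-hops otherwise follow the posted config.
"""
from ipaddress import ip_address, ip_network

# VyOS routing table as implied by the posted config:
# (prefix, outgoing interface, next-hop or None when the prefix is on-link).
VYOS_ROUTES = [
    (ip_network("0.0.0.0/0"),      "pppoe0", None),                        # default via PPPoE
    (ip_network("10.20.100.0/24"), "eth1",   None),                        # connected: eth1 is AA.BB.100.129/24
    (ip_network("10.20.0.0/16"),   "eth1",   ip_address("10.20.100.254")), # static route to the core switch
    (ip_network("10.30.98.0/24"),  "vti0",   None),                        # connected: vti0 is XX.YY.98.254/24
]

# Source NAT rule 10 from the post: masquerade pool traffic leaving pppoe0
# unless the destination is inside the internal /16.
SNAT_SOURCE        = ip_network("10.30.98.0/24")
SNAT_EXCLUDED_DEST = ip_network("10.20.0.0/16")
SNAT_OUT_IFACE     = "pppoe0"

# Address of the VyOS eth1 interface, where the core switch must send replies.
VYOS_ETH1 = ip_address("10.20.100.129")


def lookup(routes, dst):
    """Longest-prefix match over a route list; returns (prefix, iface, next_hop) or None."""
    best = None
    for prefix, iface, nh in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface, nh)
    return best


def forward(src, dst):
    """What the VyOS router does with a packet src -> dst under the posted config."""
    src, dst = ip_address(src), ip_address(dst)
    route = lookup(VYOS_ROUTES, dst)
    if route is None:
        return {"action": "drop"}
    prefix, iface, nh = route
    # The NAT rule only fires on the PPPoE interface, so traffic the static
    # route sends to eth1 leaves with the client's pool address intact.
    snat = iface == SNAT_OUT_IFACE and src in SNAT_SOURCE and dst not in SNAT_EXCLUDED_DEST
    return {"action": "forward", "iface": iface,
            "next_hop": str(nh) if nh is not None else None, "snat": snat}


# Constructed routing table for the core switch (AA.BB.100.254). The post does
# not show it; the default next-hop here is an assumption. Routed (non-NAT)
# access needs the core to send the pool prefix back to VyOS; otherwise replies
# follow the core's default route and the VPN client never sees them.
CORE_ROUTES_WITHOUT_RETURN = [
    (ip_network("0.0.0.0/0"),    "uplink", ip_address("10.20.100.1")),  # assumed default gateway
    (ip_network("10.20.0.0/16"), "vlans",  None),                       # its connected VLAN interfaces, simplified
]
CORE_ROUTES_WITH_RETURN = CORE_ROUTES_WITHOUT_RETURN + [
    (ip_network("10.30.98.0/24"), "vlan100", VYOS_ETH1),                # pool prefix back via VyOS eth1
]


def reply_reaches_vyos(core_routes, client):
    """True if the core switch would hand a reply to the client back to VyOS eth1."""
    route = lookup(core_routes, ip_address(client))
    return route is not None and route[2] == VYOS_ETH1


if __name__ == "__main__":
    client = "10.30.98.10"
    for dst in ("10.20.50.7", "10.20.100.50", "8.8.8.8"):
        print(f"{client} -> {dst}: {forward(client, dst)}")
    print("reply path without pool route:", reply_reaches_vyos(CORE_ROUTES_WITHOUT_RETURN, client))
    print("reply path with pool route:   ", reply_reaches_vyos(CORE_ROUTES_WITH_RETURN, client))
```

Under these assumptions the VyOS side already does what the post asks for: a client packet to an address inside the /16 is sent out eth1 (via AA.BB.100.254, or directly when the destination is on the eth1 /24) and is not masqueraded, while a packet to the internet leaves pppoe0 masqueraded. What the model makes visible is that the outcome also depends on a table the post does not show: the core switch needs a route for the pool prefix pointing at the VyOS eth1 address, or replies to the unmasqueraded pool addresses go wherever its default route points.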