Ipsec and nat with non-existent local ip

Hi!

I’m using VyOS 1.4-rolling-202204300743.
I’ve set up an IPsec tunnel with an external host, using an IP as local prefix on the VyOS side that doesn’t exist/isn’t attached to a machine.
The VyOS is a ‘bridge’ that is used to allow other VTI-connected devices/networks to connect to some remote destinations through the IPsec tunnel that the VyOS ‘bridge’ forms with external remote peers.
The VyOS ‘bridge’ itself currently has no active LAN devices connected to it, but it has configuration for such (it used to have).

The VyOS ‘bridge’ external IP is 147.y.y.y, the internal subnet is 10.10.0.0/16, of which the local prefix is selected to be 10.10.0.9. (Note 10.10.0.9 does not exist/is not attached to anything.)

The VPN external peer is 196.x.x.x and has a number of /32 remote prefixes which are grouped under 172.24.96.0/20 for ease of SNATing. The rule I have landed upon after lots of attempts to SNAT is

set nat source rule 10 destination address '172.24.96.0/20'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '147.y.y.y'
set nat source rule 10 translation address '10.10.0.9'

The tunnel is up, I can see what looks like traffic going through the tunnel, but no response from the other side (attempting nc to one of the remote prefixes):

peer_196-x-x-x_tunnel_0  up       38m9s     0B/1K           0B/22B            196.x.x.x     196.x.x.x  AES_CBC_256/HMAC_SHA1_96
peer_196-x-x-x_tunnel_1  up       38m8s     0B/           0B/0B             196.x.x.x     196.x.x.x  AES_CBC_256/HMAC_SHA1_96
peer_196-x-x-x_tunnel_2  up       38m8s     0B/0B           0B/0B             196.x.x.x     196.x.x.x  AES_CBC_256/HMAC_SHA1_96
peer_196-x-x-x_tunnel_3  up       38m8s     0B/0B           0B/0B             196.x.x.x     196.x.x.x  AES_CBC_256/HMAC_SHA1_96
peer_196-x-x-x_tunnel_4  up       38m8s     0B/0B           0B/0B             196.x.x.x     196.x.x.x  AES_CBC_256/HMAC_SHA1_96
peer_196-x-x-x_tunnel_5  up       38m8s     0B/0B           0B/0B             196.x.x.x     196.x.x.x  AES_CBC_256/HMAC_SHA1_96

and tcpdump on eth0 does not show SNAT for traffic coming from sources to the destination IP subnet (172.24.96.0/20); it still shows the VyOS ‘bridge’ external address:

# tcpdump -nn -i  eth0 net 172.24.96.0/20 or host 10.10.0.9
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:13:33.492522 IP 147.y.y.y.42436 > 172.24.98.155.10500: Flags [S], seq 302933062, win 29200, options [mss 1460,sackOK,TS val 1017169204 ecr 0,nop,wscale 7], length 0
09:13:34.511727 IP 147.y.y.y.42436 > 172.24.98.155.10500: Flags [S], seq 302933062, win 29200, options [mss 1460,sackOK,TS val 1017170223 ecr 0,nop,wscale 7], length 0
09:13:36.559555 IP 147.y.y.y.42436 > 172.24.98.155.10500: Flags [S], seq 302933062, win 29200, options [mss 1460,sackOK,TS val 1017172271 ecr 0,nop,wscale 7], length 0
09:13:40.591799 IP 147.y.y.y.42436 > 172.24.98.155.10500: Flags [S], seq 302933062, win 29200, options [mss 1460,sackOK,TS val 1017176303 ecr 0,nop,wscale 7], length 0
09:13:48.847607 IP 147.y.y.y.42436 > 172.24.98.155.10500: Flags [S], seq 302933062, win 29200, options [mss 1460,sackOK,TS val 1017184558 ecr 0,nop,wscale 7], length 0

How can I be sure that traffic is correctly being SNATed to 10.10.0.9? Is my source rule sufficient? Am I doing anything wrong?

In order to know if NAT rules are applied, you can enable logging on the desired rules.
You can also check the counters in the nftables NAT rules: sudo nft list table ip nat

And this example might be useful for you: NAT before VPN
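One way to read those counters without eyeballing the whole table, as an added example that is not from this thread, from VyOS or from nftables: the script parses the text that sudo nft list table ip nat prints (the sample below is constructed from the output quoted in this thread, with an extra zero-hit rule added), and for every SNAT rule toward the remote prefix reports whether it has matched packets and rewrites to the expected address. The remote prefix 172.24.96.0/20 and translation address 10.10.0.9 are taken from the thread; the rule comments in the sample are assumed to follow the SRC-NAT-<rule> pattern shown in the quoted output.

```python
import re
import sys

# Constructed sample modelled on the `sudo nft list table ip nat` output quoted in this
# thread; a third rule with zero hits is added to show the "never matched" case.
SAMPLE_NFT = """\
table ip nat {
        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                counter packets 15 bytes 997 jump VYOS_PRE_SNAT_HOOK
                ip saddr 0.0.0.0/0 ip daddr 172.24.96.0/20 counter packets 1 bytes 60 log prefix "[NAT-SRC-10]" comment "SRC-NAT-10"
                ip saddr 0.0.0.0/0 ip daddr 172.24.96.0/20 counter packets 1 bytes 60 snat to 10.10.0.9 comment "SRC-NAT-10"
                ip saddr 10.101.0.0/16 ip daddr 172.24.96.0/20 counter packets 0 bytes 0 snat to 10.10.0.9 comment "SRC-NAT-12"
        }
}
"""

# One nftables source-NAT rule as VyOS renders it: match, counter, snat target, comment.
# Log-only rules (`... log prefix ...`) and jump lines deliberately do not match.
SNAT_RULE = re.compile(
    r'ip saddr (?P<saddr>\S+) ip daddr (?P<daddr>\S+) '
    r'counter packets (?P<packets>\d+) bytes (?P<bytes>\d+) '
    r'snat to (?P<to>\S+)'
    r'(?: comment "(?P<comment>[^"]*)")?'
)


def parse_snat_rules(nft_text):
    """Return a list of dicts, one per `snat to` rule, with its match and counters."""
    rules = []
    for line in nft_text.splitlines():
        m = SNAT_RULE.search(line)
        if m is None:
            continue
        rules.append({
            "comment": m.group("comment") or "",
            "saddr": m.group("saddr"),
            "daddr": m.group("daddr"),
            "packets": int(m.group("packets")),
            "bytes": int(m.group("bytes")),
            "to": m.group("to"),
        })
    return rules


def check_snat(rules, remote_prefix, expected_to):
    """Classify each SNAT rule whose destination match is remote_prefix.

    Returns a list of (comment, status) with status one of:
      "ok"            the rule has hits and rewrites to expected_to
      "no-hits"       the rule rewrites correctly but has matched no packets yet,
                      so the traffic is not reaching it (wrong source match,
                      wrong interface, or routed elsewhere)
      "wrong-target"  the rule rewrites to a different address
    """
    results = []
    for r in rules:
        if r["daddr"] != remote_prefix:
            continue
        if r["to"] != expected_to:
            status = "wrong-target"
        elif r["packets"] == 0:
            status = "no-hits"
        else:
            status = "ok"
        results.append((r["comment"], status))
    return results


def broad_source_rules(rules):
    """Comments of SNAT rules matching source 0.0.0.0/0: every source, including
    packets the router itself originates. Worth confirming that is intended."""
    return [r["comment"] for r in rules if r["saddr"] == "0.0.0.0/0"]


if __name__ == "__main__":
    # Pipe real output in (`sudo nft list table ip nat | python3 check_snat.py`);
    # with no piped input the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NFT
    parsed = parse_snat_rules(text)
    for comment, status in check_snat(parsed, "172.24.96.0/20", "10.10.0.9"):
        print(f"{comment}: {status}")
    for comment in broad_source_rules(parsed):
        print(f"{comment}: source 0.0.0.0/0 matches every source, router included")
```

Run it twice a few seconds apart while generating traffic: a rule whose packet counter grows is the one your packets are actually hitting, and a rule stuck at zero tells you the match (source, destination or interface) is not what the traffic looks like on the POSTROUTING hook.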

Thanks, can I use 0.0.0.0/0 as source address? From the example document, I have now

set nat source rule 10 destination address '172.24.96.0/20'
set nat source rule 10 log
set nat source rule 10 outbound-interface 'any'
set nat source rule 10 source address '0.0.0.0/0'
set nat source rule 10 translation address '10.10.0.9'

and sudo nft list table ip nat shows:

table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                counter packets 3 bytes 148 jump VYOS_PRE_DNAT_HOOK
                counter packets 3 bytes 148 dnat ip prefix to ip daddr map { 10.10.0.9 : 10.100.0.0/16 } comment "DST-NAT-10"
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                counter packets 15 bytes 997 jump VYOS_PRE_SNAT_HOOK
                ip saddr 0.0.0.0/0 ip daddr 172.24.96.0/20 counter packets 1 bytes 60 log prefix "[NAT-SRC-10]" comment "SRC-NAT-10"
                ip saddr 0.0.0.0/0 ip daddr 172.24.96.0/20 counter packets 1 bytes 60 snat to 10.10.0.9 comment "SRC-NAT-10"
        }

        chain VYOS_PRE_DNAT_HOOK {
                return
        }

        chain VYOS_PRE_SNAT_HOOK {
                return
        }
}

There is still traffic trying to leave the tunnel:

peer_196-x-x-x_tunnel_0  up       5m45s     0B/420B         0B/7B             196.x.x.x     196.x.x.x  AES_CBC_256/HMAC_SHA1_96
peer_196-x-x-x_tunnel_1  up       5m45s     0B/0B           0B/0B             196.x.x.x     196.x.x.x  AES_CBC_256/HMAC_SHA1_96
peer_196-x-x-x_tunnel_2  up       5m45s     0B/0B           0B/0B             196.x.x.x     196.x.x.x  AES_CBC_256/HMAC_SHA1_96
peer_196-x-x-x_tunnel_3  up       5m45s     0B/0B           0B/0B             196.x.x.x     196.x.x.x  AES_CBC_256/HMAC_SHA1_96
peer_196-x-x-x_tunnel_4  up       5m45s     0B/0B           0B/0B             196.x.x.x     196.x.x.x  AES_CBC_256/HMAC_SHA1_96
peer_196-x-x-x_tunnel_5  up       5m44s     0B/0B           0B/0B             196.x.x.x     196.x.x.x  AES_CBC_256/HMAC_SHA1_96

Rules I ended up with (for each of the subnets I need SNATed):

set nat source rule 10 destination address '172.24.96.0/20'
set nat source rule 10 log
set nat source rule 10 outbound-interface 'any'
set nat source rule 10 source address '10.10.0.0/16'
set nat source rule 10 translation address '10.10.0.9'

set nat source rule 11 destination address '172.24.96.0/20'
set nat source rule 11 log
set nat source rule 11 outbound-interface 'any'
set nat source rule 11 source address '10.100.0.0/16'
set nat source rule 11 translation address '10.10.0.9'

set nat source rule 12 destination address '172.24.96.0/20'
set nat source rule 12 log
set nat source rule 12 outbound-interface 'any'
set nat source rule 12 source address '10.101.0.0/16'
set nat source rule 12 translation address '10.10.0.9'

I ran show nat translations and it looks positive:

Pre-NAT              Post-NAT             Prot  Timeout  
10.101.14.8:51378    10.10.0.9:51378      tcp   23       
10.101.14.8:51402    10.10.0.9:51402      tcp   41       
10.101.14.8:51358    10.10.0.9:51358      tcp   8        
10.101.14.8:51438    10.10.0.9:51438      tcp   68       
10.101.14.8:51444    10.10.0.9:51444      tcp   74      

and I can see traffic still being sent but no replies, and still nothing shows up in tcpdump

Connection                    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID       Proposal
peer_196-x-x-x_tunnel_0   up       6m34s     0B/18K          0B/315B           196.x.x.x     196.x.x.x   AES_CBC_256/HMAC_SHA1_96
peer_196-x-x-x_tunnel_1   up       6m34s     0B/120B         0B/2B             196.x.x.x     196.x.x.x   AES_CBC_256/HMAC_SHA1_96
peer_196-x-x-x_tunnel_2   up       6m34s     0B/0B           0B/0B             196.x.x.x     196.x.x.x   AES_CBC_256/HMAC_SHA1_96

Does this look ok?

I guess it’s fine, they had a routing complication at the other end.
Thank you all so much for helping out
