IPSEC from VyOS (1.2 or 1.3) to Cisco ASA

Hi everyone,

I have set up lots of VPNs before using OpenVPN and WireGuard, but I’ve only set up IPSEC once about 15 years ago on two NetGear routers.

It took me about 4 hours on the NetGear routers to figure it out the first time but I finally got it working.

I currently have a vendor that our company needs to connect with via IPSEC; my guess is they probably have some kind of Cisco ASA router.

I have either VyOS 1.2, 1.3, PfSense, or OpenWRT readily at my disposal.

I prefer VyOS and tried VyOS 1.3 IPSEC (and VyOS 1.2 as well with the same result).

We actually got the tunnel link up and going so we could ping the internal tunnel addresses, but I haven’t been able to get packets to flow PAST the router to the destination host on our network.

I assume I should be able to do NAT DESTINATION on the IPSEC tunnel endpoint on our side and have those packets forwarded on to the destination host???

However, when I set destination nat like the following, the packets never leave the VyOS router:

set interfaces dummy dum1 description "Local side VPN tunnel address"
set interfaces dummy dum1 address 172.16.29.1/28

set nat destination rule 100 description "NAT Tunnel endpoint to server"
set nat destination rule 100 destination address 172.16.29.1
set nat destination rule 100 inbound-interface eth2
set nat destination rule 100 protocol all
set nat destination rule 100 translation address 10.7.2.22

set vpn ipsec ipsec-interfaces interface eth2
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec site-to-site peer X.Y.Z.5 authentication id A.B.C.226
set vpn ipsec site-to-site peer X.Y.Z.5 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer X.Y.Z.5 authentication pre-shared-secret not-so-secret
set vpn ipsec site-to-site peer X.Y.Z.5 connection-type initiate
set vpn ipsec site-to-site peer X.Y.Z.5 default-esp-group vpn-esp
set vpn ipsec site-to-site peer X.Y.Z.5 ike-group vpn-ike
set vpn ipsec site-to-site peer X.Y.Z.5 ikev2-reauth inherit
set vpn ipsec site-to-site peer X.Y.Z.5 local-address A.B.C.226
set vpn ipsec site-to-site peer X.Y.Z.5 tunnel 0 local-prefix 172.16.29.0/28
set vpn ipsec site-to-site peer X.Y.Z.5 tunnel 0 protocol all
set vpn ipsec site-to-site peer X.Y.Z.5 tunnel 0 remote-prefix 10.222.24.191

I’ve left out the IPSEC phase 1 and phase 2 settings because I’m typing this all in manually and the actual link seems to be up and working.

I can ping 10.222.24.191 from the local router and the remote side can ping 172.16.29.1.

So how can I re-direct packets coming to 172.16.29.1 via the IPSEC tunnel to my server at 10.7.2.22?

I tried working on slightly different settings for a week and no go, no packets coming to 172.16.29.1 flow to 10.7.2.22 but I can ping 10.7.2.22 from the router so the routing is working.

There is no firewall, and no NAT other than the NAT to forward to the server.

How do I get packets received via IPSEC at tunnel endpoint 172.16.29.1 forwarded to 10.7.2.22?

Any help, ideas, thoughts, RTFMs pointers (Read The Fine Manuals) would be greatly appreciated.

I’ve spent all week reading IPSEC information and trying to get it to work with slightly different configurations with no go.

Thanks for any help.

I’m now trying again from VyOS 1.3 to SonicWall TZ500.

I’ll post any success / failure.

I spent a week on this Jul 4 weekend with no success.

However, if anyone has any ideas they can share I would appreciate it.

Hi @dws, maybe in your case it would be better to use VTI? Please draw the network topology so we can understand it better.
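As an added illustration of the VTI (route-based) approach suggested in the reply above, and not configuration from the poster or the reply author: the same peer rebuilt on VyOS 1.3 with the DNAT rule moved onto the tunnel interface. It assumes vti0 is unused, that the remote ASA accepts 0.0.0.0/0 traffic selectors, and reuses the vpn-esp / vpn-ike group names and addresses already given in the post.

```vyos
# Added example (not from the original post): route-based VTI on VyOS 1.3.
# Assumes vti0 is free and that the ASA side agrees to 0.0.0.0/0 selectors.

# Remove the policy-based pieces that conflict with a VTI on the same peer
delete interfaces dummy dum1
delete vpn ipsec site-to-site peer X.Y.Z.5 tunnel 0

# The tunnel interface carries the address the remote side already reaches
set interfaces vti vti0 address 172.16.29.1/28
set interfaces vti vti0 description "Local side VPN tunnel address"

# Bind the existing peer to the VTI; IKE/ESP groups stay as already defined
set vpn ipsec site-to-site peer X.Y.Z.5 vti bind vti0
set vpn ipsec site-to-site peer X.Y.Z.5 vti esp-group vpn-esp

# Route-based: a plain interface route sends the remote host into the tunnel
set protocols static interface-route 10.222.24.191/32 next-hop-interface vti0

# DNAT now matches decrypted traffic on vti0 instead of the outer interface eth2
set nat destination rule 100 description "NAT Tunnel endpoint to server"
set nat destination rule 100 inbound-interface vti0
set nat destination rule 100 destination address 172.16.29.1
set nat destination rule 100 protocol all
set nat destination rule 100 translation address 10.7.2.22

commit
save
```

With a VTI, VyOS negotiates 0.0.0.0/0 on both sides of the phase 2 selector, so if the vendor's ASA uses a crypto-map ACL limited to 172.16.29.0/28 and 10.222.24.191, phase 2 will not match and the policy-based `tunnel 0` form is the one to keep.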