IPsec newb seeks help


#1

First, I don’t normally mess with VyOS myself, so I literally have to be hand-held. I’m in a quandary because our network administrator has gone AWOL.

The problem:
We have to connect to a client’s network via IPsec - this is working - but we only have two possible destinations on their end.

To visualize:
1.1.1.1 is one assigned address, and it alone may connect to 2.2.2.1.
1.1.1.2 is the other assigned address, and it alone may connect to 2.2.2.2.
1.1.1.3 is the local device over which the actual VPN connection is established.
1.1.1.4 is the LAN device that leads to our 3.3.3.0/24 network.

The machines to be NATed are:
3.3.3.1 and 3.3.3.2 - though this part should be irrelevant, as we can simply reassign this via the NAT configuration. It is provided for clarity in the rules below.

The idea is that traffic from 3.3.3.1 (NAT 1.1.1.1) and 3.3.3.2 (NAT 1.1.1.2) is routed over 1.1.1.3 to 2.2.2.1 and 2.2.2.2, respectively.

As we cannot use the specific IPs they wish for us to use, we’re using dummy devices with the above IPs, and then will use NAT.

dum0 is 1.1.1.1
dum1 is 1.1.1.2

Here is the relevant IPsec section:

site-to-site {
    peer 3.3.3.3 {
        authentication {
            mode pre-shared-secret
            pre-shared-secret SuperSecretKey
        }
        connection-type initiate
        ike-group office-srv-ike
        ikev2-reauth inherit
        local-address 1.1.1.3
        tunnel 0 {
            allow-nat-networks disable
            allow-public-networks disable
            esp-group office-srv-esp
            local {
                prefix 1.1.1.1/32
            }
            remote {
                prefix 2.2.2.1/32
            }
        }
        tunnel 1 {
            allow-nat-networks disable
            allow-public-networks disable
            esp-group office-srv-esp
            local {
                prefix 1.1.1.2/32
            }
            remote {
                prefix 2.2.2.2/32
            }
        }
    }
}

As previously stated, both of these tunnels are up.

Here is the NAT configuration:

set nat source rule 110 description 'local to asp'
set nat source rule 110 destination address '2.2.2.1/32'
set nat source rule 110 outbound-interface 'any'
set nat source rule 110 source address '3.3.3.1/32'
set nat source rule 110 translation address '1.1.1.1'
set nat source rule 120 description 'local to asp'
set nat source rule 120 destination address '2.2.2.2/32'
set nat source rule 120 outbound-interface 'any'
set nat source rule 120 source address '3.3.3.2/32'
set nat source rule 120 translation address '1.1.1.2'

The 1.1.1.0 network can see and communicate with the 3.3.3.0 network just fine. In spite of this, no traffic is flowing to the designated destination addresses.

What am I doing wrong here? Is it this: "allow-nat-networks disable"? If I try to allow/enable it, I get an error:
"VPN configuration error: The 'remote-subnet' has been specified while 'allow-nat-networks' has been enabled for peer"
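The following is an added example and is not part of the post above or of VyOS itself. It transcribes the poster's two source-NAT rules and two tunnel traffic selectors as data and classifies a packet under both possible orderings: IPsec policy matched against the pre-NAT addresses, and IPsec policy matched against the post-NAT addresses. It makes one point visible that the config alone hides: the selectors 1.1.1.1/32 -> 2.2.2.1/32 and 1.1.1.2/32 -> 2.2.2.2/32 can only match a packet whose source has already been rewritten; the untranslated 3.3.3.x source matches no tunnel, and cross traffic (3.3.3.1 to 2.2.2.2) matches neither NAT rule. The script does not claim which order the device actually uses; the tunnel search order and the "lowest rule number wins" NAT ordering are assumptions of the model.

```python
"""Added example (not from the forum post): classify a packet against the
post's source-NAT rules and IPsec traffic selectors, pre- and post-NAT."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class SourceNatRule:
    number: int
    source: IPv4Network
    destination: IPv4Network
    translation: IPv4Address


@dataclass(frozen=True)
class Tunnel:
    name: str
    local: IPv4Network    # "local prefix" traffic selector
    remote: IPv4Network   # "remote prefix" traffic selector


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


# The post's NAT rules 110 and 120, transcribed as data.
NAT_RULES = [
    SourceNatRule(110, IPv4Network("3.3.3.1/32"), IPv4Network("2.2.2.1/32"), IPv4Address("1.1.1.1")),
    SourceNatRule(120, IPv4Network("3.3.3.2/32"), IPv4Network("2.2.2.2/32"), IPv4Address("1.1.1.2")),
]

# The post's tunnel 0 and tunnel 1 under peer 3.3.3.3.
TUNNELS = [
    Tunnel("tunnel 0", IPv4Network("1.1.1.1/32"), IPv4Network("2.2.2.1/32")),
    Tunnel("tunnel 1", IPv4Network("1.1.1.2/32"), IPv4Network("2.2.2.2/32")),
]


def apply_source_nat(pkt: Packet, rules=NAT_RULES):
    """Return (matching rule or None, packet after translation).
    Assumption of the model: lowest rule number wins, first match only."""
    for rule in sorted(rules, key=lambda r: r.number):
        if pkt.src in rule.source and pkt.dst in rule.destination:
            return rule, Packet(rule.translation, pkt.dst)
    return None, pkt


def select_tunnel(pkt: Packet, tunnels=TUNNELS) -> Optional[Tunnel]:
    """First tunnel whose local/remote selectors both cover the packet,
    or None, meaning the packet would leave in clear text (no policy)."""
    for t in tunnels:
        if pkt.src in t.local and pkt.dst in t.remote:
            return t
    return None


def classify(src: str, dst: str) -> dict:
    """Classify one flow under both orderings of NAT and policy lookup."""
    pkt = Packet(IPv4Address(src), IPv4Address(dst))
    rule, natted = apply_source_nat(pkt)
    before = select_tunnel(pkt)      # policy evaluated on pre-NAT addresses
    after = select_tunnel(natted)    # policy evaluated on post-NAT addresses
    return {
        "nat_rule": rule.number if rule else None,
        "post_nat_src": str(natted.src),
        "tunnel_if_policy_before_nat": before.name if before else None,
        "tunnel_if_policy_after_nat": after.name if after else None,
    }


if __name__ == "__main__":
    # Constructed sample flows: the two intended pairs, one cross pair,
    # and one host that has no NAT rule at all.
    for s, d in [("3.3.3.1", "2.2.2.1"), ("3.3.3.2", "2.2.2.2"),
                 ("3.3.3.1", "2.2.2.2"), ("3.3.3.9", "2.2.2.1")]:
        print(f"{s} -> {d}: {classify(s, d)}")
```

Reading the output for 3.3.3.1 -> 2.2.2.1: NAT rule 110 rewrites the source to 1.1.1.1, and only the post-NAT address selects tunnel 0; the pre-NAT address selects nothing. That is the property to confirm on the real box (with the operational `show` commands for IPsec SAs and NAT translations) before suspecting the allow-nat-networks setting.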