IPSec site to site VPN behind zone-based firewall


#1

Hello everyone!

I’m working on a project, and as part of my initial testing, I’ve set up a lab to create a site-to-site IPsec VPN. Here’s a glimpse of the setup:

WORKSTATION1 <-> VYOS1 <-> R99 <-> VYOS2 <-> WORKSTATION2

When I get everything configured with no firewall rules or zones on the VyOS boxes, the VPN establishes, and I can ping the remote workstation. Once I create the firewall rules and configure the zone policies, the VPN still connects (show vpn ipsec sa shows the VPN connected), but I’m no longer able to ping the remote workstation (the workstations are running Windows 10, but the firewall has been disabled).

Here’s what I have for the firewall rules:
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name local-private {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            description DNS
            destination {
                port 53
            }
            protocol udp
            state {
                new enable
            }
        }
        rule 600 {
            action accept
            description NTP
            destination {
                port 123
            }
            protocol udp
            state {
                new enable
            }
        }
    }
    name local-public {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action accept
            description "Internet Key Exchange"
            destination {
                address X.X.X.X
                port 500
            }
            protocol udp
            state {
                new enable
            }
        }
        rule 4 {
            action accept
            description "Encapsulating Security Payload"
            protocol esp
            state {
                new enable
            }
        }
    }
    name private-local {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 400 {
            action accept
            description PING
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 900 {
            action accept
            description SSH
            destination {
                port 22
            }
            protocol tcp
            state {
                new enable
            }
        }
    }
    name private-public {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            description DNS
            destination {
                port 53
            }
            protocol udp
            state {
                new enable
            }
        }
        rule 200 {
            action accept
            description FTP
            destination {
                port 21
            }
            protocol tcp
            state {
                new enable
            }
        }
        rule 300 {
            action accept
            description HTTP/HTTPS
            destination {
                port 80,443
            }
            protocol tcp
            state {
                new enable
            }
        }
        rule 400 {
            action accept
            description PING
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 600 {
            action accept
            description NTP
            destination {
                port 123
            }
            protocol udp
            state {
                new enable
            }
        }
    }
    name public-local {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action accept
            description "Internet Key Exchange"
            destination {
                port 500
            }
            protocol udp
            state {
                new enable
            }
        }
        rule 4 {
            action accept
            description "Encapsulating Security Payload"
            protocol esp
            state {
                new enable
            }
        }
    }
    name public-private {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}

I’m pretty sure the issue is in here somewhere because the vpn does work without the firewall and zone policies.

Any help you can provide would be greatly appreciated.
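As an added example (not part of the original post or of VyOS itself), a small Python helper that parses VyOS brace-style firewall configuration and reports, per named ruleset, which protocols any rule accepts in state "new". The embedded config is a constructed, reduced copy of the private-public and public-private rulesets above; run against the full posted config it shows that public-private accepts no new flows at all, which is the ruleset that decides whether decrypted traffic arriving on the public interface may reach the private zone.

```python
# Constructed sample: two of the posted rulesets, trimmed to the rules that
# matter for the check. Feed `show configuration` output to check a live box.
SAMPLE_CONFIG = """
firewall {
    name private-public {
        default-action drop
        rule 400 {
            action accept
            protocol icmp
            state {
                new enable
            }
        }
    }
    name public-private {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
"""


def parse_vyos_config(text):
    """Parse VyOS brace-style config into nested dicts (leaf: key -> value string)."""
    node, stack = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("{"):                  # open a block, e.g. "rule 400 {"
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        elif line == "}":                       # close the current block
            node = stack.pop()
        else:                                   # leaf, e.g. "protocol icmp"
            key, _, value = line.partition(" ")
            node[key] = value
    return node


def new_connection_accepts(config):
    """Per named ruleset: protocols for which some rule accepts state 'new'."""
    summary = {}
    for key, ruleset in config["firewall"].items():
        if key.startswith("name "):             # "name public-private" -> "public-private"
            summary[key[5:]] = [
                rule.get("protocol", "any")
                for rkey, rule in ruleset.items()
                if rkey.startswith("rule ") and rule.get("action") == "accept"
                and rule.get("state", {}).get("new") == "enable"
            ]
    return summary
```

An empty list for a zone pair means only established/related traffic can cross it; any first packet in that direction is left to the ruleset's default-action.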