We have an IPsec tunnel set up between a VyOS 1.1.7 device and a Cisco ASA. The tunnel is up, but we are unable to route traffic through it. We are using NAT-T and have also created a source/destination NAT to try to make internal traffic heading over the VPN appear as if it is from a public IP. There are no other VPNs on the device (it is only used for this VPN).
We cannot use VTI because the Cisco ASA requires that what we send matches the subnets they have on their side.
If I take a tcpdump, all I see is the device ARPing for the IP: ARP, Request who-has 2.2.2.2? However, I have a kernel route for that IP already, so I'm not sure why it isn't using that. I put what I think are the relevant parts of the config below. Anyone have any ideas how I can route this traffic over the VPN?
sh ip route
K>* 2.2.2.2/32 is directly connected, eth1
tunnel 1 {
    local {
        prefix 1.1.1.1/32
    }
    remote {
        prefix 2.2.2.2/32
    }
}
nat-networks {
    allowed-network 0.0.0.0/0 {
    }
}
nat-traversal enable
destination {
    rule 10 {
        description "VPN Destination NAT"
        destination {
            address 10.0.0.1/32
        }
        inbound-interface any
        translation {
            address 2.2.2.2
        }
    }
}
source {
    rule 10 {
        description "VPN Source NAT"
        outbound-interface any
        source {
            address 10.0.0.1/32
        }
        translation {
            address 1.1.1.1
        }
    }
}
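The ARP request quoted above is the part worth understanding before touching the IPsec config, so here is an added example (not code from the original post, VyOS, or Cisco) that models the kernel's routing decision behind it. It performs a longest-prefix-match lookup over a constructed route table that mirrors the posted "K>* 2.2.2.2/32 is directly connected, eth1" line; the default route, the 192.0.2.0/24 WAN subnet, the gateway 192.0.2.1 and the interface name eth0 are assumptions added for contrast. The point it demonstrates: for a route that carries a gateway the kernel resolves the gateway's MAC, but for a connected route with no gateway it resolves the destination address itself, which is exactly what "ARP, Request who-has 2.2.2.2?" on eth1 looks like.

```python
"""Toy longest-prefix-match route lookup (added example, not from the post or VyOS).

The route table is constructed: the 2.2.2.2/32 connected route on eth1 comes
from the posted 'sh ip route' output; the default route, the 192.0.2.0/24
subnet, gateway 192.0.2.1 and interface eth0 are assumptions for contrast.
"""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means connected / on-link
    dev: str


ROUTES = [
    # assumed default route via an upstream gateway
    Route(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.0.2.1"), "eth0"),
    # assumed connected WAN subnet
    Route(ipaddress.ip_network("192.0.2.0/24"), None, "eth0"),
    # the posted K>* route: a /32 with no gateway, i.e. treated as on-link on eth1
    Route(ipaddress.ip_network("2.2.2.2/32"), None, "eth1"),
]


def lookup(dst: str, routes=ROUTES) -> Route:
    """Return the most specific route covering dst (longest prefix wins)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop(dst: str, routes=ROUTES) -> tuple:
    """Return (interface, address the kernel has to resolve with ARP).

    With a gateway route the neighbour lookup targets the gateway; with a
    connected route it targets the destination itself, so a remote /32 that
    is installed as 'directly connected' produces an ARP for that remote IP.
    """
    r = lookup(dst, routes)
    target = r.gateway if r.gateway is not None else ipaddress.ip_address(dst)
    return r.dev, str(target)


if __name__ == "__main__":
    for d in ("2.2.2.2", "8.8.8.8", "192.0.2.50"):
        print(d, "->", next_hop(d))
```

Run it and 2.2.2.2 resolves to ("eth1", "2.2.2.2"), while 8.8.8.8 resolves to ("eth0", "192.0.2.1"): the /32 wins the longest-prefix match and, having no gateway, is ARPed for directly. On Linux a packet that is caught by a matching IPsec (xfrm) policy is instead encapsulated and routed toward the peer's address, so the neighbour lookup would be for that next hop rather than for 2.2.2.2; seeing the ARP for the inner destination is therefore a useful indication that the packet reached the plain forwarding path, which is what to check with `ip xfrm policy` and `ip route get` before changing anything else.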