IPsec tunnel not routing


#1

We have an IPsec tunnel set up between a VyOS 1.1.7 device and a Cisco ASA. The tunnel is up but we are unable to route traffic through it. We are using NAT-T and have also created a source/destination NAT to try to make internal traffic heading over the VPN appear as if it is from a public IP. There are no other VPNs on the device (it is only used for this VPN).

We cannot use VTI b/c Cisco ASA requires that what we send matches the subnets they have on their side.

If I take a tcpdump, all I see is the device ARPing for the IP: ARP, Request who-has 2.2.2.2? However, I have a kernel route for that IP already, so I'm not sure why it isn't using that. I put what I think are the relevant parts of the config below. Anyone have any ideas how I can route this traffic over the VPN?

sh ip route
K>* 2.2.2.2/32 is directly connected, eth1

tunnel 1 {
    local {
        prefix 1.1.1.1/32
    }
    remote {
        prefix 2.2.2.2/32
    }
}
nat-networks {
    allowed-network 0.0.0.0/0 {
    }
}
nat-traversal enable

destination {
    rule 10 {
        description "VPN Destination NAT"
        destination {
            address 10.0.0.1/32
        }
        inbound-interface any
        translation {
            address 2.2.2.2
        }
    }
}
source {
    rule 10 {
        description "VPN Source NAT"
        outbound-interface any
        source {
            address 10.0.0.1/32
        }
        translation {
            address 1.1.1.1
        }
    }
}

#2

Judging from the VPN local/remote, 1.1.1.1 is the VyOS local, so you need NAT rules changing 10.0.0.1 into 1.1.1.1 instead of 2.2.2.2.

On the VPN you can do DNAT, but 1:1 NAT requires SNAT too; I doubt you'll be able to do that.


#3

Maybe I should have started with the goal. We're trying to create a site-to-site VPN with a partner but use public IPs on both sites to mask the traffic so that we do not have to deal with overlapping networks. What is the best way to do that?


#4

Believe I figured this out. Not everything is working properly, but I see traffic going through the tunnel. My source NAT rule was wrong: instead of using the IP I have in the destination, I needed the IP of the host on my network initiating the traffic. Now the destination and source are being translated and I see traffic going over the tunnel. I don't receive any reply, but I believe that issue is separate.
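The NAT pairing described in #4, as an added example that is not part of this thread: a small Python model of what happens to one packet from an internal host with the posted source NAT rule versus the corrected one, checked against the tunnel's 1.1.1.1/32 to 2.2.2.2/32 selector. The initiating host address 10.0.0.50 is a constructed placeholder, not from the thread, and the packet path is simplified (DNAT, then SNAT, then selector check); real Linux processing interleaves routing and conntrack, so treat the ordering as an assumption. It also shows why the reply in #2's 1:1 NAT concern only untranslates cleanly when the flow was initiated from the VyOS side.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    field: str         # "src" for source NAT, "dst" for destination NAT
    match: str         # prefix the field must fall in, e.g. "10.0.0.1/32"
    translation: str   # address written into that field


def apply_nat(pkt: Packet, rules: List[NatRule]) -> Packet:
    """Apply the first rule whose match covers the packet; rules are ordered like VyOS rule numbers."""
    for rule in rules:
        if ipaddress.ip_address(getattr(pkt, rule.field)) in ipaddress.ip_network(rule.match):
            return replace(pkt, **{rule.field: rule.translation})
    return pkt


def matches_tunnel(pkt: Packet, local_prefix: str, remote_prefix: str) -> bool:
    """True when the (already translated) packet fits the IPsec selector local -> remote."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(local_prefix)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(remote_prefix))


LOCAL, REMOTE = "1.1.1.1/32", "2.2.2.2/32"          # tunnel 1 local/remote prefixes from the thread

DNAT = [NatRule("dst", "10.0.0.1/32", "2.2.2.2")]        # destination rule 10 from the thread
SNAT_POSTED = [NatRule("src", "10.0.0.1/32", "1.1.1.1")]  # source rule 10 as originally posted
SNAT_FIXED = [NatRule("src", "10.0.0.50/32", "1.1.1.1")]  # corrected: match the initiating host (constructed address)


def forward(pkt: Packet, dnat: List[NatRule], snat: List[NatRule]) -> Tuple[Packet, bool]:
    """Model the outbound path: DNAT before routing, SNAT after, then the selector check."""
    translated = apply_nat(apply_nat(pkt, dnat), snat)
    return translated, matches_tunnel(translated, LOCAL, REMOTE)


def untranslate_reply(reply: Packet, original: Packet, translated: Packet) -> Optional[Packet]:
    """Reverse both translations for a reply, as stateful NAT would for a tracked flow.
    Returns None when the reply does not belong to a flow we initiated: that is the
    case where 1:1 NAT would need explicit rules in both directions."""
    if reply.src == translated.dst and reply.dst == translated.src:
        return Packet(src=original.dst, dst=original.src)
    return None


def demo() -> Tuple[Tuple[Packet, bool], Tuple[Packet, bool], Optional[Packet]]:
    original = Packet(src="10.0.0.50", dst="10.0.0.1")
    posted = forward(original, DNAT, SNAT_POSTED)   # source left untouched: leaves the selector
    fixed = forward(original, DNAT, SNAT_FIXED)     # 1.1.1.1 -> 2.2.2.2: matches the selector
    reply = untranslate_reply(Packet(src="2.2.2.2", dst="1.1.1.1"), original, fixed[0])
    return posted, fixed, reply


if __name__ == "__main__":
    for label, result in zip(("posted rule", "fixed rule", "reply"), demo()):
        print(f"{label}: {result}")
```

With the posted rule the packet becomes 10.0.0.50 to 2.2.2.2, which falls outside the 1.1.1.1/32 selector, so the policy does not apply and the packet is sent by the plain kernel route instead, which is consistent with the ARP for 2.2.2.2 on eth1 seen in #1. With the corrected rule the packet is 1.1.1.1 to 2.2.2.2 and is selected for the tunnel; the reply then untranslates back to the initiating host.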