I am trying to set up two VPNs, one to Google for 10.150.0.0/22 and the other to my home Ubiquiti USG for 10.88.64.0/22. If I run “show vpn ike sa” I see:
Peer ID / IP Local ID / IP
------------ -------------
35.245.110.63 204.89.189.2
State Encrypt Hash D-H Grp NAT-T A-Time L-Time
----- ------- ---- ------- ----- ------ ------
up aes256 sha1_96 14 no 1440 3600
Peer ID / IP Local ID / IP
------------ -------------
50.210.153.253 204.89.189.2
State Encrypt Hash D-H Grp NAT-T A-Time L-Time
----- ------- ---- ------- ----- ------ ------
up aes256 sha1_96 14 no 1860 3600
However, with “show vpn ipsec sa” I always see only one VPN up. The interesting thing is that when I restart, whichever VPN connects first is the one that comes up. It’s as if VyOS will only allow one tunnel from the 10.0.0.0/22 space.
Peer ID / IP Local ID / IP
------------ -------------
35.245.110.63 204.89.189.2
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
0 up 0.0/0.0 aes256 sha1_96 no 1500 1800 all
Peer ID / IP Local ID / IP
------------ -------------
50.210.153.253 204.89.189.2
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
0 down n/a n/a n/a no 0 1800 all
My second problem is that I am not able to route any traffic over either VPN. I think it has to do with NAT, but I am not sure how to fix it with my NAT config.
/* Ruleset OUTSIDE-LOCAL is declared but contains no rules, and no interface in this paste references it (there is no "firewall { ... }" node under bond0, its vifs, or eth2), so as shown it is never applied to any traffic. */
firewall {
name OUTSIDE-LOCAL {
}
}
interfaces {
/* LACP bond of eth0+eth1 carrying the public /24 (204.89.189.2, VRRP VIP 204.89.189.1); this is also the IPsec local-address and ipsec-interface. */
bonding bond0 {
address 204.89.189.2/24
description "Public Internet"
hash-policy layer2
mode 802.3ad
/* Private /23 (10.0.0.2, VIP 10.0.0.1); the static-route next-hops 10.0.0.9/.200/.201 live here. */
vif 2 {
address 10.0.0.2/23
description "Vocinity Private"
vrrp {
vrrp-group 2 {
advertise-interval 1
preempt true
priority 200
sync-group lacp
virtual-address 10.0.0.1/23
}
}
}
/* Management /24 (10.0.2.2, VIP 10.0.2.1); SSH also listens on this address. */
vif 3 {
address 10.0.2.2/24
description "Vocinity Management"
vrrp {
vrrp-group 3 {
advertise-interval 1
preempt true
priority 200
sync-group lacp
virtual-address 10.0.2.1/24
}
}
}
/* All three VRRP groups share sync-group "lacp" and priority 200 so they fail over together. */
vrrp {
vrrp-group 1 {
advertise-interval 1
preempt true
priority 200
sync-group lacp
virtual-address 204.89.189.1/24
}
}
}
ethernet eth0 {
bond-group bond0
duplex auto
hw-id 00:02:c9:0d:02:9e
smp_affinity auto
speed auto
}
ethernet eth1 {
bond-group bond0
duplex auto
hw-id 00:02:c9:0d:02:34
smp_affinity auto
speed auto
}
/* Point-to-point /31 to the upstream; 172.24.255.12 is the eBGP neighbor under protocols bgp. */
ethernet eth2 {
address 172.24.255.13/31
description "PhoenixNAP 10Gig"
duplex auto
hw-id 00:02:c9:0d:02:9f
smp_affinity auto
speed auto
}
/* No address and no bond-group configured: unused as pasted. */
ethernet eth3 {
duplex auto
hw-id 00:02:c9:0d:02:35
smp_affinity auto
speed auto
}
loopback lo {
}
}
nat {
source {
/* Rule 10: SNAT 10.0.0.0/22 leaving via the eth2 upstream link to 204.89.189.2 (an address that lives on bond0, so it relies on 204.89.189.0/24 being reachable via the BGP announcement - presumably intended). */
rule 10 {
outbound-interface eth2
protocol all
source {
address 10.0.0.0/22
}
translation {
address 204.89.189.2
}
}
/* Rule 20: SNAT all of 10.0.0.0/8 leaving via bond0. bond0 is also the IPsec interface, so traffic from 10.0.0.0/22 toward the tunnel remote prefixes (10.150.0.0/22, 10.88.64.0/22) is rewritten to 204.89.189.2 and no longer matches the tunnels' local prefix 10.0.0.0/22. NOTE(review): the usual fix is a lower-numbered source rule per remote prefix with "destination address <remote prefix>" and "exclude" so VPN traffic bypasses NAT - confirm against the VyOS IPsec docs. */
rule 20 {
outbound-interface bond0
protocol all
source {
address 10.0.0.0/8
}
translation {
address 204.89.189.2
}
}
}
}
protocols {
/* Local AS 398334. */
bgp 398334 {
/* eBGP to the PhoenixNAP side of the eth2 /31, protected with a session password. */
neighbor 172.24.255.12 {
password ****************
remote-as 64551
}
/* iBGP (same AS) to the other router in the public /24; no session password is configured on this neighbor - consider adding one if the peer supports it. */
neighbor 204.89.189.3 {
remote-as 398334
}
/* Prefixes originated upstream; the distance-254 blackhole routes below presumably anchor them in the routing table. */
network 204.89.189.0/24 {
}
network 204.117.64.0/24 {
}
}
static {
/* Internal routes via hosts in the 10.0.0.0/23 vif 2 network. */
route 10.0.3.0/24 {
next-hop 10.0.0.9 {
distance 1
}
}
route 10.40.0.0/16 {
next-hop 10.0.0.200 {
distance 1
}
}
route 10.50.0.0/16 {
next-hop 10.0.0.201 {
distance 1
}
}
/* Blackhole covering routes for the two advertised /24s; more specific routes win. */
route 204.89.189.0/24 {
blackhole {
distance 254
}
}
route 204.117.64.0/24 {
blackhole {
distance 254
}
}
}
}
service {
/* SNMP community (v1/v2c, unauthenticated) limited to the single client 10.0.0.32. */
snmp {
community vocinity {
client 10.0.0.32
}
}
/* SSH on port 22 is bound to the private, management and public (204.89.189.2) addresses; since the firewall ruleset in this paste is empty and unapplied, the public listener appears reachable from the Internet unless it is filtered upstream - confirm. */
ssh {
listen-address 10.0.0.2
listen-address 10.0.2.2
listen-address 204.89.189.2
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
/* NetFlow/sFlow-style accounting on the eth2 upstream link, logged to syslog facility daemon. */
flow-accounting {
buffer-size 256
interface eth2
syslog-facility daemon
}
host-name vyos
login {
/* Single admin-level user. NOTE(review): a plaintext-password node is present (value redacted here); VyOS normally clears it to "" on commit - confirm no cleartext secret remains in the saved config. */
user vyos {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
}
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
/* Package repository ("helium" distribution) is fetched over plain http with a repository password, so both credentials and packages travel unauthenticated over the wire. */
package {
auto-sync 1
repository community {
components main
distribution helium
password ****************
url http://packages.vyos.net/vyos
username ""
}
}
/* Everything at notice, routing/VPN protocol logs at debug. */
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
vpn {
ipsec {
/* Shared ESP (phase 2) settings: AES-256/SHA-1 tunnel mode, PFS on, 1800 s lifetime (the L-Time 1800 shown by "show vpn ipsec sa"). sha1 is accepted here; sha256 would be preferable if both peers support it. */
esp-group central-rtr-esp {
compression disable
lifetime 1800
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
/* Shared IKEv2 settings: DH group 14, AES-256/SHA-1, 3600 s lifetime (the L-Time 3600 shown by "show vpn ike sa"). */
ike-group central-rtr-ike {
ikev2-reauth no
key-exchange ikev2
lifetime 3600
proposal 1 {
dh-group 14
encryption aes256
hash sha1
}
}
/* IPsec is terminated on bond0, the same interface that NAT rule 20 source-translates. */
ipsec-interfaces {
interface bond0
}
site-to-site {
/* Google peer: 10.0.0.0/22 <-> 10.150.0.0/22. */
peer 35.245.110.63 {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
ike-group central-rtr-ike
local-address 204.89.189.2
tunnel 0 {
allow-nat-networks disable
allow-public-networks disable
esp-group central-rtr-esp
local {
prefix 10.0.0.0/22
}
remote {
prefix 10.150.0.0/22
}
}
}
/* Home USG peer: 10.0.0.0/22 <-> 10.88.64.0/22. NOTE(review): both peers use the identical local prefix, ike-group and esp-group, and this is the tunnel reported down in the paste - worth confirming on the strongSwan side (e.g. the charon log) which policy is installed once the first tunnel is up. No route for either remote prefix appears in this config; the default route is not visible here, so confirm that traffic for them is routed out bond0. */
peer 50.210.153.253 {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
ike-group central-rtr-ike
local-address 204.89.189.2
tunnel 0 {
allow-nat-networks disable
allow-public-networks disable
esp-group central-rtr-esp
local {
prefix 10.0.0.0/22
}
remote {
prefix 10.88.64.0/22
}
}
}
}
}
}