IPsec VPN tunnel between two sites: DNAT'd traffic is not routed over the VPN

We have the following setup: VyOS in a datacenter with a public IP, and an IPsec VPN tunnel to the company site, which is behind a Check Point firewall.
A webserver runs inside the company network.
100.100.100.100 (public IP of VyOS) -> DNAT to 192.168.1.3 (HTTPS; this traffic is expected to go over the VPN tunnel to the company's public IP 200.200.200.200)

I can ping from VyOS to the company, and the IPsec tunnel is up.
I can ping from the webserver 192.168.1.3 to 172.10.10.50 (the VyOS eth2 address; the post originally wrote 172.20.10.50, which does not appear in the configuration).

But HTTPS to the webserver via the public IP does not work. What is wrong?

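interfaces {
    ethernet eth0 {
        /* public ip - also the IPsec local-address and the DNAT inbound-interface */
        address 100.100.100.100/25
    }
    ethernet eth2 {
        /* local ip - 172.10.10.0/24 is the tunnel's local selector (tunnel 0 local prefix) */
        address 172.10.10.50/24
    }
    loopback lo {
    }
}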
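nat {
    destination {
        /* Forward TCP/443 arriving on the public interface to the company
           webserver. No source filter is applied, so any Internet host can
           reach 192.168.1.3:443; limit it with a firewall rule on eth0 if
           access should be restricted. */
        rule 500 {
            description DNAT to company webserver
            destination {
                port 443
            }
            inbound-interface eth0
            log
            protocol tcp
            translation {
                address 192.168.1.3
            }
        }
    }
    source {
        /* NAT exclusion: LAN -> company traffic keeps its 172.10.10.x source so
           it matches the tunnel selector and is encrypted. */
        rule 6 {
            destination {
                address 192.168.1.0/24
            }
            exclude
            outbound-interface eth0
            source {
                address 172.10.10.0/24
            }
        }
        /* DNAT'd Internet traffic to 192.168.1.3 still carries the client's
           public source address, which is outside the tunnel's local prefix
           172.10.10.0/24, so the policy-based tunnel never matches it and the
           packet follows the default route in clear instead. Rewriting the
           source to the LAN address makes it match the selector. Side effect:
           the webserver sees 172.10.10.50 instead of the real client address.
           Verify with "show vpn ipsec sa" that the SA counters grow for HTTPS
           connections. */
        rule 7 {
            destination {
                address 192.168.1.0/24
            }
            outbound-interface eth0
            translation {
                address 172.10.10.50
            }
        }
        /* LAN -> Internet, masqueraded behind the public IP. */
        rule 10 {
            outbound-interface eth0
            source {
                address 172.10.10.0/24
            }
            translation {
                address masquerade
            }
        }
        /* Company LAN (192.168.1.0/24) -> Internet, masqueraded behind the public IP. */
        rule 11 {
            outbound-interface eth0
            source {
                address 192.168.1.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}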
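protocols {
    static {
        /* Default route toward the upstream provider. The original pointed the
           next-hop at the router's own address (100.100.100.100), which cannot
           act as a gateway. 100.100.100.1 is the gateway used in the VTI
           example further down - replace it with the provider's real gateway. */
        route 0.0.0.0/0 {
            next-hop 100.100.100.1 {
            }
        }
    }
}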
service {
    /* Resolver for the LAN only: listens on the eth2 address and answers 172.10.10.0/24. */
    dns {
        forwarding {
            allow-from 172.10.10.0/24
            listen-address 172.10.10.50
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    /* No listen-address is set, so SSH also accepts connections on the public
       IP of eth0; add a listen-address or a firewall rule on eth0 if that is
       not intended. */
    ssh {
        port 22
    }
}
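vpn {
    ipsec {
        /* Phase 2 (ESP). sha1 integrity is legacy; move to sha256 once the
           Check Point side can be changed to match. */
        esp-group ESP-1W {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        /* Phase 1 (IKE). IKEv1 with dh-group 2 (1024-bit MODP) and sha1 is
           weak by current standards; prefer key-exchange ikev2, dh-group 14
           or higher and sha256. Left unchanged here because both ends must
           agree on the proposal. */
        ike-group IKE-1W {
            close-action none
            dead-peer-detection {
                action restart
                interval 15
                timeout 30
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 86400
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 200.200.200.200 {
                authentication {
                    id 100.100.100.100
                    mode pre-shared-secret
                    /* Masked in this output but stored in clear text in the
                       configuration: use a long random value, and do not take
                       the "fooBar" placeholder from the example into production. */
                    pre-shared-secret ****************
                    remote-id 200.200.200.200
                }
                connection-type initiate
                default-esp-group ESP-1W
                ike-group IKE-1W
                ikev2-reauth inherit
                local-address 100.100.100.100
                /* Policy-based tunnel: only packets with a source in the local
                   prefix AND a destination in the remote prefix are encrypted.
                   DNAT'd Internet clients keep their public source address,
                   fall outside this selector and are not sent through the
                   tunnel unless they are source-NATed into 172.10.10.0/24
                   first. The prefix is the network; the original value
                   "172.10.10.50/24" carried host bits. */
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    local {
                        prefix 172.10.10.0/24
                    }
                    remote {
                        prefix 192.168.1.0/24
                    }
                }
            }
        }
    }
}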

I think you need a route-based tunnel with a VTI interface.
With `tunnel 0` the tunnel is policy-based: only packets whose source is in the local prefix 172.10.10.0/24 and whose destination is in 192.168.1.0/24 are encrypted. A DNAT'd packet keeps the Internet client's source address, so it never matches the policy and is forwarded via the default route in clear instead of through the tunnel — that is why your DNAT rule appears not to work. (Source-NATing that traffic to 172.10.10.50 before it leaves should also make it match the selector, if you want to keep the policy-based setup.)

Example configuration (route-based, VTI):

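# Route-based (VTI) variant. Traffic is encrypted because it is routed into
# vti0, not because its addresses match a policy, so DNAT'd packets that still
# carry an Internet source address go through the tunnel as well.
set interfaces dummy dum0 address '172.10.10.50/24'
set interfaces ethernet eth0 address '100.100.100.100/25'
set interfaces vti vti0 address '10.0.0.1/30'
# DNAT public:443 -> webserver. No source filter: any Internet host matches;
# add a firewall rule on eth0 if access should be restricted.
set nat destination rule 500 description 'DNAT'
set nat destination rule 500 destination port '443'
set nat destination rule 500 inbound-interface 'eth0'
set nat destination rule 500 log
set nat destination rule 500 protocol 'tcp'
set nat destination rule 500 translation address '192.168.1.3'
# Everything leaving through the tunnel is masqueraded behind vti0's 10.0.0.1,
# so the remote side replies to 10.0.0.1 and the reply comes back through the
# tunnel. Consequences: the webserver sees 10.0.0.1 for every Internet client
# (real client address is lost), and the Check Point side must route / include
# 10.0.0.0/30 in its encryption domain.
set nat source rule 10 outbound-interface 'vti0'
set nat source rule 10 translation address 'masquerade'
# Send the company LAN into the tunnel.
set protocols static route 192.168.1.0/24 interface vti0
# Reach the peer and the Internet via the upstream gateway. The default route
# is required so that de-NATed replies to Internet clients can leave eth0; the
# original configuration had one, the example omitted it.
set protocols static route 200.200.200.0/24 next-hop 100.100.100.1
set protocols static route 0.0.0.0/0 next-hop 100.100.100.1
# Phase 2 / Phase 1 parameters copied from the original. sha1 and dh-group 2
# (1024-bit MODP) with IKEv1 are weak; move to ikev2, sha256 and dh-group 14 or
# higher together with the peer.
set vpn ipsec esp-group ESP-1W compression 'disable'
set vpn ipsec esp-group ESP-1W lifetime '3600'
set vpn ipsec esp-group ESP-1W mode 'tunnel'
set vpn ipsec esp-group ESP-1W pfs 'enable'
set vpn ipsec esp-group ESP-1W proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-1W close-action 'none'
set vpn ipsec ike-group IKE-1W dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-1W dead-peer-detection interval '15'
set vpn ipsec ike-group IKE-1W dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE-1W ikev2-reauth 'no'
set vpn ipsec ike-group IKE-1W key-exchange 'ikev1'
set vpn ipsec ike-group IKE-1W lifetime '86400'
set vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1W proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 200.200.200.200 authentication id '100.100.100.100'
set vpn ipsec site-to-site peer 200.200.200.200 authentication mode 'pre-shared-secret'
# 'fooBar' is a placeholder only - use a long random pre-shared secret; it is
# stored in clear text in the configuration.
set vpn ipsec site-to-site peer 200.200.200.200 authentication pre-shared-secret 'fooBar'
set vpn ipsec site-to-site peer 200.200.200.200 authentication remote-id '200.200.200.200'
set vpn ipsec site-to-site peer 200.200.200.200 connection-type 'initiate'
set vpn ipsec site-to-site peer 200.200.200.200 default-esp-group 'ESP-1W'
set vpn ipsec site-to-site peer 200.200.200.200 ike-group 'IKE-1W'
set vpn ipsec site-to-site peer 200.200.200.200 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 200.200.200.200 local-address '100.100.100.100'
# Bind the SA to vti0 instead of defining policy selectors (no "tunnel 0").
set vpn ipsec site-to-site peer 200.200.200.200 vti bind 'vti0'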

Debug:

vyos@r1:~$ monitor traffic interface vti0 filter "-nt"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vti0, link-type RAW (Raw IP), capture size 262144 bytes
IP 10.0.0.1.49384 > 192.168.1.3.443: Flags [S], seq 665353972, win 64308, options [mss 1398,sackOK,TS val 3201809634 ecr 0,nop,wscale 6], length 0
IP 192.168.1.3.443 > 10.0.0.1.49384: Flags [S.], seq 350205899, ack 665353973, win 65160, options [mss 1460,sackOK,TS val 3138351898 ecr 3201809634,nop,wscale 6], length 0
IP 10.0.0.1.49384 > 192.168.1.3.443: Flags [.], ack 1, win 1005, options [nop,nop,TS val 3201809665 ecr 3138351898], length 0
IP 10.0.0.1.49384 > 192.168.1.3.443: Flags [P.], seq 1:40, ack 1, win 1005, options [nop,nop,TS val 3201809665 ecr 3138351898], length 39
IP 192.168.1.3.443 > 10.0.0.1.49384: Flags [.], ack 40, win 1018, options [nop,nop,TS val 3138351952 ecr 3201809665], length 0
IP 192.168.1.3.443 > 10.0.0.1.49384: Flags [P.], seq 1:42, ack 40, win 1018, options [nop,nop,TS val 3138351991 ecr 3201809665], length 41
IP 10.0.0.1.49384 > 192.168.1.3.443: Flags [.], ack 42, win 1005, options [nop,nop,TS val 3201809737 ecr 3138351991], length 0
IP 10.0.0.1.49384 > 192.168.1.3.443: Flags [.], seq 40:1426, ack 42, win 1005, options [nop,nop,TS val 3201809738 ecr 3138351991], length 1386

Hi,

I have changed to VTI.

I connect from the Internet with a browser to the public IP.

monitor traffic interface vti0 filter "-nt"
IP 66.22.58.16.36356 > 192.168.1.3.443: Flags [S], seq 4127555360, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 66.22.58.16.36355 > 192.168.1.3.443: Flags [S], seq 3170883440, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

The source is the public IP of the client on the Internet. I see the packet on the other site, but the webserver sends its reply to that client address via the company's own Internet provider instead of back through the tunnel.

Can I change the source address to the local one of the VyOS?

Check source NAT rule 10 in my example.
10.0.0.1 is the IP address of the vti0 interface, so the remote site sees packets from source 10.0.0.1 and replies to 10.0.0.1, which is routed back through the tunnel.
Two caveats: the Check Point side must have a route for / include 10.0.0.0/30 in its encryption domain, and the webserver will now log 10.0.0.1 for every Internet client, so the real client address is no longer visible there.