Ipsec VPN tunnel between 2 sites Dnat do not route over vpn

maverh · February 27, 2021, 10:08pm

We have the following setup : vyos in datacenter with public IP, and vpn ipsec tunnel to company with checkpoint firewall.
In the company there is running a webserver.
100.100.100.100 (Public ip vyos) → DNAT to 192.168.1.3 (traffic over vpn tunnel to company public ip 200.200.200.200) (https)

I can ping from the vyos to the company, the ipsec tunnel is up.
i can ping from the webserver 192.168.1.3 to then 172.20.10.50

But https to the webserver do not work. What is wrong?

interfaces {
    ethernet eth0 {
        address 100.100.100.100/25          public ip
    }
    ethernet eth2 {
        address 172.10.10.50/24               local ip
    }
    loopback lo {
    }
}
nat {
    destination {
        rule 500 {
            description DNAT to company webserver
            destination {
                port 443
            }
            inbound-interface eth0
            log
            protocol tcp
            translation {
                address 192.168.1.3
            }
        }
    }
    source {
        rule 6 {
            destination {
                address 192.168.1.0/24
            }
            exclude
            outbound-interface eth0
            source {
                address 172.10.10.0/24
            }
        }
        rule 10 {
            outbound-interface eth0
            source {
                address 172.10.10.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 11 {
            outbound-interface eth0
            source {
                address 192.168.1.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 100.100.100.100 {
            }
        }
    }
}
service {
    dns {
        forwarding {
            allow-from 172.10.10.0/24
            listen-address 172.10.10.50
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    ssh {
        port 22
    }
}
vpn {
    ipsec {
        esp-group ESP-1W {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group IKE-1W {
            close-action none
            dead-peer-detection {
                action restart
                interval 15
                timeout 30
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 86400
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 200.200.200.200 {
                authentication {
                    id 100.100.100.100
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id 200.200.200.200
                }
                connection-type initiate
                default-esp-group ESP-1W
                ike-group IKE-1W
                ikev2-reauth inherit
                local-address 100.100.100.100
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    local {
                        prefix 172.10.10.50/24
                    }
                    remote {
                        prefix 192.168.1.0/24
                    }
                }
            }
        }
    }
}

Viacheslav · February 28, 2021, 11:49pm

I think you need to use a routing-based tunnel and vti interface.
Because with tunnel0 it used policy-based, so your dnat rules don’t work.

Example of configuration

set interfaces dummy dum0 address '172.10.10.50/24'
set interfaces ethernet eth0 address '100.100.100.100/25'
set interfaces vti vti0 address '10.0.0.1/30'
set nat destination rule 500 description 'DNAT'
set nat destination rule 500 destination port '443'
set nat destination rule 500 inbound-interface 'eth0'
set nat destination rule 500 log
set nat destination rule 500 protocol 'tcp'
set nat destination rule 500 translation address '192.168.1.3'
set nat source rule 10 outbound-interface 'vti0'
set nat source rule 10 translation address 'masquerade'
set protocols static route 192.168.1.0/24 interface vti0
set protocols static route 200.200.200.0/24 next-hop 100.100.100.1
set vpn ipsec esp-group ESP-1W compression 'disable'
set vpn ipsec esp-group ESP-1W lifetime '3600'
set vpn ipsec esp-group ESP-1W mode 'tunnel'
set vpn ipsec esp-group ESP-1W pfs 'enable'
set vpn ipsec esp-group ESP-1W proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-1W close-action 'none'
set vpn ipsec ike-group IKE-1W dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-1W dead-peer-detection interval '15'
set vpn ipsec ike-group IKE-1W dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE-1W ikev2-reauth 'no'
set vpn ipsec ike-group IKE-1W key-exchange 'ikev1'
set vpn ipsec ike-group IKE-1W lifetime '86400'
set vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1W proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 200.200.200.200 authentication id '100.100.100.100'
set vpn ipsec site-to-site peer 200.200.200.200 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 200.200.200.200 authentication pre-shared-secret 'fooBar'
set vpn ipsec site-to-site peer 200.200.200.200 authentication remote-id '200.200.200.200'
set vpn ipsec site-to-site peer 200.200.200.200 connection-type 'initiate'
set vpn ipsec site-to-site peer 200.200.200.200 default-esp-group 'ESP-1W'
set vpn ipsec site-to-site peer 200.200.200.200 ike-group 'IKE-1W'
set vpn ipsec site-to-site peer 200.200.200.200 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 200.200.200.200 local-address '100.100.100.100'
set vpn ipsec site-to-site peer 200.200.200.200 vti bind 'vti0'

Debug:

vyos@r1:~$ monitor traffic interface vti0 filter "-nt"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vti0, link-type RAW (Raw IP), capture size 262144 bytes
IP 10.0.0.1.49384 > 192.168.1.3.443: Flags [S], seq 665353972, win 64308, options [mss 1398,sackOK,TS val 3201809634 ecr 0,nop,wscale 6], length 0
IP 192.168.1.3.443 > 10.0.0.1.49384: Flags [S.], seq 350205899, ack 665353973, win 65160, options [mss 1460,sackOK,TS val 3138351898 ecr 3201809634,nop,wscale 6], length 0
IP 10.0.0.1.49384 > 192.168.1.3.443: Flags [.], ack 1, win 1005, options [nop,nop,TS val 3201809665 ecr 3138351898], length 0
IP 10.0.0.1.49384 > 192.168.1.3.443: Flags [P.], seq 1:40, ack 1, win 1005, options [nop,nop,TS val 3201809665 ecr 3138351898], length 39
IP 192.168.1.3.443 > 10.0.0.1.49384: Flags [.], ack 40, win 1018, options [nop,nop,TS val 3138351952 ecr 3201809665], length 0
IP 192.168.1.3.443 > 10.0.0.1.49384: Flags [P.], seq 1:42, ack 40, win 1018, options [nop,nop,TS val 3138351991 ecr 3201809665], length 41
IP 10.0.0.1.49384 > 192.168.1.3.443: Flags [.], ack 42, win 1005, options [nop,nop,TS val 3201809737 ecr 3138351991], length 0
IP 10.0.0.1.49384 > 192.168.1.3.443: Flags [.], seq 40:1426, ack 42, win 1005, options [nop,nop,TS val 3201809738 ecr 3138351991], length 1386

maverh · March 1, 2021, 10:15am

Hi,

I have change to vti

I connect from the internet with the brower to the public ip

monitor traffic interface vti0 filter “-nt”
IP 66.22.58.16.36356 > 192.168.1.3.443: Flags [S], seq 4127555360, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 66.22.58.16.36355 > 192.168.1.3.443: Flags [S], seq 3170883440, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

The source is the public IP of the client on the internet. i see the packet on the other site but the packet is send back from the webserver to the local internet provider

can i change the source address to the local one of the vios?

Viacheslav · March 1, 2021, 10:45am

Check source nat rule 10 in my example
10.0.0.1 it’s IP address of vti0 interface
So remote site see packets from source 10.0.0.1 and reply to 10.0.0.1