I have an issue with NAT and VPN. I based my config on this article, NAT — VyOS 1.4.x (sagitta) documentation, and I believe the VyOS side's config is correct. I can ping and connect to a Remote Desktop server from a file server on the VyOS side, but the Remote Desktop server on the remote side cannot ping the file server or connect back to its shares, etc.
We only need communication between the file server, 10.255.24.10 (local, NAT'd to its real IP of 192.168.22.10), and the remote desktop server, 10.121.122.149 (remote).
# Reviewer notes on the VyOS side of the NAT + IPsec setup (comments only; the
# set/edit lines are unchanged). 10.255.24.10 is the NAT identity the remote
# side sees for the file server 192.168.22.10; the tunnels only ever carry
# 10.255.24.0/24, never 192.168.22.0/24.
set interfaces dummy dum0 address 10.255.24.1/24
# The translated address is also configured locally so the router owns it.
# NOTE(review): .10 must not be in use by any real host on 10.255.24.0/24.
set interfaces dummy dum0 address 10.255.24.10/24
# Destination NAT: remote -> 10.255.24.10 is rewritten to the real server
# address. Rules 8000-8003 are identical apart from the source /27; rule 8002
# (10.121.122.128/27) is the one covering 10.121.122.149. 'inbound-interface
# any' is broad, but the source/destination match keeps each rule scoped to
# the remote subnets.
set nat destination rule 8000 source address 10.121.50.64/27
set nat destination rule 8000 destination address 10.255.24.10
set nat destination rule 8000 inbound-interface any
set nat destination rule 8000 translation address 192.168.22.10
set nat destination rule 8001 source address 10.121.50.96/27
set nat destination rule 8001 destination address 10.255.24.10
set nat destination rule 8001 inbound-interface any
set nat destination rule 8001 translation address 192.168.22.10
set nat destination rule 8002 source address 10.121.122.128/27
set nat destination rule 8002 destination address 10.255.24.10
set nat destination rule 8002 inbound-interface any
set nat destination rule 8002 translation address 192.168.22.10
set nat destination rule 8003 source address 10.121.122.160/27
set nat destination rule 8003 destination address 10.255.24.10
set nat destination rule 8003 inbound-interface any
set nat destination rule 8003 translation address 192.168.22.10
# Source NAT: the file server's own connections toward the remote /27s leave
# as 10.255.24.10 so they fall inside the tunnel selectors. Replies to
# DNAT'd connections are un-NATed by conntrack and do not depend on these.
set nat source rule 8000 outbound-interface any
set nat source rule 8000 source address 192.168.22.10
set nat source rule 8000 destination address 10.121.50.64/27
set nat source rule 8000 translation address 10.255.24.10
set nat source rule 8001 outbound-interface any
set nat source rule 8001 source address 192.168.22.10
set nat source rule 8001 destination address 10.121.50.96/27
set nat source rule 8001 translation address 10.255.24.10
set nat source rule 8002 outbound-interface any
set nat source rule 8002 source address 192.168.22.10
set nat source rule 8002 destination address 10.121.122.128/27
set nat source rule 8002 translation address 10.255.24.10
set nat source rule 8003 outbound-interface any
set nat source rule 8003 source address 192.168.22.10
set nat source rule 8003 destination address 10.121.122.160/27
set nat source rule 8003 translation address 10.255.24.10
# Catch-all masquerade for Internet-bound traffic from 192.168.22.0/24. NAT
# rules are evaluated in ascending rule-number order and the first match wins,
# so this must stay numbered above 8000-8003; otherwise VPN-bound traffic
# would be masqueraded to eth0's address and fall outside the tunnel selectors.
set nat source rule 9100 source address 192.168.22.0/24
set nat source rule 9100 outbound-interface eth0
set nat source rule 9100 translation address masquerade
# Firewall groups: LocalSubnets lists both the NAT identity (10.255.24.0/24)
# and the real LAN (192.168.22.0/24), so the accept rule matches whether it
# is evaluated before or after DNAT.
set firewall group network-group RemoteSubnets network 10.121.50.64/27
set firewall group network-group RemoteSubnets network 10.121.50.96/27
set firewall group network-group RemoteSubnets network 10.121.122.128/27
set firewall group network-group RemoteSubnets network 10.121.122.160/27
set firewall group network-group LocalSubnets network 10.255.24.0/24
set firewall group network-group LocalSubnets network 192.168.22.0/24
# Rule 11 accepts any protocol/port from the remote /27s to both local
# networks, so the remote side has unrestricted reach into the LAN unless a
# rule not shown here narrows it. Not visible in this listing: whether
# eth0_in is applied to an interface/direction, its default-action, and any
# rule covering 192.168.22.10's replies. NOTE(review): 'firewall name' is the
# pre-1.4 syntax; 1.4 uses 'firewall ipv4 name' -- confirm what the running
# release accepts.
set firewall name eth0_in rule 11 action accept
set firewall name eth0_in rule 11 source group network-group RemoteSubnets
set firewall name eth0_in rule 11 destination group network-group LocalSubnets
# IPsec. NOTE(review): 'nat-traversal enable' and 'ipsec-interfaces interface'
# are 1.3-era syntax; on 1.4 NAT-T is always on and the interface is set with
# 'set vpn ipsec interface' -- confirm this commits on the installed release.
set vpn nat-traversal enable
set vpn ipsec ipsec-interfaces interface eth0
# IKE proposal: AES-256 with SHA-1 integrity and DH group 5 (1536-bit MODP).
# SHA-1 and group 5 are legacy choices; prefer sha256 and dh-group 14 or
# higher whenever the peer supports them (both ends must agree). No
# key-exchange is set, so the release default applies (IKEv1 as far as I
# know -- confirm); IKEv2 is preferable if the peer can do it.
set vpn ipsec ike-group IKE-AES256 proposal 1
set vpn ipsec ike-group IKE-AES256 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-AES256 proposal 1 hash sha1
set vpn ipsec ike-group IKE-AES256 proposal 1 dh-group 5
set vpn ipsec ike-group IKE-AES256 lifetime 86400
# ESP proposal: PFS is disabled, so child-SA keys are derived from the IKE
# keying material alone; enable pfs (dh-group14 or higher) if the peer allows
# it. 86400 s lifetimes on both IKE and ESP are long for a SHA-1 / no-PFS
# combination.
set vpn ipsec esp-group ESP-AES256 proposal 1
set vpn ipsec esp-group ESP-AES256 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-AES256 proposal 1 hash sha1
set vpn ipsec esp-group ESP-AES256 pfs disable
set vpn ipsec esp-group ESP-AES256 lifetime 86400
# Peer: placeholder public IPs (1.1.1.1 peer, 2.2.2.2 remote-id, 3.3.3.3
# local); the PSK is redacted. Lines after 'edit' are relative to the peer
# node.
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode pre-shared-secret
edit vpn ipsec site-to-site peer 1.1.1.1
set description Remote
set authentication pre-shared-secret xxxxx
set remote-id 2.2.2.2
set default-esp-group ESP-AES256
set ike-group IKE-AES256
set local-address 3.3.3.3
# Four tunnels share the local prefix 10.255.24.0/24 and differ only in the
# remote /27; tunnel 3 carries 10.121.122.128/27 (where 10.121.122.149 lives).
# NOTE(review): the remote side's selectors must be the mirror image of these,
# and the file server itself must route the four remote /27s back via this
# router (and its host firewall must accept inbound from them) for its replies
# to reach conntrack and be un-NATed -- none of that is visible here and is
# the usual place to look for a one-way symptom like the one described.
set tunnel 1 local prefix 10.255.24.0/24
set tunnel 1 remote prefix 10.121.50.64/27
set tunnel 2 local prefix 10.255.24.0/24
set tunnel 2 remote prefix 10.121.50.96/27
set tunnel 3 local prefix 10.255.24.0/24
set tunnel 3 remote prefix 10.121.122.128/27
set tunnel 4 local prefix 10.255.24.0/24
set tunnel 4 remote prefix 10.121.122.160/27