Issue with NAT and VPN

vpn

#1

I have an issue with NAT and VPN. I based my config on this article: https://wiki.vyos.net/wiki/NAT_Before_VPN and I believe the VyOS side’s config is correct. I can ping and connect to a Remote Desktop server from a file server on the VyOS side, but the Remote Desktop server on the remote side cannot ping or connect back to the file server shares, etc.

We only need communication between the file server, 10.255.24.10 (local, NAT’d from its real IP of 192.168.22.10), and the remote desktop server, 10.121.122.149 (remote).

set interfaces dummy dum0 address 10.255.24.1/24
set interfaces dummy dum0 address 10.255.24.10/24

set nat destination rule 8000 source address 10.121.50.64/27
set nat destination rule 8000 destination address 10.255.24.10
set nat destination rule 8000 inbound-interface any
set nat destination rule 8000 translation address 192.168.22.10

set nat destination rule 8001 source address 10.121.50.96/27
set nat destination rule 8001 destination address 10.255.24.10
set nat destination rule 8001 inbound-interface any
set nat destination rule 8001 translation address 192.168.22.10

set nat destination rule 8002 source address 10.121.122.128/27
set nat destination rule 8002 destination address 10.255.24.10
set nat destination rule 8002 inbound-interface any
set nat destination rule 8002 translation address 192.168.22.10

set nat destination rule 8003 source address 10.121.122.160/27
set nat destination rule 8003 destination address 10.255.24.10
set nat destination rule 8003 inbound-interface any
set nat destination rule 8003 translation address 192.168.22.10

set nat source rule 8000 outbound-interface any
set nat source rule 8000 source address 192.168.22.10
set nat source rule 8000 destination address 10.121.50.64/27
set nat source rule 8000 translation address 10.255.24.10

set nat source rule 8001 outbound-interface any
set nat source rule 8001 source address 192.168.22.10
set nat source rule 8001 destination address 10.121.50.96/27
set nat source rule 8001 translation address 10.255.24.10

set nat source rule 8002 outbound-interface any
set nat source rule 8002 source address 192.168.22.10
set nat source rule 8002 destination address 10.121.122.128/27
set nat source rule 8002 translation address 10.255.24.10

set nat source rule 8003 outbound-interface any
set nat source rule 8003 source address 192.168.22.10
set nat source rule 8003 destination address 10.121.122.160/27
set nat source rule 8003 translation address 10.255.24.10

set nat source rule 9100 source address 192.168.22.0/24
set nat source rule 9100 outbound-interface eth0
set nat source rule 9100 translation address masquerade

set firewall group network-group RemoteSubnets network 10.121.50.64/27
set firewall group network-group RemoteSubnets network 10.121.50.96/27
set firewall group network-group RemoteSubnets network 10.121.122.128/27
set firewall group network-group RemoteSubnets network 10.121.122.160/27

set firewall group network-group LocalSubnets network 10.255.24.0/24
set firewall group network-group LocalSubnets network 192.168.22.0/24

set firewall name eth0_in rule 11 action accept
set firewall name eth0_in rule 11 source group network-group RemoteSubnets
set firewall name eth0_in rule 11 destination group network-group LocalSubnets

set vpn nat-traversal enable

set vpn ipsec ipsec-interfaces interface eth0

set vpn ipsec ike-group IKE-AES256 proposal 1
set vpn ipsec ike-group IKE-AES256 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-AES256 proposal 1 hash sha1
set vpn ipsec ike-group IKE-AES256 proposal 1 dh-group 5
set vpn ipsec ike-group IKE-AES256 lifetime 86400

set vpn ipsec esp-group ESP-AES256 proposal 1
set vpn ipsec esp-group ESP-AES256 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-AES256 proposal 1 hash sha1
set vpn ipsec esp-group ESP-AES256 pfs disable
set vpn ipsec esp-group ESP-AES256 lifetime 86400

set vpn ipsec site-to-site peer 1.1.1.1 authentication mode pre-shared-secret
edit vpn ipsec site-to-site peer 1.1.1.1
set description Remote
set authentication pre-shared-secret xxxxx
set remote-id 2.2.2.2
set default-esp-group ESP-AES256
set ike-group IKE-AES256
set local-address 3.3.3.3
set tunnel 1 local prefix 10.255.24.0/24
set tunnel 1 remote prefix 10.121.50.64/27

set tunnel 2 local prefix 10.255.24.0/24
set tunnel 2 remote prefix 10.121.50.96/27

set tunnel 3 local prefix 10.255.24.0/24
set tunnel 3 remote prefix 10.121.122.128/27

set tunnel 4 local prefix 10.255.24.0/24
set tunnel 4 remote prefix 10.121.122.160/27
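The config above has four DNAT rules, four SNAT rules, four tunnel selectors and one firewall rule that all have to line up per remote /27 in both directions. The script below is an added example, not code from this thread or from the VyOS project: it transcribes those tables and traces a packet through them in the order the linked "NAT before VPN" article relies on (assumed VyOS 1.1 behaviour: inbound is decrypt, then DNAT in PREROUTING, then the `eth0_in` ruleset in FORWARD; outbound is SNAT in POSTROUTING, then the IPsec policy lookup on the post-NAT addresses). The test hosts in `check_config()` are constructed.

```python
"""Trace the NAT-before-VPN path through the rules posted in #1.

Added example, not code from the thread or from the VyOS project.  It assumes
the packet order the linked wiki article relies on (VyOS 1.1, iptables + xfrm):
  inbound : ESP decrypt (tunnel selector) -> DNAT (PREROUTING) -> eth0_in (FORWARD)
  outbound: SNAT (POSTROUTING) -> IPsec policy lookup on the post-NAT addresses
The rule tables are transcribed from the posted config; the hosts used in
check_config() are constructed test inputs.
"""
import ipaddress
from dataclasses import dataclass

IP = ipaddress.IPv4Address
NET = ipaddress.IPv4Network


@dataclass(frozen=True)
class DnatRule:
    rule: int
    source: NET        # "source address"
    destination: IP    # "destination address"
    translation: IP    # "translation address"


@dataclass(frozen=True)
class SnatRule:
    rule: int
    source: IP
    destination: NET
    translation: IP


@dataclass(frozen=True)
class Tunnel:
    number: int
    local: NET         # "local prefix"
    remote: NET        # "remote prefix"


REMOTE_SUBNETS = [NET(n) for n in ("10.121.50.64/27", "10.121.50.96/27",
                                   "10.121.122.128/27", "10.121.122.160/27")]
FILE_SERVER_REAL = IP("192.168.22.10")   # real address of the file server
FILE_SERVER_NAT = IP("10.255.24.10")     # address the remote side is given
LOCAL_PREFIX = NET("10.255.24.0/24")

# nat destination 8000-8003, nat source 8000-8003, tunnels 1-4 from the post
DNAT = [DnatRule(8000 + i, n, FILE_SERVER_NAT, FILE_SERVER_REAL)
        for i, n in enumerate(REMOTE_SUBNETS)]
SNAT = [SnatRule(8000 + i, FILE_SERVER_REAL, n, FILE_SERVER_NAT)
        for i, n in enumerate(REMOTE_SUBNETS)]
TUNNELS = [Tunnel(i + 1, LOCAL_PREFIX, n) for i, n in enumerate(REMOTE_SUBNETS)]
# firewall eth0_in rule 11: RemoteSubnets -> LocalSubnets accept
LOCAL_SUBNETS = [LOCAL_PREFIX, NET("192.168.22.0/24")]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def trace_inbound(src, dst):
    """Remote host -> file server: which selector, DNAT rule and firewall verdict."""
    src, dst = IP(str(src)), IP(str(dst))
    r = {"tunnel": None, "dnat": None, "post_nat_dst": dst, "firewall": "drop"}
    tun = next((t for t in TUNNELS if src in t.remote and dst in t.local), None)
    if tun is None:
        return r            # no selector covers it: it never enters the SA
    r["tunnel"] = tun.number
    rule = next((d for d in DNAT if src in d.source and dst == d.destination), None)
    if rule is not None:
        r["dnat"] = rule.rule
        r["post_nat_dst"] = rule.translation
    # eth0_in runs in FORWARD, after DNAT, so it sees the translated destination
    if _in_any(src, REMOTE_SUBNETS) and _in_any(r["post_nat_dst"], LOCAL_SUBNETS):
        r["firewall"] = "accept"
    return r


def trace_outbound(src, dst):
    """File server -> remote host: which SNAT rule and which selector after NAT."""
    src, dst = IP(str(src)), IP(str(dst))
    r = {"snat": None, "post_nat_src": src, "tunnel": None}
    rule = next((s for s in SNAT if src == s.source and dst in s.destination), None)
    if rule is not None:
        r["snat"] = rule.rule
        r["post_nat_src"] = rule.translation
    tun = next((t for t in TUNNELS
                if r["post_nat_src"] in t.local and dst in t.remote), None)
    if tun is not None:
        r["tunnel"] = tun.number
    return r


def check_config():
    """Return a list of problems; empty means every remote subnet has a matching
    DNAT/SNAT rule, tunnel selector and firewall accept in both directions."""
    problems = []
    for net in REMOTE_SUBNETS:
        host = net[1]                      # constructed test host in that /27
        i = trace_inbound(host, FILE_SERVER_NAT)
        if (i["tunnel"] is None or i["dnat"] is None
                or i["post_nat_dst"] != FILE_SERVER_REAL or i["firewall"] != "accept"):
            problems.append(f"inbound from {host}: {i}")
        o = trace_outbound(FILE_SERVER_REAL, host)
        if o["tunnel"] is None or o["post_nat_src"] != FILE_SERVER_NAT:
            problems.append(f"outbound to {host}: {o}")
    return problems


if __name__ == "__main__":
    print(trace_inbound("10.121.122.149", "10.255.24.10"))
    print(trace_outbound("192.168.22.10", "10.121.122.149"))
    print("problems:", check_config() or "none")
```

Running it against the posted tables reports no problems: 10.121.122.149 falls in 10.121.122.128/27, so tunnel 3, DNAT 8002 and SNAT 8002 all match and the firewall rule accepts the translated destination. When the rule arithmetic checks out like this, an empty `show nat destination translations` during a remote-to-local test means the decrypted packet is not reaching PREROUTING with that source and destination at all, so the next things to look at are `show vpn ipsec sa` for the selector the peer actually negotiated and a capture on eth0 while the remote side pings.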


#2

How are you trying to access the file share? Browsing usually requires some kind of L2 VPN, which isn’t what you are doing. You should be able to access it directly by \\IP\ or \\IP\Share though.


#3

Typical way for Windows file shares, using \\10.255.24.10, but it just hangs and then fails.


#4

Are you also using VyOS on the remote side? Connectivity seems to be in place, basically, judging from your ability to RDP into the “RDP Server” on the remote side (from your file server), but you can’t browse network shares on said file server from the remote side. What can you do from the remote side? Can you ping that file server from the remote side? Any other servers in the same subnet as that file server that you could test?


#5

Have you applied that to the eth0 interface?


#6

It is not a VyOS on the remote side. Cannot ping from the remote RDP server to the local file server either. There aren’t any other servers that the remote side needs to connect to, and I believe they have access lists in place to allow access only to a given set of ports on the file server, and ICMP as they are supposed to be able to ping to the local side as well.

This should be easier than it has been, since we are just moving the file server to a new network, and the remote side already had a similarly configured VPN to the previous site for the file server. We’ve compared the VyOS VPN config to the VPN config at the previous site and they are very similar, with some exceptions, such as different subnets and a request from the remote side to use a 1-to-1 NAT instead of the /24 to /24 NAT that was used previously. But both configs on both sides should be based on previous successfully working configs.

Yes, I have applied the eth0_in access list to the eth0 interface. We do have 2 other VPNs successfully setup on the local VyOS, but they do not need to use NAT as with this VPN. Similar rules are setup for those VPNs in the same eth0_in access list.


#7

Can you attempt to access resources on the file server from the RDP side again, run some ICMP, etc.? While doing this, on your side, take a look at the NAT translations and provide that.


#8

Below are translations when trying to connect from the local file server to the remote server:

vyos@router01:~$ show nat destination translations
Pre-NAT          Post-NAT         Prot  Timeout
10.121.122.149   10.121.122.149   icmp  29

vyos@router01:~$ show nat source translations
Pre-NAT          Post-NAT         Prot  Timeout
192.168.22.10    10.255.24.10     tcp   431989
192.168.22.10    10.255.24.10     icmp  29


#9

Below are translations when trying to connect from the remote server to the local file server:

vyos@router01:~$ show nat destination translations
Pre-NAT          Post-NAT         Prot  Timeout

vyos@router01:~$ show nat source translations
Pre-NAT          Post-NAT         Prot  Timeout
192.168.22.10    10.255.24.10     tcp   431998

The NAT source TCP connection is from me RDPing into the remote server and trying to connect back to the local file server.