Issue with NAT and VPN


I have an issue with NAT and VPN. I based my config on this article: NAT — VyOS 1.4.x (sagitta) documentation and I believe the VyOS side’s config is correct. I can ping and connect to a Remote Desktop server from a file server on the VyOS side, but the Remote Desktop server on the remote side cannot ping or connect back to the file server shares, etc.

We only need communication between the file server, 10.255.24.10 (local, NAT'd to the real IP of 192.168.22.10), and the remote desktop server, 10.121.122.149 (remote).

set interfaces dummy dum0 address 10.255.24.1/24
set interfaces dummy dum0 address 10.255.24.10/24

set nat destination rule 8000 source address 10.121.50.64/27
set nat destination rule 8000 destination address 10.255.24.10
set nat destination rule 8000 inbound-interface any
set nat destination rule 8000 translation address 192.168.22.10

set nat destination rule 8001 source address 10.121.50.96/27
set nat destination rule 8001 destination address 10.255.24.10
set nat destination rule 8001 inbound-interface any
set nat destination rule 8001 translation address 192.168.22.10

set nat destination rule 8002 source address 10.121.122.128/27
set nat destination rule 8002 destination address 10.255.24.10
set nat destination rule 8002 inbound-interface any
set nat destination rule 8002 translation address 192.168.22.10

set nat destination rule 8003 source address 10.121.122.160/27
set nat destination rule 8003 destination address 10.255.24.10
set nat destination rule 8003 inbound-interface any
set nat destination rule 8003 translation address 192.168.22.10

set nat source rule 8000 outbound-interface any
set nat source rule 8000 source address 192.168.22.10
set nat source rule 8000 destination address 10.121.50.64/27
set nat source rule 8000 translation address 10.255.24.10

set nat source rule 8001 outbound-interface any
set nat source rule 8001 source address 192.168.22.10
set nat source rule 8001 destination address 10.121.50.96/27
set nat source rule 8001 translation address 10.255.24.10

set nat source rule 8002 outbound-interface any
set nat source rule 8002 source address 192.168.22.10
set nat source rule 8002 destination address 10.121.122.128/27
set nat source rule 8002 translation address 10.255.24.10

set nat source rule 8003 outbound-interface any
set nat source rule 8003 source address 192.168.22.10
set nat source rule 8003 destination address 10.121.122.160/27
set nat source rule 8003 translation address 10.255.24.10

set nat source rule 9100 source address 192.168.22.0/24
set nat source rule 9100 outbound-interface eth0
set nat source rule 9100 translation address masquerade

set firewall group network-group RemoteSubnets network 10.121.50.64/27
set firewall group network-group RemoteSubnets network 10.121.50.96/27
set firewall group network-group RemoteSubnets network 10.121.122.128/27
set firewall group network-group RemoteSubnets network 10.121.122.160/27

set firewall group network-group LocalSubnets network 10.255.24.0/24
set firewall group network-group LocalSubnets network 192.168.22.0/24

set firewall name eth0_in rule 11 action accept
set firewall name eth0_in rule 11 source group network-group RemoteSubnets
set firewall name eth0_in rule 11 destination group network-group LocalSubnets

set vpn nat-traversal enable

set vpn ipsec ipsec-interfaces interface eth0

set vpn ipsec ike-group IKE-AES256 proposal 1
set vpn ipsec ike-group IKE-AES256 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-AES256 proposal 1 hash sha1
set vpn ipsec ike-group IKE-AES256 proposal 1 dh-group 5
set vpn ipsec ike-group IKE-AES256 lifetime 86400

set vpn ipsec esp-group ESP-AES256 proposal 1
set vpn ipsec esp-group ESP-AES256 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-AES256 proposal 1 hash sha1
set vpn ipsec esp-group ESP-AES256 pfs disable
set vpn ipsec esp-group ESP-AES256 lifetime 86400

set vpn ipsec site-to-site peer 1.1.1.1 authentication mode pre-shared-secret
edit vpn ipsec site-to-site peer 1.1.1.1
set description Remote
set authentication pre-shared-secret xxxxx
set remote-id 2.2.2.2
set default-esp-group ESP-AES256
set ike-group IKE-AES256
set local-address 3.3.3.3
set tunnel 1 local prefix 10.255.24.0/24
set tunnel 1 remote prefix 10.121.50.64/27

set tunnel 2 local prefix 10.255.24.0/24
set tunnel 2 remote prefix 10.121.50.96/27

set tunnel 3 local prefix 10.255.24.0/24
set tunnel 3 remote prefix 10.121.122.128/27

set tunnel 4 local prefix 10.255.24.0/24
set tunnel 4 remote prefix 10.121.122.160/27

How are you trying to access the file share? Browsing usually requires some kind of L2 VPN, which isn't what you are doing. You should be able to access it directly by \\IP\ or \\IP\Share though.

The typical way for Windows file shares, using \\10.255.24.10, but it just hangs and then fails.

Are you also using VyOS on the remote side as well? Connectivity seems to be in place, basically, from your ability to RDP into the "RDP Server" on the remote side (from your file server), but you can't browse network shares on said file server from the remote side. What can you do from the remote side? Can you ping that file server from the remote side? Any other servers in the same subnet as that file server that you could test?

Have you applied that to the eth0 interface?

It is not a VyOS on the remote side. Cannot ping from the remote RDP server to the local file server either. There aren’t any other servers that the remote side needs to connect to, and I believe they have access lists in place to allow access only to a given set of ports on the file server, and ICMP as they are supposed to be able to ping to the local side as well.

This should be easier than it has been, since we are just moving the file server to a new network, and the remote side already had a similarly configured VPN to the previous site for the file server. We've compared the VyOS VPN config to the VPN config at the previous site and they are very similar, with some exceptions, such as different subnets and a request from the remote side to use a 1-to-1 NAT instead of the /24-to-/24 NAT that was used previously. But both configs on both sides should be based on previously working configs.

Yes, I have applied the eth0_in access list to the eth0 interface. We do have 2 other VPNs successfully set up on the local VyOS, but they do not need to use NAT as this VPN does. Similar rules are set up for those VPNs in the same eth0_in access list.

Can you attempt to access resources on the file server from the RDP side again, run some ICMP, etc. While doing this, on your side, take a look at the nat translations and provide that.

Below are translations when trying to connect from the local file server to the remote server:

vyos@router01:~$ show nat destination translations
Pre-NAT Post-NAT Prot Timeout
10.121.122.149 10.121.122.149 icmp 29

vyos@router01:~$ show nat source translations
Pre-NAT Post-NAT Prot Timeout
192.168.22.10 10.255.24.10 tcp 431989
192.168.22.10 10.255.24.10 icmp 29

Below are translations when trying to connect from the remote server to the local file server:

vyos@router01:~$ show nat destination translations
Pre-NAT Post-NAT Prot Timeout

vyos@router01:~$ show nat source translations
Pre-NAT Post-NAT Prot Timeout
192.168.22.10 10.255.24.10 tcp 431998

The NAT source TCP connection is from me RDPing into the remote server and trying to connect back to the local file server.
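As an added example that is not part of the thread and not VyOS code, the Python model below parses `set nat` lines in the format posted above and predicts, for one new flow, which rule each table would apply and the pre-/post-NAT addresses that `show nat destination translations` and `show nat source translations` should then list. It covers the OP's 1:1 destination/source pair for 10.121.122.128/27 and, going beyond the OP's config, the `exclude` and `masquerade` source rules from the later reply. The first-match semantics it models, the interface name eth1 for the LAN side, and the way a masquerade address is supplied by the caller are assumptions of the example.

```python
"""Toy model of VyOS first-match NAT evaluation (added example, not VyOS code).
Parses `set nat source|destination rule N ...` lines and predicts, for a new flow,
which rule fires in each table and the pre-/post-NAT addresses `show nat ...
translations` should list. Assumed semantics: ascending rule number, first match
wins, `exclude` stops without translating, `masquerade` uses the egress address."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Optional, Tuple

RULE_RE = re.compile(r"^set nat (source|destination) rule (\d+)(?: (.*))?$")
Translation = Optional[Tuple[int, str, str]]  # (rule number, pre-NAT, post-NAT)
Flow = NamedTuple("Flow", [("src", str), ("dst", str), ("in_iface", str), ("out_iface", str)])

@dataclass
class NatRule:
    table: str                          # "destination" (PREROUTING) or "source" (POSTROUTING)
    number: int
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    iface: Optional[str] = None         # inbound (DNAT) or outbound (SNAT) interface
    translation: Optional[str] = None   # an address, or "masquerade"
    exclude: bool = False

def parse_nat_config(text: str) -> Dict[str, List[NatRule]]:
    """Group rules per table, ordered by rule number (the evaluation order)."""
    rules: Dict[Tuple[str, int], NatRule] = {}
    for raw in text.splitlines():
        m = RULE_RE.match(re.sub(r"[‘’']", "", raw.strip()))  # drop forum curly quotes
        if not m:
            continue
        table, number, words = m.group(1), int(m.group(2)), (m.group(3) or "").split()
        rule = rules.setdefault((table, number), NatRule(table, number))
        if words == ["exclude"]:
            rule.exclude = True
        elif len(words) >= 2:
            key, value = " ".join(words[:-1]), words[-1]
            if key == "source address":
                rule.src = ipaddress.ip_network(value, strict=False)
            elif key == "destination address":
                rule.dst = ipaddress.ip_network(value, strict=False)
            elif key.startswith(("inbound-interface", "outbound-interface")):
                rule.iface = value
            elif key == "translation address":
                rule.translation = value
    out: Dict[str, List[NatRule]] = {"destination": [], "source": []}
    for (table, _), rule in sorted(rules.items()):
        out[table].append(rule)
    return out

def _matches(rule: NatRule, flow: Flow) -> bool:
    if rule.src is not None and ipaddress.ip_address(flow.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(flow.dst) not in rule.dst:
        return False
    iface = flow.in_iface if rule.table == "destination" else flow.out_iface
    return rule.iface in (None, "any") or rule.iface == iface

def predict(config: Dict[str, List[NatRule]], flow: Flow,
            iface_addrs: Optional[Dict[str, str]] = None) -> Dict[str, Translation]:
    """DNAT is decided on the original packet; SNAT then sees the DNATed destination."""
    result: Dict[str, Translation] = {"destination": None, "source": None}
    dnat = next((r for r in config["destination"] if _matches(r, flow)), None)
    if dnat and not dnat.exclude and dnat.translation:
        result["destination"] = (dnat.number, flow.dst, dnat.translation)
        flow = flow._replace(dst=dnat.translation)
    snat = next((r for r in config["source"] if _matches(r, flow)), None)
    if snat and not snat.exclude and snat.translation:
        post = snat.translation
        if post == "masquerade":  # egress address is supplied by the caller (assumption)
            post = (iface_addrs or {}).get(flow.out_iface, "masquerade")
        result["source"] = (snat.number, flow.src, post)
    return result

# Rules copied from the thread: the OP's 1:1 pair for 10.121.122.128/27, and the later reply's exclude/masquerade pair.
OP_CONFIG = """
set nat destination rule 8002 source address 10.121.122.128/27
set nat destination rule 8002 destination address 10.255.24.10
set nat destination rule 8002 inbound-interface any
set nat destination rule 8002 translation address 192.168.22.10
set nat source rule 8002 outbound-interface any
set nat source rule 8002 source address 192.168.22.10
set nat source rule 8002 destination address 10.121.122.128/27
set nat source rule 8002 translation address 10.255.24.10
"""
REPLY_CONFIG = """
set nat source rule 10 destination address ‘192.168.1.0/24’
set nat source rule 10 exclude
set nat source rule 10 outbound-interface ‘eth0’
set nat source rule 10 source address ‘10.0.10.0/24’
set nat source rule 100 outbound-interface ‘eth0’
set nat source rule 100 source address ‘10.0.10.0/24’
set nat source rule 100 translation address ‘masquerade’
"""

if __name__ == "__main__":
    cfg = parse_nat_config(OP_CONFIG)   # eth1 below is a constructed LAN interface name
    print("remote -> file server:", predict(cfg, Flow("10.121.122.149", "10.255.24.10", "eth0", "eth1")))
    print("file server -> remote:", predict(cfg, Flow("192.168.22.10", "10.121.122.149", "eth1", "eth0")))
```

For the file-server-to-remote flow the model reproduces the source translation 192.168.22.10 to 10.255.24.10 shown above. For the remote-to-file-server flow it predicts a destination translation 10.255.24.10 to 192.168.22.10 from rule 8002, which the empty `show nat destination translations` above does not contain; a matching rule with no translation entry means the packets never reached the router's PREROUTING hook, which puts the question on whether they are entering the tunnel at all rather than on the NAT rules.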

Look, it's very important that your FW / NAT rules are good. I had an issue where I could ping from VyOS to the FortiGate, but after hours, pinging from the FortiGate to the VyOS local network was impossible. Really annoying. It ended up being that I had a duplicate rule, like OUTSIDE-IN and LOCAL-IN, for that local network. This broke VyOS. This is the rule you need:

set firewall name OUTSIDE-IN rule 33 action 'accept'
set firewall name OUTSIDE-IN rule 33 destination address '10.0.10.0/24'
set firewall name OUTSIDE-IN rule 33 source address '192.168.1.0/24'

Be bloody sure you have a proper rule. And don't put it on OUTSIDE-LOCAL when you're using site-to-site VPN. It will break. It took me 4 weeks to figure this the **** out. I hope I can help you with this. Also you of course need this:

set firewall name OUTSIDE-IN rule 60 action 'accept'
set firewall name OUTSIDE-IN rule 60 ipsec match-ipsec

Also only on the OUTSIDE-IN !!!

You need these on top of the router firewall:

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'

and this is my VPN config:

set vpn ipsec esp-group fw-esp compression 'disable'
set vpn ipsec esp-group fw-esp lifetime '3600'
set vpn ipsec esp-group fw-esp mode 'tunnel'
set vpn ipsec esp-group fw-esp pfs 'enable'
set vpn ipsec esp-group fw-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group fw-esp proposal 1 hash 'sha512'
set vpn ipsec ike-group fw-ike close-action 'none'
set vpn ipsec ike-group fw-ike ikev2-reauth 'no'
set vpn ipsec ike-group fw-ike key-exchange 'ikev2'
set vpn ipsec ike-group fw-ike lifetime '1800'
set vpn ipsec ike-group fw-ike proposal 1 dh-group '21'
set vpn ipsec ike-group fw-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group fw-ike proposal 1 hash 'sha512'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer remotepeeriphere authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer remotepeeriphere authentication pre-shared-secret 'xxxxxxxxxxxx'
set vpn ipsec site-to-site peer remotepeeriphere connection-type 'initiate'
set vpn ipsec site-to-site peer remotepeeriphere ike-group 'fw-ike'
set vpn ipsec site-to-site peer remotepeeriphere ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer remotepeeriphere local-address outsidewaniphereofthevyos
set vpn ipsec site-to-site peer remotepeeriphere tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer remotepeeriphere tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer remotepeeriphere tunnel 0 esp-group 'fw-esp'
set vpn ipsec site-to-site peer remotepeeriphere tunnel 0 local prefix '10.0.10.0/24'
set vpn ipsec site-to-site peer remotepeeriphere tunnel 0 remote prefix '192.168.1.0/24'

If you have questions just mail me on tintrasagnethiu@gmail.com

Good luck!

Btw you need this too:

set nat source rule 10 destination address '192.168.1.0/24'
set nat source rule 10 exclude
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.10.0/24'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.0.10.0/24'
set nat source rule 100 translation address 'masquerade'

You do not need to put a static route for the VPN networks; it will do this automatically! Btw I have dead peer detection on the FortiGate side, otherwise it can go down, I've noticed.

PPS my FortiGate config CLI:

FGT60E # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "tunnel-name"
set interface "wan1"
set ike-version 2
set keylife 1800
set peertype any
set proposal aes256-sha512
set comments "VPN: tunnel-name (Created by VPN wizard)"
set dhgrp 21
set remote-gw remotegwiphere
set psksecret ENC encryptedsecrethere
next
end

FGT60E # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "tunnel-name"
set phase1name "tunnel-name"
set proposal aes256-sha512
set pfs disable
set replay disable
set auto-negotiate enable
set comments "VPN: tunnel-name (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set keylifeseconds 3600
set src-name "tunnel-name_local"
set dst-name "tunnel-name_remote"
next
end