Hello.
After upgrading VyOS to Crux I can't connect via L2TP/IPsec to VyOS without NAT in my configuration.
But in 1.1.7 and 1.1.8 it works perfectly. I don't need NAT.
I've tried it in rolling and self-built Crux images with the same result.
Here is my config:
```
interfaces {
    ethernet eth0 {
        address dhcp
    }
    ethernet eth1 {
        address dhcp
    }
    ethernet eth2 {
        address dhcp
    }
    loopback lo {
    }
}
service {
    ssh {
        disable-host-validation
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name <some-host-name>
    login {
        user rvv {
            authentication {
                encrypted-password <some_hash>
                plaintext-password ""
                public-keys some-identifier {
                    key <some-public-key>
                    type ssh-rsa
                }
            }
            level admin
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}
vpn {
    ipsec {
        ipsec-interfaces {
            interface eth2
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username TestUser1 {
                        password SOMEPASS
                        static-ip 192.168.10.20
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.10.17
                stop 192.168.10.30
            }
            idle 1800
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret some_pre_shared_secret
                }
                ike-lifetime 3600
                lifetime 3600
            }
            outside-address <VyOS-public-ip>
        }
    }
}
```
Logs:
```
Aug 16 14:04:01 vyos charon: 06[NET] received packet: from <client-public-ip>[500] to <VyOS-public-ip>[500] (788 bytes)
Aug 16 14:04:01 vyos charon: 06[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Aug 16 14:04:01 vyos charon: 06[IKE] received NAT-T (RFC 3947) vendor ID
Aug 16 14:04:01 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Aug 16 14:04:01 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Aug 16 14:04:01 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Aug 16 14:04:01 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Aug 16 14:04:01 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Aug 16 14:04:01 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Aug 16 14:04:01 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug 16 14:04:01 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug 16 14:04:01 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 16 14:04:01 vyos charon: 06[IKE] received FRAGMENTATION vendor ID
Aug 16 14:04:01 vyos charon: 06[IKE] received DPD vendor ID
Aug 16 14:04:01 vyos charon: 06[IKE] <client-public-ip> is initiating a Main Mode IKE_SA
Aug 16 14:04:01 vyos charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 16 14:04:01 vyos charon: 06[ENC] generating ID_PROT response 0 [ SA V V V V ]
Aug 16 14:04:01 vyos charon: 06[NET] sending packet: from <VyOS-public-ip>[500] to <client-public-ip>[500] (160 bytes)
Aug 16 14:04:01 vyos charon: 16[NET] received packet: from <client-public-ip>[500] to <VyOS-public-ip>[500] (228 bytes)
Aug 16 14:04:01 vyos charon: 16[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 16 14:04:01 vyos charon: 16[IKE] remote host is behind NAT
Aug 16 14:04:01 vyos charon: 16[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 16 14:04:01 vyos charon: 16[NET] sending packet: from <VyOS-public-ip>[500] to <client-public-ip>[500] (244 bytes)
Aug 16 14:04:01 vyos charon: 13[NET] received packet: from <client-public-ip>[4500] to <VyOS-public-ip>[4500] (108 bytes)
Aug 16 14:04:01 vyos charon: 13[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Aug 16 14:04:01 vyos charon: 13[CFG] looking for pre-shared key peer configs matching <VyOS-public-ip>...<client-public-ip>[10.9.0.66]
Aug 16 14:04:01 vyos charon: 13[CFG] selected peer config "remote-access"
Aug 16 14:04:01 vyos charon: 13[IKE] IKE_SA remote-access[18] established between <VyOS-public-ip>[<VyOS-public-ip>]...<client-public-ip>[10.9.0.66]
Aug 16 14:04:01 vyos charon: 13[ENC] generating ID_PROT response 0 [ ID HASH ]
Aug 16 14:04:01 vyos charon: 13[NET] sending packet: from <VyOS-public-ip>[4500] to <client-public-ip>[4500] (76 bytes)
Aug 16 14:04:02 vyos charon: 08[NET] received packet: from <client-public-ip>[4500] to <VyOS-public-ip>[4500] (316 bytes)
Aug 16 14:04:02 vyos charon: 08[ENC] parsed QUICK_MODE request 4255456000 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 16 14:04:02 vyos charon: 08[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 16 14:04:02 vyos charon: 08[IKE] received 3600s lifetime, configured 0s
Aug 16 14:04:02 vyos charon: 08[ENC] generating QUICK_MODE response 4255456000 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 16 14:04:02 vyos charon: 08[NET] sending packet: from <VyOS-public-ip>[4500] to <client-public-ip>[4500] (204 bytes)
Aug 16 14:04:02 vyos charon: 11[NET] received packet: from <client-public-ip>[4500] to <VyOS-public-ip>[4500] (60 bytes)
Aug 16 14:04:02 vyos charon: 11[ENC] parsed QUICK_MODE request 4255456000 [ HASH ]
Aug 16 14:04:02 vyos charon: 11[IKE] CHILD_SA remote-access{18} established with SPIs cf4e5413_i 07ed3e41_o and TS <VyOS-public-ip>/32[udp/l2f] === <client-public-ip>/32[udp/63649]
Aug 16 14:04:08 vyos xl2tpd[11830]: Maximum retries exceeded for tunnel 2106. Closing.
Aug 16 14:04:08 vyos xl2tpd[11830]: Connection 43 closed to <client-public-ip>, port 63649 (Timeout)
Aug 16 14:04:18 vyos xl2tpd[11830]: Maximum retries exceeded for tunnel 48596. Closing.
Aug 16 14:04:18 vyos xl2tpd[11830]: Connection 43 closed to <client-public-ip>, port 63649 (Timeout)
Aug 16 14:04:22 vyos charon: 15[NET] received packet: from <client-public-ip>[4500] to <VyOS-public-ip>[4500] (76 bytes)
Aug 16 14:04:22 vyos charon: 15[ENC] parsed INFORMATIONAL_V1 request 15440767 [ HASH D ]
Aug 16 14:04:22 vyos charon: 15[IKE] received DELETE for ESP CHILD_SA with SPI 07ed3e41
Aug 16 14:04:22 vyos charon: 15[IKE] closing CHILD_SA remote-access{18} with SPIs cf4e5413_i (576 bytes) 07ed3e41_o (0 bytes) and TS <VyOS-public-ip>/32[udp/l2f] === <client-public-ip>/32[udp/63649]
Aug 16 14:04:22 vyos charon: 05[NET] received packet: from <client-public-ip>[4500] to <VyOS-public-ip>[4500] (92 bytes)
Aug 16 14:04:22 vyos charon: 05[ENC] parsed INFORMATIONAL_V1 request 2900389333 [ HASH D ]
Aug 16 14:04:22 vyos charon: 05[IKE] received DELETE for IKE_SA remote-access[18]
Aug 16 14:04:22 vyos charon: 05[IKE] deleting IKE_SA remote-access[18] between <VyOS-public-ip>[<VyOS-public-ip>]...<client-public-ip>[10.9.0.66]
```
If I add the following lines I successfully connect to VyOS:
```
set nat source rule 110 outbound-interface 'eth2'
set nat source rule 110 source address '192.168.10.16/28'
set nat source rule 110 translation address 'masquerade'
```
Logs of a successful connection:
```
Aug 16 14:13:51 vyos charon: 06[NET] received packet: from <client-public-ip>[500] to <VyOS-public-ip>[500] (788 bytes)
Aug 16 14:13:51 vyos charon: 06[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Aug 16 14:13:51 vyos charon: 06[IKE] received NAT-T (RFC 3947) vendor ID
Aug 16 14:13:51 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Aug 16 14:13:51 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Aug 16 14:13:51 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Aug 16 14:13:51 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Aug 16 14:13:51 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Aug 16 14:13:51 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Aug 16 14:13:51 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug 16 14:13:51 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug 16 14:13:51 vyos charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 16 14:13:51 vyos charon: 06[IKE] received FRAGMENTATION vendor ID
Aug 16 14:13:51 vyos charon: 06[IKE] received DPD vendor ID
Aug 16 14:13:51 vyos charon: 06[IKE] <client-public-ip> is initiating a Main Mode IKE_SA
Aug 16 14:13:51 vyos charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 16 14:13:51 vyos charon: 06[ENC] generating ID_PROT response 0 [ SA V V V V ]
Aug 16 14:13:51 vyos charon: 06[NET] sending packet: from <VyOS-public-ip>[500] to <client-public-ip>[500] (160 bytes)
Aug 16 14:13:51 vyos charon: 16[NET] received packet: from <client-public-ip>[500] to <VyOS-public-ip>[500] (228 bytes)
Aug 16 14:13:51 vyos charon: 16[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 16 14:13:51 vyos charon: 16[IKE] remote host is behind NAT
Aug 16 14:13:51 vyos charon: 16[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 16 14:13:51 vyos charon: 16[NET] sending packet: from <VyOS-public-ip>[500] to <client-public-ip>[500] (244 bytes)
Aug 16 14:13:51 vyos charon: 13[NET] received packet: from <client-public-ip>[4500] to <VyOS-public-ip>[4500] (108 bytes)
Aug 16 14:13:51 vyos charon: 13[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Aug 16 14:13:51 vyos charon: 13[CFG] looking for pre-shared key peer configs matching <VyOS-public-ip>...<client-public-ip>[10.9.0.66]
Aug 16 14:13:51 vyos charon: 13[CFG] selected peer config "remote-access"
Aug 16 14:13:51 vyos charon: 13[IKE] IKE_SA remote-access[19] established between <VyOS-public-ip>[<VyOS-public-ip>]...<client-public-ip>[10.9.0.66]
Aug 16 14:13:51 vyos charon: 13[ENC] generating ID_PROT response 0 [ ID HASH ]
Aug 16 14:13:51 vyos charon: 13[NET] sending packet: from <VyOS-public-ip>[4500] to <client-public-ip>[4500] (76 bytes)
Aug 16 14:13:52 vyos charon: 08[NET] received packet: from <client-public-ip>[4500] to <VyOS-public-ip>[4500] (316 bytes)
Aug 16 14:13:52 vyos charon: 08[ENC] parsed QUICK_MODE request 216814678 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 16 14:13:52 vyos charon: 08[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Aug 16 14:13:52 vyos charon: 08[IKE] received 3600s lifetime, configured 0s
Aug 16 14:13:52 vyos charon: 08[ENC] generating QUICK_MODE response 216814678 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 16 14:13:52 vyos charon: 08[NET] sending packet: from <VyOS-public-ip>[4500] to <client-public-ip>[4500] (204 bytes)
Aug 16 14:13:52 vyos charon: 11[NET] received packet: from <client-public-ip>[4500] to <VyOS-public-ip>[4500] (60 bytes)
Aug 16 14:13:52 vyos charon: 11[ENC] parsed QUICK_MODE request 216814678 [ HASH ]
Aug 16 14:13:52 vyos charon: 11[IKE] CHILD_SA remote-access{19} established with SPIs cd6f9289_i 091167b9_o and TS <VyOS-public-ip>/32[udp/l2f] === <client-public-ip>/32[udp/55158]
Aug 16 14:13:52 vyos xl2tpd[11830]: Connection established to <client-public-ip>, 55158. Local: 38383, Remote: 44 (ref=0/0). LNS session is 'default'
Aug 16 14:13:52 vyos xl2tpd[11830]: Call established with <client-public-ip>, Local: 56587, Remote: 41258, Serial: 1
Aug 16 14:13:52 vyos pppd[25726]: pppd 2.4.7 started by root, uid 0
Aug 16 14:13:52 vyos netplugd[928]: ppp0: ignoring event
Aug 16 14:13:52 vyos pppd[25726]: Using interface ppp0
Aug 16 14:13:52 vyos pppd[25726]: Connect: ppp0 <--> /dev/pts/1
Aug 16 14:13:55 vyos pppd[25726]: Warning - secret file /etc/ppp/chap-secrets has world and/or group access
Aug 16 14:13:55 vyos pppd[25726]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Aug 16 14:13:55 vyos pppd[25726]: Unsupported protocol 'Apple Client Server Protocol Control' (0x8235) received
Aug 16 14:13:56 vyos kernel: [33191.100211] l2tp0: renamed from ppp0
Aug 16 14:13:56 vyos pppd[25726]: Cannot determine ethernet address for proxy ARP
Aug 16 14:13:56 vyos pppd[25726]: local IP address 10.255.255.0
Aug 16 14:13:56 vyos pppd[25726]: remote IP address 192.168.10.20
Aug 16 14:13:56 vyos pppd[25726]: Protocol-Reject for unsupported protocol 'IPv6' (0x57)
Aug 16 14:13:57 vyos pppd[25726]: Protocol-Reject for unsupported protocol 'IPv6' (0x57)
```
I would really appreciate your advice.
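A small triage script, added here as an example (it is not part of the original post and not VyOS code): it reads the charon, xl2tpd and pppd lines from one connection attempt and reports whether IPsec came up, whether the L2TP control channel then established or timed out, and, from the byte counters charon prints when the CHILD_SA closes, whether any reply traffic ever went back out through the SA. The verdict strings and the abridged sample lines are constructed for this example.

```python
import re
# Patterns for the charon, xl2tpd and pppd lines quoted in the post (syslog format).
CHILD_UP = re.compile(r"charon: \d+\[IKE\] CHILD_SA \S+ established with SPIs")
CHILD_DOWN = re.compile(r"closing CHILD_SA \S+ with SPIs \w+_i \((\d+) bytes\) \w+_o \((\d+) bytes\)")
L2TP_TIMEOUT = re.compile(r"xl2tpd\[\d+\]: Maximum retries exceeded for tunnel (\d+)\.")
L2TP_UP = re.compile(r"xl2tpd\[\d+\]: Connection established to \S+, \d+\.")
PPP_IP = re.compile(r"pppd\[\d+\]: remote IP address (\S+)$")

def triage(lines):
    """Reduce one connection attempt's syslog lines to a few facts and a verdict."""
    r = {"ipsec_up": False,                  # CHILD_SA established (ESP for UDP/1701)
         "bytes_in": -1, "bytes_out": -1,    # ESP counters charon prints on SA close
         "l2tp_timeouts": [], "l2tp_up": False, "ppp_remote_ip": ""}
    for line in lines:
        if CHILD_UP.search(line):
            r["ipsec_up"] = True
        elif m := CHILD_DOWN.search(line):
            r["bytes_in"], r["bytes_out"] = int(m.group(1)), int(m.group(2))
        elif m := L2TP_TIMEOUT.search(line):
            r["l2tp_timeouts"].append(int(m.group(1)))
        elif L2TP_UP.search(line):
            r["l2tp_up"] = True
        elif m := PPP_IP.search(line):
            r["ppp_remote_ip"] = m.group(1)
    r["verdict"] = verdict(r)
    return r

def verdict(r):
    if not r["ipsec_up"]:
        return "no-ipsec"
    if r["l2tp_up"]:
        return "ok" if r["ppp_remote_ip"] else "l2tp-ok-ppp-pending"
    if r["l2tp_timeouts"]:
        # Bytes entered the SA but none left: the LNS replies never went back into the tunnel.
        if r["bytes_in"] > 0 and r["bytes_out"] == 0:
            return "ipsec-ok-l2tp-timeout-no-return-traffic"
        return "ipsec-ok-l2tp-timeout"
    return "ipsec-ok-l2tp-pending"

# Constructed samples, abridged from the two excerpts in the post (placeholders kept).
FAILED_LOG = [
    "Aug 16 14:04:02 vyos charon: 11[IKE] CHILD_SA remote-access{18} established with SPIs cf4e5413_i 07ed3e41_o and TS <VyOS-public-ip>/32[udp/l2f] === <client-public-ip>/32[udp/63649]",
    "Aug 16 14:04:08 vyos xl2tpd[11830]: Maximum retries exceeded for tunnel 2106. Closing.",
    "Aug 16 14:04:22 vyos charon: 15[IKE] closing CHILD_SA remote-access{18} with SPIs cf4e5413_i (576 bytes) 07ed3e41_o (0 bytes) and TS <VyOS-public-ip>/32[udp/l2f] === <client-public-ip>/32[udp/63649]",
]
OK_LOG = [
    "Aug 16 14:13:52 vyos charon: 11[IKE] CHILD_SA remote-access{19} established with SPIs cd6f9289_i 091167b9_o and TS <VyOS-public-ip>/32[udp/l2f] === <client-public-ip>/32[udp/55158]",
    "Aug 16 14:13:52 vyos xl2tpd[11830]: Connection established to <client-public-ip>, 55158. Local: 38383, Remote: 44 (ref=0/0).",
    "Aug 16 14:13:56 vyos pppd[25726]: remote IP address 192.168.10.20",
]
```

Run it over the full excerpts above with `triage(open("syslog").read().splitlines())`; the "no-return-traffic" verdict is the one to look for when the SA comes up but xl2tpd keeps retrying.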