Hi,
I hope my question is easy to answer …
I am setting up an IPSec VPN between VyOS 1.3-rolling-202006081325 and a Cisco device (unclear what type; I only know it has VPN capabilities).
Due to the Cisco side's demands I have to provide them an internal IP as the host, and I chose the VyOS LAN interface for this.
The tunnel is connected, but I can see no traffic passing through it, and I suspect my source NAT is wrong.
My configuration is like this:
set vpn ipsec ike-group ike-to-cisco-device close-action 'none'
set vpn ipsec ike-group ike-to-cisco-device ikev2-reauth 'no'
set vpn ipsec ike-group ike-to-cisco-device key-exchange 'ikev1'
set vpn ipsec ike-group ike-to-cisco-device lifetime '86400'
set vpn ipsec ike-group ike-to-cisco-device proposal 1 dh-group '2'
set vpn ipsec ike-group ike-to-cisco-device proposal 1 encryption 'aes256'
set vpn ipsec ike-group ike-to-cisco-device proposal 1 hash 'sha1'

set vpn ipsec esp-group esp-to-cisco-device compression 'disable'
set vpn ipsec esp-group esp-to-cisco-device lifetime '28800'
set vpn ipsec esp-group esp-to-cisco-device mode 'tunnel'
set vpn ipsec esp-group esp-to-cisco-device pfs 'disable'
set vpn ipsec esp-group esp-to-cisco-device proposal 1 encryption 'aes256'
set vpn ipsec esp-group esp-to-cisco-device proposal 1 hash 'sha1'

set vpn ipsec site-to-site peer cisco-peer-ip authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer cisco-peer-ip authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer cisco-peer-ip connection-type 'initiate'
set vpn ipsec site-to-site peer cisco-peer-ip default-esp-group 'esp-to-cisco-device'
set vpn ipsec site-to-site peer cisco-peer-ip description 'IPSec to Cisco Device'
set vpn ipsec site-to-site peer cisco-peer-ip ike-group 'ike-to-cisco-device'
set vpn ipsec site-to-site peer cisco-peer-ip ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer cisco-peer-ip local-address 'vyos-peer-ip'
set vpn ipsec site-to-site peer cisco-peer-ip tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer cisco-peer-ip tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer cisco-peer-ip tunnel 0 local prefix 'vyos-lan-ip/32'
set vpn ipsec site-to-site peer cisco-peer-ip tunnel 0 remote prefix '10.0.90.82/32'

set nat source rule 101 description 'to to-cisco-device 10.0.90.82'
set nat source rule 101 destination address '10.0.90.82/32'
set nat source rule 101 exclude
set nat source rule 101 outbound-interface 'eth2'
set nat source rule 101 source address 'vyos-subnet/16'
set nat source rule 101 translation address 'vyos-lan-ip'
I am really stumped by traffic not using the tunnel to reach the destination peer’s host IP.
Please, what am I doing wrong?
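Editor's note with an added configuration example; this is not part of the original post and not VyOS project code. On VyOS (Linux netfilter plus strongSwan policy-based IPsec) source NAT in POSTROUTING is applied before the outbound IPsec policy lookup, so it is the post-NAT source address that has to fall inside `tunnel 0 local prefix`. Rule 101 as posted carries `exclude`, which tells VyOS not to translate matching traffic at all: LAN hosts therefore leave with their own vyos-subnet/16 addresses, never match the vyos-lan-ip/32 selector, and are routed in the clear (or dropped) instead of entering the tunnel. The fragment below removes `exclude` and keeps the translation to the LAN address. `eth2` is assumed to be the interface that holds `vyos-peer-ip`; the SNAT rule must sit on the interface the ESP packets leave through, not on the LAN interface. The Cisco side's crypto ACL is assumed to be the mirror image (10.0.90.82/32 to vyos-lan-ip/32), and the `show` commands use the VyOS 1.3 operational-mode names.

```text
# Added example, not from the original post: SNAT rule 101 without 'exclude',
# so LAN traffic to 10.0.90.82 is translated to the LAN address that the
# tunnel's local prefix announces. eth2 is assumed to be the WAN interface
# carrying 'vyos-peer-ip'; adjust interface names and addresses to your own.
configure
delete nat source rule 101 exclude
set nat source rule 101 description 'to cisco-device 10.0.90.82 via tunnel'
set nat source rule 101 destination address '10.0.90.82/32'
set nat source rule 101 outbound-interface 'eth2'
set nat source rule 101 source address 'vyos-subnet/16'
set nat source rule 101 translation address 'vyos-lan-ip'
commit
save
exit

# Verify from operational mode while a LAN host pings 10.0.90.82: the tunnel
# should show a non-zero byte count in both directions, and the translation
# table should list the LAN host rewritten to vyos-lan-ip.
show vpn ipsec sa
show nat source translations
```

If the byte counters on `show vpn ipsec sa` climb only in one direction, the return path is the next thing to check: the Cisco side must route 10.0.90.82's replies to vyos-lan-ip/32 into its own tunnel. Separately, the posted proposal (IKEv1, DH group 2, SHA-1, PFS disabled) is weak by current standards; if the Cisco device supports it, move to IKEv2 with at least DH group 14, SHA-256 and PFS enabled.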