Masquerade outgoing VPN traffic to source of VyOS Internal IP

Hi,
I hope my question is easy to answer …
I am setting up an IPSec VPN with VyOS 1.3-rolling-202006081325 and a Cisco device (unclear what type, only know it has VPN capabilities).

Due to the Cisco side's demands I am having to provide them an internal IP as host, and I chose the VyOS's LAN interface for this.
The tunnel is connected, but I can see no traffic passing through it, and I suspect my source NAT is wrong.
My configuration is like this:

set vpn ipsec ike-group ike-to-cisco-device close-action 'none'
set vpn ipsec ike-group ike-to-cisco-device ikev2-reauth 'no'
set vpn ipsec ike-group ike-to-cisco-device key-exchange 'ikev1'
set vpn ipsec ike-group ike-to-cisco-device lifetime '86400'
set vpn ipsec ike-group ike-to-cisco-device proposal 1 dh-group '2'
set vpn ipsec ike-group ike-to-cisco-device proposal 1 encryption 'aes256'
set vpn ipsec ike-group ike-to-cisco-device proposal 1 hash 'sha1'

set vpn ipsec esp-group esp-to-cisco-device compression 'disable'
set vpn ipsec esp-group esp-to-cisco-device lifetime '28800'
set vpn ipsec esp-group esp-to-cisco-device mode 'tunnel'
set vpn ipsec esp-group esp-to-cisco-device pfs 'disable'
set vpn ipsec esp-group esp-to-cisco-device proposal 1 encryption 'aes256'
set vpn ipsec esp-group esp-to-cisco-device proposal 1 hash 'sha1'

set vpn ipsec site-to-site peer cisco-peer-ip authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer cisco-peer-ip authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer cisco-peer-ip connection-type 'initiate'
set vpn ipsec site-to-site peer cisco-peer-ip default-esp-group 'esp-to-cisco-device'
set vpn ipsec site-to-site peer cisco-peer-ip description 'IPSec to Cisco Device'
set vpn ipsec site-to-site peer cisco-peer-ip ike-group 'ike-to-cisco-device'
set vpn ipsec site-to-site peer cisco-peer-ip ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer cisco-peer-ip local-address 'vyos-peer-ip'
set vpn ipsec site-to-site peer cisco-peer-ip tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer cisco-peer-ip tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer cisco-peer-ip tunnel 0 local prefix 'vyos-lan-ip/32'
set vpn ipsec site-to-site peer cisco-peer-ip tunnel 0 remote prefix '10.0.90.82/32'

set nat source rule 101 description 'to to-cisco-device 10.0.90.82'
set nat source rule 101 destination address '10.0.90.82/32'
set nat source rule 101 exclude
set nat source rule 101 outbound-interface 'eth2'
set nat source rule 101 source address 'vyos-subnet/16'
set nat source rule 101 translation address 'vyos-lan-ip'

I am really stumped by traffic not using the tunnel to reach the destination peer's host IP.
Please, what am I doing wrong?

Please share the output of show vpn ipsec sa, and there we can see if the counters are increasing or not.
Also, please share the output of show ip route and show ip route table 220.

I see that you specified vyos-lan-ip/32 for the local prefix. This will only match traffic that is generated by the router, with that IP. How are you testing connectivity? Please share the test too.

Probably, SNAT kicks in after the IPsec policy match. So your IPsec policy won't match, and packets won't get tunneled.
The way around this is using a VTI tunnel or GRE inside the IPsec tunnel you already have.

Hmm. I am testing with netcat from hosts sitting behind the router (on the different subnets it manages).
Counters aren't being increased. This is what made me ask for help in whatever I am doing wrong, really.
I don't want to expose the entire subnet behind the router (a /16) to the Cisco VPN.

The show vpn ipsec sa output for the relevant tunnel is:
peer-cisco-peer-ip-tunnel-0 up 1h55m4s 0B/0B 0/0 cisco-peer-ip N/A AES_CBC_256/HMAC_SHA1_96

show ip route and show ip route table 220 don't list any of the IPs involved with this tunnel. Is that weird?

Rethinking...
SNAT should come before IPsec policy matching. Normally, on an S2S tunnel, we need a NAT exclude.
So instead of turning it into a route-based VPN (which will work), check that eth2 is the interface where the S2S tunnel originates; otherwise the NAT rule won't work.
When trying to ping, check conntrack to see if the translation is active.
And test without NAT, by pinging from VyOS itself.

I guess that's what's happening now. I asked them to modify the host IP from the VyOS's internal IP to the external IP, and traffic flows through the tunnel now.
So the VyOS's WAN IP is both host and peer.

Now I notice this in the original config:
set nat source rule 101 exclude
Instead of exclude, you need SNAT. And rule 101 should come before the default masquerade.
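The NAT arrangement that reply is describing, written out as an added example (this is not the original poster's configuration and not taken from VyOS documentation): the /16 behind the router is translated to the LAN IP that the tunnel's local prefix already matches, and that rule sits ahead of the generic masquerade. The placeholders vyos-lan-ip, vyos-subnet, cisco-peer-ip, 10.0.90.82 and eth2 are the ones used in the thread; rule 999 as the default masquerade is an assumption, since the thread never shows that rule, and eth2 is assumed to be the interface that holds the tunnel's local-address.

```vyos
# Added example, not the poster's config. Placeholders (vyos-lan-ip,
# vyos-subnet, cisco-peer-ip, 10.0.90.82, eth2) come from the thread;
# rule number 999 for the default masquerade is an assumption.

# Policy-based tunnel: the local side is the single LAN IP the Cisco side
# expects, so only packets that already carry that source address are
# selected for the SA.
set vpn ipsec site-to-site peer cisco-peer-ip tunnel 0 local prefix 'vyos-lan-ip/32'
set vpn ipsec site-to-site peer cisco-peer-ip tunnel 0 remote prefix '10.0.90.82/32'

# Rule 101: translate (not exclude) the LAN /16 to the LAN IP, and only for
# the Cisco host. Source NAT rules are evaluated in ascending number order,
# so 101 is matched before the masquerade rule below. After translation the
# packet's source is vyos-lan-ip, which matches the 'vyos-lan-ip/32' policy.
set nat source rule 101 description 'SNAT LAN to Cisco host 10.0.90.82 via IPsec'
set nat source rule 101 destination address '10.0.90.82/32'
set nat source rule 101 outbound-interface 'eth2'
set nat source rule 101 source address 'vyos-subnet/16'
set nat source rule 101 translation address 'vyos-lan-ip'

# Rule 999 (assumed): the general masquerade for Internet-bound traffic.
# If this rule were numbered below 101 it would run first, the packet would
# leave with the WAN IP, miss the 'vyos-lan-ip/32' policy and never be
# tunneled; the original 'exclude' on rule 101 fails for the same reason,
# because an untranslated packet still carries a source inside vyos-subnet/16.
set nat source rule 999 description 'Default masquerade to Internet'
set nat source rule 999 outbound-interface 'eth2'
set nat source rule 999 source address 'vyos-subnet/16'
set nat source rule 999 translation address 'masquerade'
```

After commit, retest from a LAN host: the byte and packet counters in show vpn ipsec sa for peer-cisco-peer-ip-tunnel-0 should start moving. With this arrangement only the single LAN IP is exposed to the Cisco side, which is what the poster wanted, and the /16 is never offered as a traffic selector.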

Thank you! I will test that out