NAT for traffic to pass through IPSec Tunnel with VRRP IPs

sinaowolabi · June 29, 2022, 2:46pm

Hi
I am using version 1.4-rolling-202204140217.
I have a VPN tunnel setup using the VyOS’ 2 VRRP IP addresses (one as host, the other as peer), which requires I SNAT the traffic from the internal subnets behind the VyOS as one of the VRRP IPs.
Unfortunately I am unable to successfully SNAT, and traffic from the internal subnets cannot board the tunnel. I would appreciate some assistance in figuring out what I am doing wrong.
I need to SNAT traffic from 10.100.0.0/16 to 81.B.B.B in order to reach VPN host subnet at the other side 172.24.96.0/20, while 81.A.A.A forms the tunnel.

My configuration is like this:

#run show interfaces
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             81.C.C.C/27                   u/u  WAN
                 81.A.A.A/27                        
                 81B.B.B/27

# show nat source
 rule 5 {
     destination {
         address 172.24.96.0/20
     }
     exclude
     outbound-interface eth0
 }
 rule 10 {
     outbound-interface eth0
     source {
         address 10.100.0.0/16
     }
     translation {
         address 81.B.B.B
     }
 }

No traffic on the VPN

peer_196-X-X-X_tunnel_0  up       39m7s     0B/0B           0B/0B             196.X.X.X     196.X.X.X  AES_CBC_256/HMAC_SHA1_96
peer_196-X-X-X_tunnel_1  up       40m19s    0B/0B           0B/0B             196.X.X.X     196.X.X.X  AES_CBC_256/HMAC_SHA1_96
peer_196-X-X-X_tunnel_2  up       39m42s    0B/0B           0B/0B             196.X.X.X     196.X.X.X  AES_CBC_256/HMAC_SHA1_96
peer_196-X-X-X_tunnel_3  up       39m6s     0B/0B           0B/0B             196.X.X.X     196.X.X.X  AES_CBC_256/HMAC_SHA1_96
peer_196-X-X-X_tunnel_4  up       38m51s    0B/0B           0B/0B             196.X.X.X     196.X.X.X  AES_CBC_256/HMAC_SHA1_96
peer_196-X-X-X_tunnel_5  up       40m11s    0B/0B           0B/0B             196.X.X.X     196.X.X.X  AES_CBC_256/HMAC_SHA1_96

fernando · June 29, 2022, 8:30pm

hi

I think we need more information about what type of tunnel do you use? (base-VPN or route-VPN) , also if you have a LAN interface or just one interface(eth0). however, if you are configured well your tunnel, should be able to reach another site of VPN without Nat settings.

fernando.

sinaowolabi · June 30, 2022, 7:38am

Apologies.
Its a site to site VPN (I guess based? Not really sure).
My VPN configuration is like this:

set vpn ipsec esp-group esp-s2s compression 'disable'
set vpn ipsec esp-group esp-s2s lifetime '3600'
set vpn ipsec esp-group esp-s2s mode 'tunnel'
set vpn ipsec esp-group esp-s2s pfs 'disable'
set vpn ipsec esp-group esp-s2s proposal 1 encryption 'aes256'
set vpn ipsec esp-group esp-s2s proposal 1 hash 'sha1'
set vpn ipsec ike-group ike-s2s dead-peer-detection action 'clear'
set vpn ipsec ike-group ike-s2s dead-peer-detection interval '30'
set vpn ipsec ike-group ike-s2s dead-peer-detection timeout '90'
set vpn ipsec ike-group ike-s2s ikev2-reauth 'no'
set vpn ipsec ike-group ike-s2s key-exchange 'ikev1'
set vpn ipsec ike-group ike-s2s lifetime '86400'
set vpn ipsec ike-group ike-s2s proposal 1 dh-group '2'
set vpn ipsec ike-group ike-s2s proposal 1 encryption 'aes256'
set vpn ipsec ike-group ike-s2s proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 196.X.X.X local-address '81.A.A.A'

set vpn ipsec site-to-site peer 196.X.X.X authentication id '81.A.A.A'
set vpn ipsec site-to-site peer 196.X.X.X authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 196.X.X.X authentication pre-shared-secret ''
set vpn ipsec site-to-site peer 196.X.X.X authentication remote-id '196.X.X.X'
set vpn ipsec site-to-site peer 196.X.X.X connection-type 'initiate'
set vpn ipsec site-to-site peer 196.X.X.X ike-group 'ike-s2s'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 0 esp-group 'esp-s2s'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 0 local prefix '81.B.B.B/32'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 0 remote prefix '172.24.98.155/32'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 1 esp-group 'esp-s2s'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 1 local prefix '81.B.B.B/32'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 1 remote prefix '172.24.98.157/32'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 2 esp-group 'esp-s2s'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 2 local prefix '81.B.B.B/32'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 2 remote prefix '172.24.96.62/32'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 3 esp-group 'esp-s2s'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 3 local prefix '81.B.B.B/32'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 3 remote prefix '172.24.96.64/32'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 4 esp-group 'esp-s2s'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 4 local prefix '81.B.B.B/32'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 4 remote prefix '172.24.104.65/32'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 5 esp-group 'esp-s2s'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 5 local prefix '81.B.B.B/32'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 5 remote prefix '172.24.106.65/32'

fernando · June 30, 2022, 3:31pm

well , there are some points that could cause the problem.

traffic selectors don’t match with this requirement ( 172.24.96.0/20 - you used all /32)
10.100.0.0/16 no present configuration
exclude nat isn’t necessary

if I understood , you want a translation form 10.100.0.0/16 to 8.1.b.b .it should be something like this :

set nat source rule 10 destination address '172.24.96.0/20'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.100.0.0/16'
set nat source rule 10 translation address '8.b.b.b'

and DNAT with the same logic

regards, fernando

sinaowolabi · June 30, 2022, 6:39pm

Thanks a lot! NAT is working correctly now, but unfortunately, tunnel is still being ignored. Could it be because I am using a subnet for NAT, instead of using the discrete IPs in the VPN configuration?

sinaowolabi · July 1, 2022, 8:02am

Even after reducing 172.24.96.0/20 to individual IPs, traffic still isnt onboarding the tunnel. Really stumped.

Nikolay · July 1, 2022, 9:09am

Usually LAN traffic towards the WAN is the target for NAT
And traffic from the local LAN to the remote LAN is the target for IPsec
So in your case I would do something like this:

set vpn ipsec site-to-site peer 196.X.X.X tunnel 1 local prefix '10.100.0.0/16'
set vpn ipsec site-to-site peer 196.X.X.X tunnel 1 remote prefix '172.24.96.0/20'

However, I may have completely misunderstood your task.
Could you draw a little diagram of what you want to achieve?

sinaowolabi · July 1, 2022, 10:52am

Certainly, apologies for any misconceptions.
I am trying to setup a VPN between another side (peer IP 196.X.X.X, remote prefix, 172.A.A.A/32, 172.B.B.B/32…) and the VRRP IPs on VyOS (peer 81.A.A.A, local prefix 81.B.B.B).
This means I need to NAT all subnets behind the VyOSes as 81.B.B.B, which I can do, but the traffic is being sent over the internet instead of through the tunnel.

16again · July 1, 2022, 4:29pm

@fernando What do you mean, NAT exclude isn’t necessary?
sNAT rules in topic start look OK to me.
But if some hidden rule already does NAT exclude, rule 10 will never kick in.

sinaowolabi · July 2, 2022, 7:52am

The already existing NAT excludes are for other VPN public remote prefixes.
I find that when I do NAT exclude (in a source rule 5, before any others) for this destination, the NAT to convert 10.100.0.0/16 to 81.B.B.B no longer applies.
The problem for me is, why doesnt it onboard the tunnel?

16again · July 2, 2022, 10:30am

If rule 5 matches, NAT processing stops, and sNAT in rule 10 won’t be hit.
Then packets will not enter the tunnel, as vpn-policy won’t be met. All local/remote policies have 81.B.B.B as source address, but packet still has original LAN source IP

sinaowolabi · July 2, 2022, 1:58pm

Yes. Also excluding at rule 10 does not help either. Im also not sure I saw the point of the destination nat with the same logic … either I did it wrong or it doesnt make a difference, the source nat works.
Or could not having a working DNAT be why encapsulation isnt happening?

sinaowolabi · July 2, 2022, 2:03pm

I suppose I could use an IP from each VyOS subnet to make use of the VPN tunnel … would this be easier?
And would VyOS all traffic from ALL subnets behind it to appear as the IPs selected, and encapsulate as needed?

16again · July 3, 2022, 7:10am

You don’t need dNAT to encapsulate your outgoing packets. dNAT is only needed if you have servers on your end, and the remote end needs to access using the tunnel

sinaowolabi · July 4, 2022, 7:35am

Yes, you are right.
I guess I cant get SNAT to work with an external IP local prefix.