NAT + IPSec VPN


#1

I’m trying to set up a VPN on VyOS to match the instructions given here for a Cisco ASA.

As near as I can make out, that should be satisfied with this config:

interfaces {
    vti vti0 {
        address 172.29.41.100/32
    }
}
nat {
    source {
        rule 110 {
            description "Outbound to Sunrise"
            destination {
                address 172.27.1.0/24
            }
            outbound-interface vti0
            source {
                address INTERNAL_SUBNET
            }
            translation {
                address 172.29.41.100
            }
        }
        rule 120 {
            description "Outbound to Sunrise"
            destination {
                address 10.125.0.0/16
            }
            outbound-interface vti0
            source {
                address INTERNAL_SUBNET
            }
            translation {
                address 172.29.41.100
            }
        }
    }
}
vpn {
    ipsec {
        esp-group ebix-sunrise-esp {
            compression disable
            lifetime 3600
            mode tunnel
            pfs disable
            proposal 1 {
                encryption 3des
                hash md5
            }
        }
        ike-group ebix-sunrise-ike {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 7800
            proposal 1 {
                dh-group 2
                encryption 3des
                hash md5
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        nat-traversal enable
        site-to-site {
            peer EBIX_PEER_IP {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                default-esp-group ebix-sunrise-esp
                ike-group ebix-sunrise-ike
                ikev2-reauth inherit
                local-address EXTERNAL_REQD_SOURCE_IP
                vti {
                    bind vti0
                }
            }
        }
    }
}

Local subnet is 172.16.0.0/24, and as you can see from the document, access to sites on the other side of the VPN requires that the source be NAT’d to a 172.29 address (172.29.41.100 is the example). On the far side of the VPN are two subnets, 172.27.1.0/24 and 10.125.0.0/16.

The problem is that it doesn’t work, and I can’t see anything in the logs to describe why. I think I have the NAT correct, but apparently the proposal isn’t being accepted (or sent??).

Suggestions very welcome (e.g. “Where’s the log”, “Try this” etc)


#2

Make sure IPsec and IKE are working, then look for routes, then worry about NAT.

  1. show vpn ike sa
  2. show vpn ipsec sa
  3. show ip route kernel
  4. grep pluto /var/log/messages

#3

Solution found and documented (i.e. I wrote the whole thing up for others who might need it)

http://vyos.net/wiki/NAT_Before_VPN

Basically my specific problem was two-fold:

  • The remote VPN concentrator is not configured for VTI, so I had to use two tunnels on the IPsec connection.
  • I had the wrong local configuration for the tunnels: this provider is very sensitive to only having the single IP address as the local side of each tunnel.
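The two points above translate into a policy-based (non-VTI) configuration. The fragment below is an added illustration, not the poster's own config or the wiki page's text: it keeps the names and addresses from post #1 (peer EBIX_PEER_IP, local address EXTERNAL_REQD_SOURCE_IP, the ebix-sunrise esp/ike groups, which are unchanged and omitted here) and assumes eth1 is the external interface and 172.16.0.0/24 is the internal subnet, as stated in the thread. The `vti vti0` interface and the `vti { bind vti0 }` stanza are dropped; instead each remote subnet gets its own tunnel whose local side is only the single NAT address 172.29.41.100/32, and the source NAT rules move to the external interface so the rewrite happens before the IPsec policy lookup.

```text
nat {
    source {
        rule 110 {
            description "NAT before VPN: internal -> 172.27.1.0/24"
            destination {
                address 172.27.1.0/24
            }
            outbound-interface eth1
            source {
                address 172.16.0.0/24
            }
            translation {
                address 172.29.41.100
            }
        }
        rule 120 {
            description "NAT before VPN: internal -> 10.125.0.0/16"
            destination {
                address 10.125.0.0/16
            }
            outbound-interface eth1
            source {
                address 172.16.0.0/24
            }
            translation {
                address 172.29.41.100
            }
        }
    }
}
vpn {
    ipsec {
        ipsec-interfaces {
            interface eth1
        }
        nat-traversal enable
        site-to-site {
            peer EBIX_PEER_IP {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                default-esp-group ebix-sunrise-esp
                ike-group ebix-sunrise-ike
                local-address EXTERNAL_REQD_SOURCE_IP
                tunnel 1 {
                    local {
                        prefix 172.29.41.100/32
                    }
                    remote {
                        prefix 172.27.1.0/24
                    }
                }
                tunnel 2 {
                    local {
                        prefix 172.29.41.100/32
                    }
                    remote {
                        prefix 10.125.0.0/16
                    }
                }
            }
        }
    }
}
```

The order of operations is what makes this work: a packet from 172.16.0.0/24 to one of the remote subnets is source-translated to 172.29.41.100 on its way out of eth1, and only the translated packet matches a tunnel's local/remote prefix pair, so the peer never sees the internal addresses it was not configured to accept. The same sequence from post #2 still applies when verifying it: `show vpn ike sa` and `show vpn ipsec sa` should show one IKE SA and two child SAs (one per tunnel) before any NAT troubleshooting is worth doing. The 3DES/MD5 proposals carried over from post #1 are legacy algorithms dictated by the remote side; where the peer allows it, stronger ESP and IKE proposals should be preferred.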