I’m trying to set up a VPN on VyOS to match the instructions given here for a Cisco ASA.
Near as I can make out that should be satisfied with this config:
/* INTERNAL_SUBNET, EBIX_PEER_IP and EXTERNAL_REQD_SOURCE_IP are placeholders */
interfaces {
    vti vti0 {
        address 172.29.41.100/32
    }
}
nat {
    source {
        /* source NAT to the 172.29 address required by the far side */
        rule 110 {
            description "Outbound to Sunrise"
            destination {
                address 172.27.1.0/24
            }
            outbound-interface vti0
            source {
                address INTERNAL_SUBNET
            }
            translation {
                address 172.29.41.100
            }
        }
        rule 120 {
            description "Outbound to Sunrise"
            destination {
                address 10.125.0.0/16
            }
            outbound-interface vti0
            source {
                address INTERNAL_SUBNET
            }
            translation {
                address 172.29.41.100
            }
        }
    }
}
vpn {
    ipsec {
        esp-group ebix-sunrise-esp {
            compression disable
            lifetime 3600
            mode tunnel
            pfs disable
            proposal 1 {
                encryption 3des
                hash md5
            }
        }
        ike-group ebix-sunrise-ike {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 7800
            proposal 1 {
                dh-group 2
                encryption 3des
                hash md5
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        nat-traversal enable
        site-to-site {
            peer EBIX_PEER_IP {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                default-esp-group ebix-sunrise-esp
                ike-group ebix-sunrise-ike
                ikev2-reauth inherit
                local-address EXTERNAL_REQD_SOURCE_IP
                vti {
                    bind vti0
                }
            }
        }
    }
}
Local subnet is 172.16.0.0/24, and as you can see from the document, access to sites on the other side of the VPN requires that the source be NAT’d to a 172.29 address (172.29.41.100 is the example). On the far side of the VPN are two subnets, 172.27.1.0/24 and 10.125.0.0/16.
The problem is that it doesn’t work, and I can’t see anything in the logs that explains why. I think I have the NAT correct, but apparently the proposal isn’t being accepted (or sent??).
Suggestions very welcome (e.g. “Where’s the log”, “Try this” etc)
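On the "where's the log" question, here is an added example that is not part of the original post and not VyOS's own tooling: a small bash triage script for strongSwan (charon) log lines that separates a refused IKE proposal from a refused traffic selector, which are the two things that look the same from the outside ("the proposal isn't being accepted"). It assumes a strongSwan-based VyOS release where charon logs through syslog into /var/log/messages (the lines that `show log vpn ipsec` filters; `show vpn ike sa` and `show vpn ipsec sa` show live SA state). The log lines embedded in the script are constructed samples, using RFC 5737 documentation addresses in place of the real peer and local address, and the peer name and timestamps are invented for the sample.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from VyOS: triage strongSwan
# (charon) syslog lines for the two usual reasons an initiated IKEv1 tunnel
# never comes up. Assumes charon logs land in /var/log/messages (what
# "show log vpn ipsec" shows). The sample log lines below are constructed,
# with RFC 5737 documentation addresses standing in for the real endpoints.
set -eu

# Print the lines that matter when something is refused: what the peer
# offered, what we have configured, and charon's verdict.
proposal_summary() {
    grep -E 'received proposals:|configured proposals:|no (acceptable|matching) proposal|NO_PROPOSAL_CHOSEN|INVALID_ID_INFORMATION|TS_UNACCEPTABLE' "$1" || true
}

# Did IKE (phase 1) complete? charon logs "IKE_SA <name>[n] established between ...".
phase1_established() { grep -q 'IKE_SA .* established' "$1"; }

# Was a cipher/DH proposal refused? Locally as "no ... proposal found", or by
# the peer as a NO_PROPOSAL_CHOSEN notify.
proposal_rejected() { grep -qE 'no (acceptable|matching) proposal|NO_PROPOSAL_CHOSEN' "$1"; }

# Were the traffic selectors refused? A policy-based peer (crypto-map ACL)
# answers a selector it does not have a policy for with INVALID_ID_INFORMATION
# (IKEv1) or TS_UNACCEPTABLE (IKEv2).
selector_rejected() { grep -qE 'INVALID_ID_INFORMATION|TS_UNACCEPTABLE' "$1"; }

# One-word verdict for a log file, so the checks above can be scripted.
diagnose() {
    if phase1_established "$1"; then
        if selector_rejected "$1"; then echo phase2-selector-mismatch
        else echo phase1-ok
        fi
    elif proposal_rejected "$1"; then
        echo phase1-proposal-mismatch
    else
        echo no-verdict
    fi
}

# Constructed sample 1: the peer refuses the 3des/md5/group 2 IKE proposal.
SAMPLE_PROPOSAL=$(mktemp)
cat >"$SAMPLE_PROPOSAL" <<'EOF'
Jan  1 12:00:00 vyos charon: 09[IKE] <peer-198.51.100.1|1> initiating Main Mode IKE_SA peer-198.51.100.1[1] to 198.51.100.1
Jan  1 12:00:00 vyos charon: 09[CFG] <peer-198.51.100.1|1> configured proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Jan  1 12:00:00 vyos charon: 09[NET] <peer-198.51.100.1|1> sending packet: from 203.0.113.10[500] to 198.51.100.1[500] (180 bytes)
Jan  1 12:00:00 vyos charon: 10[NET] <peer-198.51.100.1|1> received packet: from 198.51.100.1[500] to 203.0.113.10[500] (40 bytes)
Jan  1 12:00:00 vyos charon: 10[IKE] <peer-198.51.100.1|1> received NO_PROPOSAL_CHOSEN error notify
EOF

# Constructed sample 2: IKE completes, but Quick Mode is refused because the
# peer has no policy matching the selectors we proposed.
SAMPLE_SELECTOR=$(mktemp)
cat >"$SAMPLE_SELECTOR" <<'EOF'
Jan  1 12:05:00 vyos charon: 11[IKE] <peer-198.51.100.1|2> IKE_SA peer-198.51.100.1[2] established between 203.0.113.10[203.0.113.10]...198.51.100.1[198.51.100.1]
Jan  1 12:05:00 vyos charon: 11[CFG] <peer-198.51.100.1|2> configured proposals: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Jan  1 12:05:01 vyos charon: 12[IKE] <peer-198.51.100.1|2> received INVALID_ID_INFORMATION error notify
EOF
trap 'rm -f "$SAMPLE_PROPOSAL" "$SAMPLE_SELECTOR"' EXIT

# Stand-alone run: verdict plus the supporting lines for each sample.
# Against a live box, point diagnose/proposal_summary at /var/log/messages.
for f in "$SAMPLE_PROPOSAL" "$SAMPLE_SELECTOR"; do
    echo "== $f: $(diagnose "$f")"
    proposal_summary "$f"
done
```

The reason to separate the two cases is the `vti` binding in the config above. A VyOS VTI is route-based and proposes 0.0.0.0/0 on both sides as traffic selectors, while an ASA configured with crypto-map ACLs only accepts selectors that match those ACLs, so a log showing phase 1 established followed by INVALID_ID_INFORMATION points at that mismatch rather than at the 3des/md5 proposal. A VTI also only carries traffic that is routed into it: 172.27.1.0/24 and 10.125.0.0/16 need routes with vti0 as the outgoing interface, otherwise packets never leave via vti0 and the two NAT rules with `outbound-interface vti0` never match.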