Why is the outbound interface eth0v10 not work, but eth0 does? Are virtual interfaces not valid for NAT? The command line gives you an option to use the eth0v10. Is this correct behavior?
I have a site-to-site VPN setup where I can’t ping from the router on Site A (VyOS) to Site B. I think my ping traffic to 192.168.2.0/24 is getting NAT’d when it shouldn’t be, but based on the rule below it shouldn’t be. Maybe a routing? Basically I have the IPSEC connection setup to a floating IP that moves when VRRP failover happens.
Here is what I’ve tested:
Ping from Site A router → Site B local machine = No
Ping from Site A local machine → Site B local machine = Yes
Ping from Site B local machine → Site A router = Yes
Interfaces:
eth0 -> WAN IP
eth0v10 -> Secondary WAN IP created by VRRP
What source IP address is used when pinging from RouterA to siteB ?
(Look into conntrack session list while pinging)
This should be an IP address which matches ipsec policy.
Updated my default route to my primary WAN IP instead of Secondary (pretty sure this wasn’t the issue). Vultr doesn’t provide a default gateway for the Secondary (floating)
My NAT rules use ETH0, not ETH0V10 created by VRRP (also don’t think this was the cause)
Added Secondary WAN IP to ETH0 (this was the issue)
Changed IPSEC interface to ETH0 from ETH0V10
Basically I was trying to avoid the same IP show up twice in the “show interfaces” command
Eth0 - Show my Primary and Secondary IP
Eth0v10 - Shows my Secondary IP
All in all the following have to line up
Your IP on the WAN needs to have the matching static route Gateway IP
That interface needs to be configured in the IPSEC settings
Instead of adjusting default route, you could also use specific route for
192.168.2.0/24 , pointing to GW used on interface doing ipsec
Same goes for a /32 route for remote ipsec peer