Site to Site GRE issues

Hi,

I’m trying to set up a site to site VPN between my servers with a fixed IP and my apartment with a dynamic IP.

I’ve been using the example from the docs: IPsec — VyOS 1.4.x (sagitta) documentation (the last example, the one with a dynamic IP on one side)

Using the Troubleshooting steps at the bottom of the Tunnel docs, I am able to confirm steps 1 and 2, but not step 3.
https://docs.vyos.io/en/latest/configuration/interfaces/tunnel.html

In other words, the tunnel is up, and I can ping the 192.168.99.1 and 192.168.99.2 addresses from either side.

I’m fairly certain the problem is a combination of static routes, NAT and firewall rules; I’m just not able to find the combination that fixes it.

Any help would be greatly appreciated!

Everything else works as expected. I’ve tried to include all relevant configuration.

Left uses a static public IP (written as 1.2.3.4 here, with the gateway set to 1.2.3.1).
Right uses a PPPoE connection with a dynamic IP.

Right is set to initiate, Left to respond.

Config:

LEFT


set firewall interface eth0 in name 'OUTSIDE-IN'
set firewall interface eth0 local name 'OUTSIDE-LOCAL'
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN enable-default-log
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL enable-default-log
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 ipsec match-ipsec
set firewall name OUTSIDE-LOCAL rule 50 action 'accept'
set firewall name OUTSIDE-LOCAL rule 50 protocol 'gre'
set firewall name OUTSIDE-LOCAL rule 60 action 'accept'
set firewall name OUTSIDE-LOCAL rule 60 protocol 'esp'

set interfaces ethernet eth0 address '1.2.3.4/27'
set interfaces ethernet eth0 description 'WAN'

set interfaces loopback lo address '192.168.99.1/32'

set interfaces tunnel tun0 address '10.10.10.1/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 remote '192.168.99.2'
set interfaces tunnel tun0 source-address '192.168.99.1'


set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.100.10.0/24'
set nat source rule 100 translation address 'masquerade'



set protocols static route 0.0.0.0/0 next-hop 1.2.3.1
set protocols static route 10.1.0.0/16 interface tun0


set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer RIGHT authentication local-id 'LEFT'
set vpn ipsec site-to-site peer RIGHT authentication mode 'rsa'
set vpn ipsec site-to-site peer RIGHT authentication remote-id 'RIGHT'
set vpn ipsec site-to-site peer RIGHT authentication rsa local-key 'ipsec-LEFT'
set vpn ipsec site-to-site peer RIGHT authentication rsa remote-key 'ipsec-RIGHT'
set vpn ipsec site-to-site peer RIGHT connection-type 'respond'
set vpn ipsec site-to-site peer RIGHT default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer RIGHT ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer RIGHT local-address '1.2.3.4'
set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix '192.168.99.1/32'
set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix '192.168.99.2/32'

RIGHT


Firewall zones
set firewall name WAN-LOCAL default-action 'drop'
set firewall name WAN-LOCAL rule 10 action 'accept'
set firewall name WAN-LOCAL rule 10 description 'Allow EST/Related Traffic'
set firewall name WAN-LOCAL rule 10 state established 'enable'
set firewall name WAN-LOCAL rule 10 state related 'enable'
set firewall name WAN-LOCAL rule 20 action 'accept'
set firewall name WAN-LOCAL rule 20 protocol 'icmp'
set firewall name WAN-LOCAL rule 20 state new 'enable'
set firewall name WAN-LOCAL rule 40 action 'accept'
set firewall name WAN-LOCAL rule 40 ipsec match-ipsec
set firewall name WAN-LOCAL rule 50 action 'accept'
set firewall name WAN-LOCAL rule 50 protocol 'gre'
set firewall name WAN-LOCAL rule 60 action 'accept'
set firewall name WAN-LOCAL rule 60 protocol 'esp'

set firewall zone LOCAL default-action 'drop'
set firewall zone LOCAL from WAN firewall name 'WAN-LOCAL'
set firewall zone LOCAL local-zone


set interfaces pppoe pppoe0 authentication password 'password'
set interfaces pppoe pppoe0 authentication user 'user'
set interfaces pppoe pppoe0 description 'WAN connection'
set interfaces pppoe pppoe0 ip adjust-mss '1452'
set interfaces pppoe pppoe0 mtu '1492'
set interfaces pppoe pppoe0 no-peer-dns
set interfaces pppoe pppoe0 source-interface 'eth0'

set interfaces loopback lo address '192.168.99.2/32'

set interfaces tunnel tun0 address '10.10.10.2/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 remote '192.168.99.1'
set interfaces tunnel tun0 source-address '192.168.99.2'


set nat source rule 100 outbound-interface 'pppoe0'
set nat source rule 100 source address '10.1.0.0/16'
set nat source rule 100 translation address 'masquerade'

set protocols static route 10.2.0.0/24 interface tun0

set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
set vpn ipsec interface 'pppoe0'
set vpn ipsec site-to-site peer LEFT authentication local-id 'RIGHT'
set vpn ipsec site-to-site peer LEFT authentication mode 'rsa'
set vpn ipsec site-to-site peer LEFT authentication remote-id 'LEFT'
set vpn ipsec site-to-site peer LEFT authentication rsa local-key 'ipsec-RIGHT'
set vpn ipsec site-to-site peer LEFT authentication rsa remote-key 'ipsec-LEFT'
set vpn ipsec site-to-site peer LEFT connection-type 'initiate'
set vpn ipsec site-to-site peer LEFT default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer LEFT ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer LEFT local-address 'any'
set vpn ipsec site-to-site peer LEFT remote-address '1.2.3.4'
set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix '192.168.99.2/32'
set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix '192.168.99.1/32'

From the shared config and the guide you used, I do not see VPN config such as:

set vpn ipsec site-to-site peer right tunnel 1 protocol gre

I would recommend going one step at a time:

  • Leave the NAT config; I assume it’s needed for internet access from your LANs.
  • Remove the firewall (re-apply it later once the connectivity problem is solved).
  • Verify site-to-site VPN connectivity: check the IKE and IPsec status to ensure the VPN tunnel is up.

Thank you for getting back to me so quickly!

I think that is handled in the GRE tunnel configuration with:

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 address 10.10.10.1/30
set interfaces tunnel tun0 source-address 192.168.99.1
set interfaces tunnel tun0 remote 192.168.99.2

Am I misunderstanding this? It’s not covered in the second example config (the one with the dynamic IP), so I assumed it was not required in the site-to-site configuration.

I can also confirm that the IKE/IPsec are both up.

Connection          State    Type     Remote address    Local TS         Remote TS        Local id    Remote id    Proposal
------------------  -------  -------  ----------------  ---------------  ---------------  ----------  -----------  --------------------------
LEFT           up       IKEv1/2  1.2.3.4     -                -                RIGHT      LEFT    AES_GCM/256/None/MODP_1024
LEFT-tunnel-1  up       IPsec    1.2.3.4     192.168.99.2/32  192.168.99.1/32  RIGHT      LEFT    AES_GCM/256/None/None
Connection          State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------------  -------  --------  --------------  ----------------  ----------------  -----------  --------------
LEFT-tunnel-1  up       6m14s     0B/0B           0/0               1.2.3.4     LEFT    AES_GCM_16_256
Security Associations (1 up, 0 connecting):
   LEFT[3]: ESTABLISHED 7 minutes ago, x.x.x.x[RIGHT]...1.2.3.4[LEFT]
LEFT-tunnel-1{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf0aa4d5_i caa2bc71_o
LEFT-tunnel-1{5}:   192.168.99.2/32[gre] === 192.168.99.1/32[gre]
tun0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
    link/gre 192.168.99.2 peer 192.168.99.1
    inet 10.10.10.2/30 brd 10.10.10.3 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 z::y:z:a:b/64 scope link 
       valid_lft forever preferred_lft forever

    RX:  bytes  packets  errors  dropped  overrun       mcast
          2880       48       0        0        0           0
    TX:  bytes  packets  errors  dropped  carrier  collisions
             0        0       0        0        0           0

Make sure traffic sourced from the lo0 (loopback) addresses isn’t masqueraded — which seems OK in your config.
You don’t need to restrict the IPsec policy to GRE only; if you did, ping between 192.168.99.1/32 and 192.168.99.2/32 would no longer work.
To find out where the traffic ends up, use tcpdump to follow it.