Hi,
I’m trying to set up a site-to-site VPN between my servers (static public IP) and my apartment (dynamic IP over PPPoE).
I’ve been following the IPsec example in the VyOS 1.4.x (sagitta) documentation — the last one, with a dynamic IP on one side.
Working through the Troubleshooting steps at the bottom of the tunnel interface docs, steps 1 and 2 check out, but step 3 does not.
https://docs.vyos.io/en/latest/configuration/interfaces/tunnel.html
In other words, the IPsec SA is up and the two GRE endpoints (192.168.99.1 and 192.168.99.2) can ping each other, but the remaining step still fails.
I’m fairly sure the problem lies in the combination of static routes, NAT and firewall rules; I just haven’t found the combination that fixes it.
Any help would be greatly appreciated!
Everything else works as expected. I’ve tried to include all the relevant configuration (the PPPoE credentials below are placeholders).
LEFT has a static public IP (written as 1.2.3.4 here; gateway 1.2.3.1).
RIGHT gets its address over a PPPoE connection, so its public IP changes.
RIGHT is configured to initiate the IPsec connection and LEFT to respond.
Config:
LEFT
# LEFT: static public IP 1.2.3.4 on eth0, IPsec responder. Lines marked NOTE(review) are
# reviewer suggestions that need confirming against the live system; no setting is changed here.
set firewall interface eth0 in name 'OUTSIDE-IN'
set firewall interface eth0 local name 'OUTSIDE-LOCAL'
# OUTSIDE-IN: traffic forwarded in via eth0. Stateful allow only; everything else is dropped and logged.
# Note that decrypted LAN traffic enters via tun0 (no firewall bound there), not via this chain.
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN enable-default-log
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
# OUTSIDE-LOCAL: traffic addressed to the router itself on eth0.
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL enable-default-log
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
# Rule 20 admits only new echo-requests (RIGHT's WAN-LOCAL rule 20 admits all new ICMP; align them).
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
# Rule 40 accepts packets that arrived inside an IPsec SA (matched after decryption). Since the GRE
# tunnel runs between the two loopbacks, which are the only prefixes in the SA, this is the rule that
# should be admitting the inner GRE.
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 ipsec match-ipsec
# NOTE(review): rule 50 additionally accepts *cleartext* GRE from any source on the WAN. If rule 40
# already covers the GRE carried inside IPsec (confirm with the counters: show firewall name
# OUTSIDE-LOCAL statistics), rule 50 only widens the attack surface and can be removed. It cannot be
# scoped to the peer on this side because RIGHT's address is dynamic.
set firewall name OUTSIDE-LOCAL rule 50 action 'accept'
set firewall name OUTSIDE-LOCAL rule 50 protocol 'gre'
# Rule 60 admits ESP; it has to stay open to any source for the same reason.
# NOTE(review): nothing in this chain admits IKE (UDP/500, and UDP/4500 for NAT-T), yet RIGHT is the
# initiator, so its IKE_SA_INIT should land in default-action drop and show up in the log. If the SA
# comes up anyway, something not shown here is admitting it; make it explicit, e.g.
# rule 30 action 'accept' / protocol 'udp' / destination port '500,4500'.
set firewall name OUTSIDE-LOCAL rule 60 action 'accept'
set firewall name OUTSIDE-LOCAL rule 60 protocol 'esp'
set interfaces ethernet eth0 address '1.2.3.4/27'
set interfaces ethernet eth0 description 'WAN'
# The loopback /32 is the GRE endpoint and the only local prefix protected by the IPsec SA (tunnel 1).
set interfaces loopback lo address '192.168.99.1/32'
# GRE between the two loopbacks; 10.10.10.0/30 is the transit net for routes over the tunnel.
# NOTE(review): no MTU is set on tun0 while the path is GRE inside ESP inside PPPoE (1492); if pings
# work but TCP stalls, lower the tun0 MTU / add ip adjust-mss on tun0 as well.
set interfaces tunnel tun0 address '10.10.10.1/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 remote '192.168.99.2'
set interfaces tunnel tun0 source-address '192.168.99.1'
# Masquerade 10.100.10.0/24 towards the Internet. Scoped to outbound eth0, so traffic leaving via tun0
# is not rewritten.
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.100.10.0/24'
set nat source rule 100 translation address 'masquerade'
# Default route, plus RIGHT's LAN (10.1.0.0/16, matching RIGHT's NAT source) over the GRE tunnel.
set protocols static route 0.0.0.0/0 next-hop 1.2.3.1
set protocols static route 10.1.0.0/16 interface tun0
# NOTE(review): the NAT source above suggests LEFT's LAN is 10.100.10.0/24, but RIGHT only routes
# 10.2.0.0/24 to its tun0. Traffic from RIGHT's LAN to 10.100.10.0/24 would then follow RIGHT's default
# route and be masqueraded out pppoe0 instead of entering the tunnel. Confirm LEFT's real LAN prefix
# and make RIGHT's tun0 route match it (or vice versa).
# ESP: AES-256-GCM (AEAD). IKE: AES-256-GCM with SHA-256 as PRF/integrity.
# NOTE(review): dh-group '2' is 1024-bit MODP, which is considered too weak today; move both peers to
# dh-group '14' (2048-bit MODP) or higher / an ECP group. Both ends must change together or IKE will
# fail to negotiate.
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
# RSA authentication with explicit IDs and both public keys pinned by name; LEFT only responds, which
# is what lets RIGHT's address be dynamic.
set vpn ipsec site-to-site peer RIGHT authentication local-id 'LEFT'
set vpn ipsec site-to-site peer RIGHT authentication mode 'rsa'
set vpn ipsec site-to-site peer RIGHT authentication remote-id 'RIGHT'
set vpn ipsec site-to-site peer RIGHT authentication rsa local-key 'ipsec-LEFT'
set vpn ipsec site-to-site peer RIGHT authentication rsa remote-key 'ipsec-RIGHT'
set vpn ipsec site-to-site peer RIGHT connection-type 'respond'
set vpn ipsec site-to-site peer RIGHT default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer RIGHT ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer RIGHT local-address '1.2.3.4'
# Only the two loopback /32s are protected by IPsec; all LAN traffic rides inside the GRE tunnel, so
# no further tunnel stanzas are needed here.
set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix '192.168.99.1/32'
set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix '192.168.99.2/32'
RIGHT
Firewall zones
# RIGHT: dynamic public IP over pppoe0, IPsec initiator, zone-based firewall. Lines marked
# NOTE(review) are reviewer suggestions to confirm against the live system; no setting is changed here.
# WAN-LOCAL: traffic from the WAN zone to the router itself.
set firewall name WAN-LOCAL default-action 'drop'
set firewall name WAN-LOCAL rule 10 action 'accept'
set firewall name WAN-LOCAL rule 10 description 'Allow EST/Related Traffic'
set firewall name WAN-LOCAL rule 10 state established 'enable'
set firewall name WAN-LOCAL rule 10 state related 'enable'
# NOTE(review): rule 20 admits every new ICMP type from the Internet; LEFT's equivalent is limited to
# echo-request (icmp type-name 'echo-request'). Narrow this one the same way.
set firewall name WAN-LOCAL rule 20 action 'accept'
set firewall name WAN-LOCAL rule 20 protocol 'icmp'
set firewall name WAN-LOCAL rule 20 state new 'enable'
# Rule 40 accepts packets that arrived inside an IPsec SA (matched after decryption); this is what
# should be admitting the GRE carried between the two loopbacks.
set firewall name WAN-LOCAL rule 40 action 'accept'
set firewall name WAN-LOCAL rule 40 ipsec match-ipsec
# NOTE(review): rule 50 also accepts *cleartext* GRE from any Internet source. If rule 40 already
# carries the tunnel (check the rule counters), remove rule 50; otherwise at least add
# source address '1.2.3.4', which is possible on this side because LEFT's address is static.
set firewall name WAN-LOCAL rule 50 action 'accept'
set firewall name WAN-LOCAL rule 50 protocol 'gre'
# Rule 60 admits ESP from any source. NOTE(review): LEFT is static, so this can be scoped with
# source address '1.2.3.4'. Since RIGHT initiates, inbound IKE is covered by rule 10 (established);
# no separate IKE rule is needed here.
set firewall name WAN-LOCAL rule 60 action 'accept'
set firewall name WAN-LOCAL rule 60 protocol 'esp'
# Zone LOCAL is the router itself; only the WAN->LOCAL policy is shown.
# NOTE(review): the WAN zone's member definition (set firewall zone WAN interface pppoe0) is not in the
# post; without it the WAN-LOCAL chain is never consulted, so confirm it exists.
set firewall zone LOCAL default-action 'drop'
set firewall zone LOCAL from WAN firewall name 'WAN-LOCAL'
set firewall zone LOCAL local-zone
# PPPoE uplink on eth0 (credentials are placeholders). MTU 1492 with MSS clamping to 1452 for traffic
# leaving pppoe0; the GRE-in-ESP path adds further overhead on top of this.
set interfaces pppoe pppoe0 authentication password 'password'
set interfaces pppoe pppoe0 authentication user 'user'
set interfaces pppoe pppoe0 description 'WAN connection'
set interfaces pppoe pppoe0 ip adjust-mss '1452'
set interfaces pppoe pppoe0 mtu '1492'
set interfaces pppoe pppoe0 no-peer-dns
set interfaces pppoe pppoe0 source-interface 'eth0'
# The loopback /32 is the GRE endpoint and the only local prefix protected by the IPsec SA (tunnel 1).
set interfaces loopback lo address '192.168.99.2/32'
# GRE between the two loopbacks; 10.10.10.0/30 is the transit net.
# NOTE(review): no MTU/adjust-mss on tun0; if pings pass but TCP stalls once routing is fixed, lower
# the tun0 MTU to account for GRE + ESP + PPPoE overhead.
set interfaces tunnel tun0 address '10.10.10.2/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 remote '192.168.99.1'
set interfaces tunnel tun0 source-address '192.168.99.2'
# Masquerade RIGHT's LAN (10.1.0.0/16) towards the Internet; scoped to pppoe0, so tunnel-bound
# traffic is not rewritten -- as long as it actually gets routed to tun0 (see below).
set nat source rule 100 outbound-interface 'pppoe0'
set nat source rule 100 source address '10.1.0.0/16'
set nat source rule 100 translation address 'masquerade'
# NOTE(review): this is the likely cause of step 3 failing. RIGHT sends 10.2.0.0/24 over the tunnel,
# but LEFT's NAT rule suggests LEFT's LAN is 10.100.10.0/24, for which RIGHT has no route; that traffic
# would take the default route out pppoe0 and be masqueraded. LEFT, for its part, routes 10.1.0.0/16
# (RIGHT's LAN) to tun0, which does line up. Confirm LEFT's real LAN prefix and route it here, e.g.
# set protocols static route 10.100.10.0/24 interface tun0.
set protocols static route 10.2.0.0/24 interface tun0
# ESP: AES-256-GCM (AEAD). IKE: AES-256-GCM with SHA-256 as PRF/integrity. Proposals mirror LEFT.
# NOTE(review): dh-group '2' is 1024-bit MODP and considered too weak; move to dh-group '14' or higher
# on both peers at the same time.
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
set vpn ipsec interface 'pppoe0'
# RSA authentication, IDs and key names mirror LEFT. local-address 'any' plus connection-type
# 'initiate' is what makes the dynamic PPPoE address work: RIGHT always dials 1.2.3.4.
set vpn ipsec site-to-site peer LEFT authentication local-id 'RIGHT'
set vpn ipsec site-to-site peer LEFT authentication mode 'rsa'
set vpn ipsec site-to-site peer LEFT authentication remote-id 'LEFT'
set vpn ipsec site-to-site peer LEFT authentication rsa local-key 'ipsec-RIGHT'
set vpn ipsec site-to-site peer LEFT authentication rsa remote-key 'ipsec-LEFT'
set vpn ipsec site-to-site peer LEFT connection-type 'initiate'
set vpn ipsec site-to-site peer LEFT default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer LEFT ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer LEFT local-address 'any'
set vpn ipsec site-to-site peer LEFT remote-address '1.2.3.4'
# Only the two loopback /32s are protected by IPsec; LAN traffic rides inside GRE.
set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix '192.168.99.2/32'
set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix '192.168.99.1/32'