Hi All!
I'm having an issue with my VyOS 1.3 site-to-site VPN tunnel.
Tunnel is up and from the VyOS side, I can reach any IP on the remote subnet, but from the remote subnet I can only reach the VyOS LAN IP, but no other IP.
Tcpdump shows no traffic on the internal VyOS interface, even though any IP on the remote subnet can ping it.
I'm not sure if I am missing a NAT or firewall rule.
Looking for any advice!
Remote subnets: 10.10.0.0/24 and 10.50.0.0/24
Local (VyOS) subnet: 10.11.0.0/24.
VyOS (eth1) local IP: 10.11.0.1
Firewall config based on the wiki and other information sources:
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '10.10.0.0/24'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
set interfaces ethernet eth1 firewall local
set nat destination rule 101 description 'remote network access'
set nat destination rule 101 inbound-interface 'eth1'
set nat destination rule 101 source address '10.10.0.0/24'
set nat destination rule 101 translation address '10.11.0.0/24'
set nat source rule 10 destination address '10.10.0.0/24'
set nat source rule 10 exclude
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.11.0.0/24'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.11.0.0/24'
set nat source rule 100 translation address 'masquerade'
set vpn ipsec site-to-site peer X.X.X.X tunnel 0 allow-nat-networks 'disable'
Please, am I missing something?
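As an added illustration (editor's example, not part of the question or of VyOS itself), the Python below parses an excerpt of the posted chains in VyOS `set` syntax and walks them in first-match order with two constructed packets: a new ICMP echo from 10.10.0.5 to the router's LAN address 10.11.0.1, evaluated against OUTSIDE-LOCAL, and the same echo to a constructed LAN host 10.11.0.20, evaluated against OUTSIDE-IN, the chain the post binds with `firewall in` on eth0. The parser only understands the fields used in the excerpt (action, protocol, state, source/destination address); it shows that a chain whose only rule matches established/related falls through to its default action for a new connection.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the posted configuration (VyOS 1.3 'set' syntax).
CONFIG = """
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '10.10.0.0/24'
"""
LINE = re.compile(r"set firewall name (\S+) (default-action|rule) (\S+)(?: (.*))?$")

def parse_chains(text):
    """Return {chain: {"default": action, "rules": {number: fields}}}."""
    chains = {}
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a firewall chain line (interfaces, nat, ...)
        name, kind, num, rest = m.groups()
        chain = chains.setdefault(name, {"default": "drop", "rules": {}})
        if kind == "default-action":
            chain["default"] = num.strip("'")
            continue
        rule = chain["rules"].setdefault(int(num), {"states": set()})
        key, _, val = rest.rpartition(" ")   # e.g. "state established", "'enable'"
        val = val.strip("'")
        if key.startswith("state "):
            if val == "enable":
                rule["states"].add(key.split()[1])
        elif key in ("source address", "destination address"):
            rule[key.split()[0]] = ip_network(val)
        elif key in ("action", "protocol"):
            rule[key] = val
    return chains

def evaluate(chain, pkt):
    """First matching rule wins; a rule with no state set matches any state."""
    for num in sorted(chain["rules"]):
        r = chain["rules"][num]
        if r["states"] and pkt["state"] not in r["states"]:
            continue
        if "protocol" in r and r["protocol"] != pkt["proto"]:
            continue
        if "source" in r and ip_address(pkt["src"]) not in r["source"]:
            continue
        if "destination" in r and ip_address(pkt["dst"]) not in r["destination"]:
            continue
        return num, r.get("action", chain["default"])
    return None, chain["default"]

CHAINS = parse_chains(CONFIG)
# Constructed packets: a new echo-request to the router (local chain) and to a LAN host (in chain).
TO_ROUTER = {"src": "10.10.0.5", "dst": "10.11.0.1", "proto": "icmp", "state": "new"}
TO_LAN_HOST = {"src": "10.10.0.5", "dst": "10.11.0.20", "proto": "icmp", "state": "new"}
```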