Site-to-site IPsec VPN tunnel, cannot connect to any local subnet IP, except for VyOS router

Hi All!

I'm having an issue with my VyOS 1.3 site-to-site VPN tunnel.
The tunnel is up, and from the VyOS side I can reach any IP on the remote subnet, but from the remote subnet I can only reach the VyOS LAN IP and no other IP.
tcpdump shows no traffic on the internal VyOS interface, even though any IP on the remote subnet can ping it.
I'm not sure if I am missing a NAT or firewall rule.
Looking for any advice!
Remote subnets: 10.10.0.0/24 and 10.50.0.0/24
Local (VyOS) subnet: 10.11.0.0/24.
VyOS (eth1) local IP: 10.11.0.1

Firewall config based on the wiki and other information sources:

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '10.10.0.0/24'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
set interfaces ethernet eth1 firewall local
set nat destination rule 101 description 'remote network access'
set nat destination rule 101 inbound-interface 'eth1'
set nat destination rule 101 source address '10.10.0.0/24'
set nat destination rule 101 translation address '10.11.0.0/24'
set nat source rule 10 destination address '10.10.0.0/24'
set nat source rule 10 exclude
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.11.0.0/24'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.11.0.0/24'
set nat source rule 100 translation address 'masquerade'
set vpn ipsec site-to-site peer X.X.X.X tunnel 0 allow-nat-networks 'disable'

Please, am I missing something?

Is eth1 a LAN network? Are the local addresses 10.11.0.0/24 expected on the LAN network?
Is it correct that you expect the “10.10.0.0/24” remote network on the LAN interface?

Yes, eth1 is the LAN network interface, and its subnet is 10.11.0.0/24.
eth0 is the VyOS public network interface.
10.10.0.0/24 (and 10.50.0.0/24) are the remote subnets.
Interestingly, it worked when I attached these rules to the eth0 interface as 'in':

set firewall group network-group remote-net network '10.10.0.0/24'
set firewall group network-group remote-net network '10.50.0.0/24'
set firewall name FROM-REMOTE rule 1 action 'accept'
set firewall name FROM-REMOTE rule 1 description 'Allow established and related connections'
set firewall name FROM-REMOTE rule 1 state established 'enable'
set firewall name FROM-REMOTE rule 1 state related 'enable'
set firewall name FROM-REMOTE rule 10 action 'accept'
set firewall name FROM-REMOTE rule 10 description 'access from remote networks'
set firewall name FROM-REMOTE rule 10 log 'enable'
set firewall name FROM-REMOTE rule 10 protocol 'all'
set firewall name FROM-REMOTE rule 10 source group network-group 'remote-net'
set interfaces ethernet eth0 firewall in name 'FROM-REMOTE'

Now I can reach eth1’s network (10.11.0.0/24) from both remote networks at the other side of the VPN, and vice versa.
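To make the symptom in this thread concrete, here is a small Python model of how VyOS 1.3 evaluates the interface rulesets quoted above. It is an added illustration written for this page, not VyOS code and not code from the poster. It transcribes the OUTSIDE-IN, OUTSIDE-LOCAL and FROM-REMOTE rulesets with only the matchers that appear in the thread (the 'recent count' rate limit in rule 30 and the echo-request type-name match in rule 20 are omitted), assumes that a named ruleset with no default-action set drops (the VyOS 1.3 default), and assumes that decrypted tunnel packets arrive on eth0 and are checked by its 'local' ruleset when addressed to the router and by its 'in' ruleset when they are to be forwarded, which is the behaviour the fix in the thread bears out. The sample packets are constructed; 198.51.100.9 is a documentation address standing in for a source that is not behind the tunnel.

```python
"""Toy model of VyOS 1.3 per-interface firewall evaluation (added example,
not VyOS code). Only the matchers used in the thread are modelled."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "icmp", "tcp", ...
    state: str                  # conntrack state: "new", "established", "related"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                         # "accept" or "drop"
    states: frozenset = frozenset()     # empty = any conntrack state
    protocol: Optional[str] = None      # None or "all" = any protocol
    dport: Optional[int] = None         # None = any destination port
    sources: tuple = ()                 # empty = any source; else ip_network objects

    def matches(self, pkt: Packet) -> bool:
        if self.states and pkt.state not in self.states:
            return False
        if self.protocol not in (None, "all") and pkt.proto != self.protocol:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.sources and not any(ip_address(pkt.src) in net for net in self.sources):
            return False
        return True


@dataclass(frozen=True)
class Ruleset:
    name: str
    rules: tuple
    default_action: str = "drop"   # assumption: an unset default-action means drop in VyOS 1.3

    def evaluate(self, pkt: Packet):
        """Lowest-numbered matching rule wins; otherwise the default action applies."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(pkt):
                return rule.action, rule.number
        return self.default_action, None


EST_REL = frozenset({"established", "related"})
NEW = frozenset({"new"})
REMOTE_NET = (ip_network("10.10.0.0/24"), ip_network("10.50.0.0/24"))  # network-group remote-net

# Rulesets transcribed from the thread (only the matchers relevant to the symptom).
OUTSIDE_IN = Ruleset("OUTSIDE-IN", (
    Rule(10, "accept", states=EST_REL),
))
OUTSIDE_LOCAL = Ruleset("OUTSIDE-LOCAL", (
    Rule(10, "accept", states=EST_REL),
    Rule(20, "accept", protocol="icmp", states=NEW),            # echo-request type match omitted
    Rule(31, "accept", protocol="tcp", dport=22, states=NEW),   # rule 30's rate limit omitted
    Rule(32, "accept", sources=(ip_network("10.10.0.0/24"),)),
))
FROM_REMOTE = Ruleset("FROM-REMOTE", (
    Rule(1, "accept", states=EST_REL),
    Rule(10, "accept", protocol="all", sources=REMOTE_NET),
))

ROUTER_ADDRESSES = frozenset({"10.11.0.1"})   # VyOS eth1 address from the thread


def decide(pkt: Packet, in_chain: Ruleset, local_chain: Ruleset):
    """Decrypted tunnel traffic enters on eth0: packets addressed to the router
    go through the 'local' ruleset, packets to be forwarded through 'in'."""
    chain = local_chain if pkt.dst in ROUTER_ADDRESSES else in_chain
    action, rule = chain.evaluate(pkt)
    return chain.name, action, rule


if __name__ == "__main__":
    # Constructed sample traffic as it would look after IPsec decryption on eth0.
    samples = [
        Packet("10.10.0.5", "10.11.0.1", "icmp", "new"),                # ping the router
        Packet("10.10.0.5", "10.11.0.20", "icmp", "new"),               # ping a LAN host
        Packet("10.50.0.7", "10.11.0.20", "icmp", "new"),               # ping from 2nd remote subnet
        Packet("10.50.0.7", "10.11.0.1", "tcp", "new", dport=443),      # non-SSH TCP to the router
        Packet("198.51.100.9", "10.11.0.20", "tcp", "new", dport=445),  # not a tunnel source
    ]
    for in_chain in (OUTSIDE_IN, FROM_REMOTE):
        print(f"--- eth0 in = {in_chain.name}")
        for pkt in samples:
            print(pkt.src, "->", pkt.dst, pkt.proto, pkt.state, decide(pkt, in_chain, OUTSIDE_LOCAL))
```

Running it shows the two halves of the symptom: a new ICMP flow from 10.10.0.5 to a LAN host is dropped by OUTSIDE-IN's default action on eth0 before it is ever forwarded, which is why tcpdump on eth1 saw nothing, while a ping to 10.11.0.1 itself is accepted by OUTSIDE-LOCAL rule 20. With FROM-REMOTE as the eth0 'in' ruleset, the same forwarded flow matches rule 10 via the network group, and a source outside both remote subnets still falls through to the drop default. One thing the model also makes visible: OUTSIDE-LOCAL rule 32 only covers 10.10.0.0/24, so a new connection from 10.50.0.0/24 to the router itself that is neither ICMP nor SSH is still dropped by the 'local' chain, worth checking if the second remote subnet needs more than that from the VyOS box.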
