Site-toSite VPN connect but no trafic

General questions
1

show vpn ike sa and show vpn ipsec sa both show the link is connected but I cant ping and there is no bytes traversing the VPN

Config below

============ ROUTER A ==============================

interfaces {
ethernet eth0 {
address 172.27.35.201/24
description OUTSIDE
}
ethernet eth1 {
address 10.20.1.1/24
description INSIDE
}
loopback lo {
}
}
nat {
source {
rule 1 {
outbound-interface eth0
source {
address 10.20.1.0/24
}
translation {
address masquerade
}
}
rule 5 {
destination {
address 10.20.2.0/24
}
exclude
outbound-interface eth0
source {
address 10.20.1.0/24
}
}
}
}
service {
ssh {
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
gateway-address 172.27.25.1
host-name Router1
login {
user vyos {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
package {
auto-sync 1
repository community {
components main
distribution helium
password ****************
url http://packages.vyos.net/vyos
username “”
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
vpn {
ipsec {
esp-group ESP-1W {
lifetime 1800
proposal 1 {
encryption aes256
hash sha1
}
proposal 2 {
encryption 3des
hash sha1
}
}
ike-group IKE-1W {
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
proposal 2 {
encryption aes128
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-networks {
allowed-network 0.0.0.0/0 {
}
}
nat-traversal enable
site-to-site {
peer 172.27.35.202 {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
default-esp-group ESP-1W
ike-group IKE-1W
local-address 172.27.35.201
tunnel 1 {
local {
prefix 10.20.1.0/24
}
remote {
prefix 10.20.2.0/24
}
}
}
}
}
}

============ ROUTER B ==============================

interfaces {
ethernet eth0 {
address 172.27.35.202/24
hw-id 00:25:90:7f:b3:ce
}
ethernet eth1 {
address 10.20.2.1/24
hw-id 00:25:90:7f:b3:cf
}
loopback lo {
}
}
nat {
source {
rule 1 {
outbound-interface eth0
source {
address 10.20.2.0/24
}
translation {
address masquerade
}
}
rule 5 {
destination {
address 10.20.1.0/24
}
exclude
outbound-interface eth0
source {
address 10.20.2.0/24
}
}
}
}
service {
ssh {
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
gateway-address 172.27.35.1
host-name Router2
login {
user vyos {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
package {
repository community {
components main
distribution helium
url http://packages.vyos.net/vyos
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
}
vpn {
ipsec {
esp-group ESP-1W {
lifetime 1800
proposal 1 {
encryption aes256
hash sha1
}
proposal 2 {
encryption 3des
hash sha1
}
}
ike-group IKE-1W {
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
proposal 2 {
encryption aes128
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-networks {
allowed-network 0.0.0.0/0 {
}
}
nat-traversal enable
site-to-site {
peer 172.27.35.201 {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
default-esp-group ESP-1W
ike-group IKE-1W
local-address 172.27.35.202
tunnel 1 {
local {
prefix 10.20.2.0/24
}
remote {
prefix 10.20.1.0/24
}
}
}
}
}
}

2

Take a look at your NAT rules. You need to exclude the destination subnet from the source rules. You don’t need a destination NAT (DNAT), just exclude the destination from your source masquerade NAT. NAT rules are processed in order, so you need to exclude before the masquerade.

3

Thank makes sense.

I used:
delete nat source rule 1
and then recreated as rule 10 and it works fine.

thank you very much.