Source NAT SCTP does not work? Vyos 1.1.8

maurof · May 15, 2018, 3:22pm

Hello , currently we are facing this situation:

show version
Version: VyOS 1.1.8
Description: VyOS 1.1.8 (helium)
Copyright: 2017 VyOS maintainers and contributors
Built by: maintainers@vyos.net
Built on: Sat Nov 11 13:44:36 UTC 2017
Build ID: 1711111344-b483efc
System type: x86 64-bit
Boot via: image
HW model: PowerEdge R420
HW S/N: 1F4SG5J
HW UUID: 44454C4C-4600-1034-8053-B1C04F47354A
Uptime: 17:08:47 up 3:41, 3 users, load average: 0.03, 0.02, 0.05

##################################################################### Problem
VPN IPSEC site to site with VTI/ Route Based + NAT

ICMP /TCP protocols are correctly natted before entering the tunnel
SCTP results NEVER NATTED

####################################################################################

########################### Configuration

NAT RULE:

show nat source rule 16

destination {
address 10.34.126.64/28
}
outbound-interface vti10
protocol all
source {
address 172.31.100.10
}
translation {
address 10.116.252.193
}

################################################### Trace

MONITOR TRAFFIC ON VTI10 SHOWS THE BUG ( Icmp OK, SCTP KO…):

monitor interfaces vti vti10 traffic

1.762104 172.31.100.10 → 10.34.126.78 SCTP INIT
12.162428 172.31.100.10 → 10.34.126.78 SCTP INIT
12.562712 172.31.100.10 → 10.34.126.78 SCTP INIT
12.645062 10.116.252.193 → 10.34.126.78 ICMP Echo (ping) request
12.698702 10.34.126.78 → 10.116.252.193 ICMP Echo (ping) reply
13.033667 172.31.100.10 → 10.34.126.78 SCTP INIT
13.233913 172.31.100.10 → 10.34.126.78 SCTP INIT
13.634246 172.31.100.10 → 10.34.126.78 SCTP INIT
13.644020 10.116.252.193 → 10.34.126.78 ICMP Echo (ping) request
13.697643 10.34.126.78 → 10.116.252.193 ICMP Echo (ping) reply
14.034454 172.31.100.10 → 10.34.126.78 SCTP INIT
14.434782 172.31.100.10 → 10.34.126.78 SCTP INIT
14.644089 10.116.252.193 → 10.34.126.78 ICMP Echo (ping) request
14.697447 10.34.126.78 → 10.116.252.193 ICMP Echo (ping) reply
14.834973 172.31.100.10 → 10.34.126.78 SCTP INIT

deleted/recreated NAT Rule → doesn’ t work
delete/recreated NAT Rule with “protocol sctp” → doesn’ t work

Is anyone facing the same issue?

thanks

maurof · May 16, 2018, 5:12pm

Could it be that some Linux module (SCTP) is not installed?

Might be that someone is facing the same issue with different protocol than SCTP ??.