Hi, I have VyOS running on a VM in a private network where the public IP address is NATed to an interface on VyOS, and on that interface I want to run the VPN. My configuration is as follows:
interfaces {
ethernet eth1 {
/* eth1 carries the private address that the public IP is NATed to;
   the same address is used as the L2TP outside-address further down. */
address 10.80.8.104/24
duplex auto
hw-id 00:01:a4:ab:2b:5e
smp_affinity auto
speed auto
}
loopback lo {
}
}
service {
ssh {
/* SSH on a non-default port (default is 22). */
port 2331
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
gateway-address 10.80.8.1
host-name vyos
login {
user vyos {
authentication {
/* Both the encrypted and the plaintext password forms are present (masked in
   the post). Normally only the encrypted form should remain after a commit --
   worth confirming the plaintext value is not kept in the saved config. */
encrypted-password ****************
plaintext-password ****************
public-keys xxxxx@gmail.com {
key ****************
type ssh-rsa
}
}
level admin
}
}
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
package {
auto-sync 1
repository community {
components main
distribution helium
/* Repository credential stored in the config (masked here). The repository
   URL is plain http, so package downloads are not transport-protected. */
password ****************
url http://packages.vyos.net/vyos
username ""
}
}
syslog {
global {
facility all {
level notice
}
/* Debug-level protocol logging; presumably the source of the verbose IKE
   negotiation lines quoted below. Useful while troubleshooting, noisy to
   leave on permanently. */
facility protocols {
level debug
}
}
}
time-zone UTC
}
vpn {
ipsec {
ipsec-interfaces {
interface eth1
}
nat-networks {
/* Any source network is accepted from NAT-traversed peers; tighten this
   once the expected client networks are known. */
allowed-network 0.0.0.0/0 {
}
}
nat-traversal enable
}
l2tp {
remote-access {
authentication {
local-users {
username naseer {
password ****************
}
}
mode local
}
client-ip-pool {
/* As written the pool spans 192.168.255.1 through 192.168.255.255, i.e. the
   whole /24 including the last address -- confirm this is intended. */
start 192.168.255.1
stop 192.168.255.255
}
ipsec-settings {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
}
/* This is eth1's private address. In the log quoted below the client asks
   for 93.189.101.104/32 (the public side of the NAT) as the near end of the
   IPsec SA while the responder only knows 10.80.8.104; that mismatch appears
   to be what "no connection is known for ..." refers to. */
outside-address 10.80.8.104
}
}
}
I have even replaced outside-address with the public IP address it is NATed from, but that does not help either. When I try to connect the VPN, I get the following messages:
VPN-ALL: "remote-access-mac-zzz"[5] 77.30.202.161 #3: responding to Main Mode from unknown peer 77.30.202.161
VPN-ALL: "remote-access-mac-zzz"[5] 77.30.202.161 #3: NAT-Traversal: Result using RFC 3947: both are NATed
VPN-ALL: "remote-access-mac-zzz"[5] 77.30.202.161 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
VPN-ALL: "remote-access-mac-zzz"[5] 77.30.202.161 #3: Peer ID is ID_IPV4_ADDR: '10.0.1.17'
VPN-ALL: "remote-access-mac-zzz"[6] 77.30.202.161 #3: deleting connection "remote-access-mac-zzz" instance with peer 77.30.202.161 {isakmp=#0/ipsec=#0}
VPN-ALL: "remote-access-mac-zzz"[6] 77.30.202.161:45136 #3: sent MR3, ISAKMP SA established
VPN-ALL: "remote-access-mac-zzz"[6] 77.30.202.161:45136 #3: cannot respond to IPsec SA request because no connection is known for 93.189.101.104/32===10.80.8.104:4500[10.80.8.104]:17/1701...77.30.202.161:45136[10.0.1.17]:17/%any===10.0.1.17/32
VPN-ALL: "remote-access-mac-zzz"[6] 77.30.202.161:45136 #3: sending encrypted notification INVALID_ID_INFORMATION to 77.30.202.161:45136
VPN-ALL: "remote-access-mac-zzz"[6] 77.30.202.161:45136 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4bd840ca (perhaps this is a duplicated packet)
I am not able to figure out how to run the VPN behind NAT in this situation. I would appreciate any hints or suggestions.
Thanks.