Unable to run VPN behind NAT


#1

Hi, I have VyOS running on a VM in a private network where the public IP address is NATed to the VyOS interface on which I want to run the VPN. My configuration is as follows:

    interfaces {
        ethernet eth1 {
            address 10.80.8.104/24
            duplex auto
            hw-id 00:01:a4:ab:2b:5e
            smp_affinity auto
            speed auto
        }
        loopback lo {
        }
    }
    service {
        ssh {
            port 2331
        }
    }
    system {
        config-management {
            commit-revisions 20
        }
        console {
            device ttyS0 {
                speed 9600
            }
        }
        gateway-address 10.80.8.1
        host-name vyos
        login {
            user vyos {
                authentication {
                    encrypted-password ****************
                    plaintext-password ****************
                    public-keys xxxxx@gmail.com {
                        key ****************
                        type ssh-rsa
                    }
                }
                level admin
            }
        }
        ntp {
            server 0.pool.ntp.org {
            }
            server 1.pool.ntp.org {
            }
            server 2.pool.ntp.org {
            }
        }
        package {
            auto-sync 1
            repository community {
                components main
                distribution helium
                password ****************
                url http://packages.vyos.net/vyos
                username ""
            }
        }
        syslog {
            global {
                facility all {
                    level notice
                }
                facility protocols {
                    level debug
                }
            }
        }
        time-zone UTC
    }
    vpn {
        ipsec {
            ipsec-interfaces {
                interface eth1
            }
            nat-networks {
                allowed-network 0.0.0.0/0 {
                }
            }
            nat-traversal enable
        }
        l2tp {
            remote-access {
                authentication {
                    local-users {
                        username naseer {
                            password ****************
                        }
                    }
                    mode local
                }
                client-ip-pool {
                    start 192.168.255.1
                    stop 192.168.255.255
                }
                ipsec-settings {
                    authentication {
                        mode pre-shared-secret
                        pre-shared-secret ****************
                    }
                }
                outside-address 10.80.8.104
            }
        }
    }

I have even replaced outside-address with the public IP address that is NATed to it, but that does not help either. When I try to connect the VPN, I get the following messages:

    VPN-ALL: "remote-access-mac-zzz"[5] 77.30.202.161 #3: responding to Main Mode from unknown peer 77.30.202.161
    VPN-ALL: "remote-access-mac-zzz"[5] 77.30.202.161 #3: NAT-Traversal: Result using RFC 3947: both are NATed
    VPN-ALL: "remote-access-mac-zzz"[5] 77.30.202.161 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    VPN-ALL: "remote-access-mac-zzz"[5] 77.30.202.161 #3: Peer ID is ID_IPV4_ADDR: '10.0.1.17'
    VPN-ALL: "remote-access-mac-zzz"[6] 77.30.202.161 #3: deleting connection "remote-access-mac-zzz" instance with peer 77.30.202.161 {isakmp=#0/ipsec=#0}
    VPN-ALL: "remote-access-mac-zzz"[6] 77.30.202.161:45136 #3: sent MR3, ISAKMP SA established
    VPN-ALL: "remote-access-mac-zzz"[6] 77.30.202.161:45136 #3: cannot respond to IPsec SA request because no connection is known for 93.189.101.104/32===10.80.8.104:4500[10.80.8.104]:17/1701...77.30.202.161:45136[10.0.1.17]:17/%any===10.0.1.17/32
    VPN-ALL: "remote-access-mac-zzz"[6] 77.30.202.161:45136 #3: sending encrypted notification INVALID_ID_INFORMATION to 77.30.202.161:45136
    VPN-ALL: "remote-access-mac-zzz"[6] 77.30.202.161:45136 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4bd840ca (perhaps this is a duplicated packet)

I am not able to figure out how to run the VPN behind NAT in this situation. I would appreciate any hints or suggestions.

Thanks.
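A small diagnostic for the pluto log quoted in the post, added here as an example and not part of the original post: it parses the rejected Quick Mode proposal into its endpoint fields and reports where the proposed traffic selectors disagree with the addresses the server actually sees. The log lines are a constructed copy of the ones above; nothing here is VyOS's own tooling.

```python
import re
import ipaddress

# Constructed sample: the relevant pluto lines from the post above.
SAMPLE_LOG = """\
VPN-ALL: "remote-access-mac-zzz"[5] 77.30.202.161 #3: NAT-Traversal: Result using RFC 3947: both are NATed
VPN-ALL: "remote-access-mac-zzz"[5] 77.30.202.161 #3: Peer ID is ID_IPV4_ADDR: '10.0.1.17'
VPN-ALL: "remote-access-mac-zzz"[6] 77.30.202.161:45136 #3: cannot respond to IPsec SA request because no connection is known for 93.189.101.104/32===10.80.8.104:4500[10.80.8.104]:17/1701...77.30.202.161:45136[10.0.1.17]:17/%any===10.0.1.17/32
"""

# pluto prints a proposal as:
# <lclient>===<lhost>:<port>[<lid>]:<proto>/<port>...<rhost>:<port>[<rid>]:<proto>/<port>===<rclient>
PROPOSAL_RE = re.compile(
    r"no connection is known for "
    r"(?P<lclient>\S+?)===(?P<lhost>[\d.]+):(?P<lport>\d+)\[(?P<lid>[^\]]+)\]:(?P<lproto>\d+)/(?P<lpport>\S+?)"
    r"\.\.\."
    r"(?P<rhost>[\d.]+):(?P<rport>\d+)\[(?P<rid>[^\]]+)\]:(?P<rproto>\d+)/(?P<rpport>\S+?)===(?P<rclient>\S+)"
)

def parse_proposal(line):
    """Return the endpoint fields of a rejected Quick Mode proposal, or None."""
    m = PROPOSAL_RE.search(line)
    return m.groupdict() if m else None

def diagnose(log_text):
    """Parse the log and list the address mismatches behind the rejection."""
    findings, proposal = [], None
    for line in log_text.splitlines():
        if "both are NATed" in line:
            findings.append("NAT-T detected NAT on both the client and the server side")
        p = parse_proposal(line)
        if p:
            proposal = p
    if proposal is None:
        return {"proposal": None, "findings": findings}
    # The client's selector for the server side is the address it connected to
    # (the public NAT address); the server's own host address is the private one.
    lclient_net = ipaddress.ip_network(proposal["lclient"], strict=False)
    if ipaddress.ip_address(proposal["lhost"]) not in lclient_net:
        findings.append(f"client proposes server endpoint {proposal['lclient']} but the "
                        f"server's listening address is {proposal['lhost']}: NAT address mismatch")
    # Peer ID sent in IKE vs. the source address the packets actually arrive from.
    if proposal["rid"] != proposal["rhost"]:
        findings.append(f"peer ID {proposal['rid']} differs from source {proposal['rhost']}: "
                        f"client is behind NAT")
    return {"proposal": proposal, "findings": findings}

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG)["findings"]:
        print(f)
```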