VPN IPsec between two NATed peers


#1

Dear All,

I’ve been using Vyatta and from the beginning VyOS to connect remote sites through VPN. Till now I’ve used OpenVPN without a problem but performance has been poor.

As I’m not really an expert in VyOS, and mainly IPsec, I’ve been depending on other people’s contributions, but it isn’t common to see this kind of scenario in IPsec how-tos.

A few months ago I found Daniil Baturin’s blog post “How to setup an IPsec connection between two NATed peers: using id’s and RSA keys” at http://blog.vyos.net/how-to-setup-an-ipsec-connection-between-two-nated-peers-using-ids-and-rsa-keys, and I decided to try it out in non-production test VMs.

I’ve searched for the missing parts of the required ipsec entries, tested it with success, tested the bandwidth and, while it wasn’t stable, it performed quite a bit better than OpenVPN (and believe that through all these years I’ve tweaked it a lot).

I believed I had found almost a “holy grail”, so I rushed to put it in production connecting two sites.

I’ve updated the VyOS VMs, deleted the old configuration, added the new one and voila, the tunnel just worked.

But then came the trouble, and the reason for requesting your expert help.

Behind these two nodes I’ve several subnets that I must route between, and while in OpenVPN it just needed some static routes, I’ve found the hard way that, the way I set up this VPN, it wasn’t going to work.

What I’ve understood, not sure if right, was that I needed to add another tunnel for each subnet I needed to route, but if my assumptions are right, this can be quite scary.

Summarizing in 4 questions:

  1. Is adding tunnels for each subnet to route the only way with this setup?
  2. In my tests I’ve found that after restarting the West side of the tunnel it didn’t come up; I had to restart the East side router. Is this normal? Is there something one can do to monitor the tunnel and restart it?
  3. I’ve read a lot but couldn’t test with success: would a setup with a VTI interface work with the two routers behind NAT? (I believe this would be similar to the OpenVPN setup).
  4. OSPF: it seems to fit here, not sure where and how, I still couldn’t figure out how it works and where it would be a must (I don’t like to copy things I cannot understand). Any tips?

Maybe I’ll get lucky and some of you will look at this post and spend some of your precious time writing some words.

Best regards,

Duke