Vpn ipsec site to site behind nat

General questions
,
1

Hi, i should set up a vpn ipsec tunnel between 2 sites, this is the configuration.

A Site: Static public adress on router and NAT

show interfaces
ethernet eth0 {
address 192.168.1.3/24
duplex auto
hw-id 00:0c:29:28:0b:af
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.0.100/24
duplex auto
hw-id 00:0c:29:28:0b:b9
smp_affinity auto
speed auto
}
loopback lo {
}

show vpn
ipsec {
esp-group ESP-1W {
lifetime 1800
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE-1W {
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer 0.0.0.0 {
authentication {
mode pre-shared-secret
pre-shared-secret password
}
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.1.3
tunnel 1 {
local {
prefix 192.168.0.0/24
}
remote {
prefix 192.168.3.0/24
}
}
}
}
}

B Site: Dynamic ip adress on router and NAT (nat of port UDP 500 and UDP 4500 to 192.168.2.2)

show interfaces
ethernet eth0 {
address 192.168.2.2/24
hw-id 00:1f:c6:c1:3a:2a
}
ethernet eth1 {
address 192.168.3.1/24
hw-id 00:0e:e8:f7:e1:5d
}
loopback lo {
}

show vpn
ipsec {
esp-group ESP-1W {
lifetime 1800
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE-1W {
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer ‘PUBLIC IP ADRESS SITE A’ {
authentication {
mode pre-shared-secret
pre-shared-secret password
}
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.2.2
tunnel 1 {
local {
prefix 192.168.3.0/24
}
remote {
prefix 192.168.0.0/24
}
}
}
}
}

it not start to work… could you please help me?

Many Thanks!!

2

Hello
first you should lool at log to see if packets actually reach the routers trough NAT.
$show log vpn ipsec

To establish the SA the VyOs need to identify the peer. Since you are behind NAT, the site B router will present itself as “192.168.2.2” but will connect with it’s public IP address. It doesn’t match so cannot succeed.

You need to use “ids” to identify your routers to each others. Something like :

On site A

site-to-site {
peer @siteB {
authentication {
id @siteA
mode pre-shared-secret
pre-shared-secret password
remote-id @siteB
}
connection-type respond
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.1.3
tunnel 1 {
local {
prefix 192.168.0.0/24
}
remote {
prefix 192.168.3.0/24
}
}
}

and on the site B

site-to-site {
peer {
authentication {
id @siteB
mode pre-shared-secret
pre-shared-secret password
remote-id @siteA
}
connection-type initiate
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.2.2
tunnel 1 {
local {
prefix 192.168.3.0/24
}
remote {
prefix 192.168.0.0/24
}
}
}

(replace “siteA” and “siteB” by whatever seems appropriate)

Note : cannot test this exact setup, you may have to play with the Id settings but that’s the idea.

3

I tried to change something, this is the last result, but still not working.

both router NAT the port udp 500 and 4500 to each eth0
on the routers i pute the dyndns configuration

this is the last configuration:

SITE A:

vyatta@vyatta# show interfaces

ethernet eth0 {
address 192.168.1.3/24
duplex auto
hw-id 00:0c:29:28:0b:af
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.0.100/24
duplex auto
hw-id 00:0c:29:28:0b:b9
smp_affinity auto
speed auto
}
loopback lo {
}

vyatta@vyatta# show nat source
rule 5 {
destination {
address 192.160.3.0/24
}
exclude
outbound-interface eth0
source {
address 192.168.0.0/24
}
}
rule 10 {
outbound-interface eth0
source {
address 192.168.0.0/24
}
translation {
address masquerade
}
}

vyatta@vyatta# show vpn
ipsec {
esp-group ESP-1W {
compression disable
lifetime 1800
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE-1W {
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer hostb.dyndns.biz {
authentication {
id hosta.dyndns.biz
mode pre-shared-secret
pre-shared-secret password
}
connection-type initiate
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.1.3
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 192.168.0.0/24
}
remote {
prefix 192.168.3.0/24
}
}
}
}
}

SITE B:

vyatta@vyatta# show interfaces

ethernet eth0 {
address 192.168.2.2/24
duplex auto
hw-id 00:1f:c6:c1:3a:2a
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.3.1/24
duplex auto
hw-id 00:0e:e8:f7:e1:5d
smp_affinity auto
speed auto
}
loopback lo {
}

vyatta@vyatta# show nat source

rule 5 {
destination {
address 192.168.0.0/24
}
exclude
outbound-interface eth0
source {
address 192.168.3.0/24
}
}
rule 10 {
outbound-interface eth0
source {
address 192.168.3.0/24
}
translation {
address masquerade
}
}

vyatta@vyatta# show vpn

ipsec {
esp-group ESP-1W {
compression disable
lifetime 1800
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE-1W {
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer hosta.dyndns.biz {
authentication {
id hostb.dyndns.biz
mode pre-shared-secret
pre-shared-secret password
}
connection-type initiate
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.2.2
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 192.168.3.0/24
}
remote {
prefix 192.168.0.0/24
}
}
}
}
}

So many thanks for the help!!

4

Hi,

Not sure if this might help, check this link: Andras the Techie: VPN tunnel between Cisco and VyOS behind NAT

Regards
Prashanth

5

Hi,

Check this link, you will get clear picture: Andras the Techie: VPN tunnel between Cisco and VyOS behind NAT

Regards
Prashanth

6

Hi,

Thanks for the reply, that setup actually works. More on this: Andras the Techie: VPN tunnel between Cisco and VyOS behind NAT

Regards
Prashanth

7

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.