system
December 30, 2014, 3:08pm
Hi, I need to set up an IPsec VPN tunnel between two sites; this is the configuration.
A Site: Static public address on the router and NAT
show interfaces
ethernet eth0 {
address 192.168.1.3/24
duplex auto
hw-id 00:0c:29:28:0b:af
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.0.100/24
duplex auto
hw-id 00:0c:29:28:0b:b9
smp_affinity auto
speed auto
}
loopback lo {
}
show vpn
ipsec {
esp-group ESP-1W {
lifetime 1800
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE-1W {
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer 0.0.0.0 {
authentication {
mode pre-shared-secret
pre-shared-secret password
}
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.1.3
tunnel 1 {
local {
prefix 192.168.0.0/24
}
remote {
prefix 192.168.3.0/24
}
}
}
}
}
B Site: Dynamic IP address on the router and NAT (UDP ports 500 and 4500 forwarded to 192.168.2.2)
show interfaces
ethernet eth0 {
address 192.168.2.2/24
hw-id 00:1f:c6:c1:3a:2a
}
ethernet eth1 {
address 192.168.3.1/24
hw-id 00:0e:e8:f7:e1:5d
}
loopback lo {
}
show vpn
ipsec {
esp-group ESP-1W {
lifetime 1800
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE-1W {
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer ‘PUBLIC IP ADRESS SITE A’ {
authentication {
mode pre-shared-secret
pre-shared-secret password
}
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.2.2
tunnel 1 {
local {
prefix 192.168.3.0/24
}
remote {
prefix 192.168.0.0/24
}
}
}
}
}
It does not start working… could you please help me?
Many Thanks!!
JFL
December 31, 2014, 10:47am
Hello
First you should look at the log to see if packets actually reach the routers through NAT.
$show log vpn ipsec
To establish the SA, VyOS needs to identify the peer. Since you are behind NAT, the site B router will present itself as “192.168.2.2” but will connect from its public IP address. These do not match, so the negotiation cannot succeed.
You need to use “ids” to identify your routers to each other. Something like:
On site A
site-to-site {
peer @siteB {
authentication {
id @siteA
mode pre-shared-secret
pre-shared-secret password
remote-id @siteB
}
connection-type respond
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.1.3
tunnel 1 {
local {
prefix 192.168.0.0/24
}
remote {
prefix 192.168.3.0/24
}
}
}
and on the site B
site-to-site {
peer {
authentication {
id @siteB
mode pre-shared-secret
pre-shared-secret password
remote-id @siteA
}
connection-type initiate
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.2.2
tunnel 1 {
local {
prefix 192.168.3.0/24
}
remote {
prefix 192.168.0.0/24
}
}
}
(replace “siteA” and “siteB” by whatever seems appropriate)
Note: I cannot test this exact setup; you may have to play with the ID settings, but that’s the idea.
system
January 3, 2015, 2:34pm
I tried changing a few things; this is the latest result, but it is still not working.
Both routers NAT UDP ports 500 and 4500 to their respective eth0.
On the routers I put the DynDNS configuration.
This is the latest configuration:
SITE A:
vyatta@vyatta# show interfaces
ethernet eth0 {
address 192.168.1.3/24
duplex auto
hw-id 00:0c:29:28:0b:af
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.0.100/24
duplex auto
hw-id 00:0c:29:28:0b:b9
smp_affinity auto
speed auto
}
loopback lo {
}
vyatta@vyatta# show nat source
rule 5 {
destination {
address 192.160.3.0/24
}
exclude
outbound-interface eth0
source {
address 192.168.0.0/24
}
}
rule 10 {
outbound-interface eth0
source {
address 192.168.0.0/24
}
translation {
address masquerade
}
}
vyatta@vyatta# show vpn
ipsec {
esp-group ESP-1W {
compression disable
lifetime 1800
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE-1W {
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer hostb.dyndns.biz {
authentication {
id hosta.dyndns.biz
mode pre-shared-secret
pre-shared-secret password
}
connection-type initiate
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.1.3
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 192.168.0.0/24
}
remote {
prefix 192.168.3.0/24
}
}
}
}
}
SITE B:
vyatta@vyatta# show interfaces
ethernet eth0 {
address 192.168.2.2/24
duplex auto
hw-id 00:1f:c6:c1:3a:2a
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.3.1/24
duplex auto
hw-id 00:0e:e8:f7:e1:5d
smp_affinity auto
speed auto
}
loopback lo {
}
vyatta@vyatta# show nat source
rule 5 {
destination {
address 192.168.0.0/24
}
exclude
outbound-interface eth0
source {
address 192.168.3.0/24
}
}
rule 10 {
outbound-interface eth0
source {
address 192.168.3.0/24
}
translation {
address masquerade
}
}
vyatta@vyatta# show vpn
ipsec {
esp-group ESP-1W {
compression disable
lifetime 1800
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE-1W {
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer hosta.dyndns.biz {
authentication {
id hostb.dyndns.biz
mode pre-shared-secret
pre-shared-secret password
}
connection-type initiate
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.2.2
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 192.168.3.0/24
}
remote {
prefix 192.168.0.0/24
}
}
}
}
}
So many thanks for the help!!
Hi, I need to set up an IPsec VPN tunnel between two sites; this is the configuration.
A Site: Static public address on the router and NAT
show interfaces
ethernet eth0 {
address 192.168.1.3/24
duplex auto
hw-id 00:0c:29:28:0b:af
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.0.100/24
duplex auto
hw-id 00:0c:29:28:0b:b9
smp_affinity auto
speed auto
}
loopback lo {
}
show vpn
ipsec {
esp-group ESP-1W {
lifetime 1800
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE-1W {
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer 0.0.0.0 {
authentication {
mode pre-shared-secret
pre-shared-secret password
}
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.1.3
tunnel 1 {
local {
prefix 192.168.0.0/24
}
remote {
prefix 192.168.3.0/24
}
}
}
}
}
B Site: Dynamic IP address on the router and NAT (UDP ports 500 and 4500 forwarded to 192.168.2.2)
show interfaces
ethernet eth0 {
address 192.168.2.2/24
hw-id 00:1f:c6:c1:3a:2a
}
ethernet eth1 {
address 192.168.3.1/24
hw-id 00:0e:e8:f7:e1:5d
}
loopback lo {
}
show vpn
ipsec {
esp-group ESP-1W {
lifetime 1800
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE-1W {
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer ‘PUBLIC IP ADRESS SITE A’ {
authentication {
mode pre-shared-secret
pre-shared-secret password
}
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.2.2
tunnel 1 {
local {
prefix 192.168.3.0/24
}
remote {
prefix 192.168.0.0/24
}
}
}
}
}
It does not start working… could you please help me?
Many Thanks!!
Hi,
Not sure if this helps, but check this link: Andras the Techie: VPN tunnel between Cisco and VyOS behind NAT
Regards
Prashanth
Hi, I need to set up an IPsec VPN tunnel between two sites; this is the configuration.
A Site: Static public address on the router and NAT
show interfaces
ethernet eth0 {
address 192.168.1.3/24
duplex auto
hw-id 00:0c:29:28:0b:af
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.0.100/24
duplex auto
hw-id 00:0c:29:28:0b:b9
smp_affinity auto
speed auto
}
loopback lo {
}
show vpn
ipsec {
esp-group ESP-1W {
lifetime 1800
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE-1W {
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer 0.0.0.0 {
authentication {
mode pre-shared-secret
pre-shared-secret password
}
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.1.3
tunnel 1 {
local {
prefix 192.168.0.0/24
}
remote {
prefix 192.168.3.0/24
}
}
}
}
}
B Site: Dynamic IP address on the router and NAT (UDP ports 500 and 4500 forwarded to 192.168.2.2)
show interfaces
ethernet eth0 {
address 192.168.2.2/24
hw-id 00:1f:c6:c1:3a:2a
}
ethernet eth1 {
address 192.168.3.1/24
hw-id 00:0e:e8:f7:e1:5d
}
loopback lo {
}
show vpn
ipsec {
esp-group ESP-1W {
lifetime 1800
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE-1W {
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer ‘PUBLIC IP ADRESS SITE A’ {
authentication {
mode pre-shared-secret
pre-shared-secret password
}
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.2.2
tunnel 1 {
local {
prefix 192.168.3.0/24
}
remote {
prefix 192.168.0.0/24
}
}
}
}
}
It does not start working… could you please help me?
Many Thanks!!
Hi,
Check this link; it will give you a clear picture: Andras the Techie: VPN tunnel between Cisco and VyOS behind NAT
Regards
Prashanth
JFL:
Hello
First you should look at the log to see if packets actually reach the routers through NAT.
$show log vpn ipsec
To establish the SA, VyOS needs to identify the peer. Since you are behind NAT, the site B router will present itself as “192.168.2.2” but will connect from its public IP address. These do not match, so the negotiation cannot succeed.
You need to use “ids” to identify your routers to each other. Something like:
On site A
site-to-site {
peer @siteB {
authentication {
id @siteA
mode pre-shared-secret
pre-shared-secret password
remote-id @siteB
}
connection-type respond
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.1.3
tunnel 1 {
local {
prefix 192.168.0.0/24
}
remote {
prefix 192.168.3.0/24
}
}
}
and on the site B
site-to-site {
peer {
authentication {
id @siteB
mode pre-shared-secret
pre-shared-secret password
remote-id @siteA
}
connection-type initiate
default-esp-group ESP-1W
ike-group IKE-1W
local-address 192.168.2.2
tunnel 1 {
local {
prefix 192.168.3.0/24
}
remote {
prefix 192.168.0.0/24
}
}
}
(replace “siteA” and “siteB” by whatever seems appropriate)
Note: I cannot test this exact setup; you may have to play with the ID settings, but that’s the idea.
Hi,
Thanks for the reply; that setup actually works. More on this: Andras the Techie: VPN tunnel between Cisco and VyOS behind NAT
Regards
Prashanth