Hi,
I have a strange problem with my VyOS configuration.
I have an IPsec VPN with a partner.
We have agreed on networks because of an overlap problem:
- 10.54.0.0/24 is for us
- 10.54.1.0/24 is for the partner
If my company wants to access the partner, we must access 10.54.1.0/24, and vice versa.
When we try to access 10.54.1.109 on port 8080, we can see ESP traffic in the VPN tunnel:
    myuser@myvos# sudo tcpdump -n -i any host 81.255.X.X
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    15:57:22.231238 IP 185.150.X.X.500 > 81.255.X.X.500: isakmp: phase 2/others ? inf[E]
    15:57:22.247212 IP 81.255.X.X.500 > 185.150.X.X.500: isakmp: phase 2/others ? inf[E]
    15:57:23.416373 IP 185.150.X.X > 81.255.X.X: ESP(spi=0x058f0923,seq=0x1), length 100
    15:57:24.417143 IP 185.150.X.X > 81.255.X.X: ESP(spi=0x058f0923,seq=0x2), length 100
All TCP/UDP/ICMP ports work.
However, TCP port 1521 does not seem to enter the VPN. I can see it enter the VyOS router:
    myuser@myvyos# sudo tcpdump -n -i any net 10.54.0.0/15
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    16:01:30.829546 IP 10.160.0.16.63563 > 10.54.1.109.1521: Flags [S], seq 2450728715, win 29200, options [mss 1460,sackOK,TS val 1209915494 ecr 0,nop,wscale 7], length 0
    16:01:31.830687 IP 10.160.0.16.63563 > 10.54.1.109.1521: Flags [S], seq 2450728715, win 29200, options [mss 1460,sackOK,TS val 1209916496 ecr 0,nop,wscale 7], length 0
    16:01:33.834773 IP 10.160.0.16.63563 > 10.54.1.109.1521: Flags [S], seq 2450728715, win 29200, options [mss 1460,sackOK,TS val 1209918500 ecr 0,nop,wscale 7], length 0
But it doesn't enter the VPN tunnel (no ESP traffic):
    myuser@myvyos# sudo tcpdump -n -i any host 81.255.X.X
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    16:04:22.564658 IP 185.150.X.X.500 > 81.255.X.X.500: isakmp: phase 2/others ? inf[E]
    16:04:22.581045 IP 81.255.X.X.500 > 185.150.X.X.500: isakmp: phase 2/others ? inf[E]
Here is my tunnel 1 config:
    allow-nat-networks disable
    allow-public-networks disable
    local {
        prefix 10.54.0.0/24
    }
    protocol all
    remote {
        prefix 10.54.1.0/24
    }
    [edit]
I would also like to point out that I have no firewall services in VyOS:
    myuser@myvyos# show firewall
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects enable
    source-validation disable
    state-policy {
        established {
            action accept
        }
        related {
            action accept
        }
    }
    syn-cookies enable
    twa-hazards-protection disable
I don’t see what could specifically block this port.
Do you have any idea?
Thanks a lot.
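As an added example (not code from the post or from VyOS), a small Python checker that takes the tunnel 1 selectors shown above (local 10.54.0.0/24, remote 10.54.1.0/24, protocol all) and reports, for each inner flow in tcpdump output, whether the source and destination fall inside them. The first sample line is the port-1521 SYN from the capture above; the second is a constructed flow sourced from inside 10.54.0.0/24 for comparison.

```python
import ipaddress
import re

# Tunnel 1 traffic selectors as shown in the post (protocol all, so no port restriction).
POLICY = {"local": ipaddress.ip_network("10.54.0.0/24"),
          "remote": ipaddress.ip_network("10.54.1.0/24"),
          "protocol": "all"}

# Matches the "IP src.sport > dst.dport:" part of a tcpdump TCP/UDP line (IPv4 only).
_FLOW_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def parse_flow(line):
    """Return (src, sport, dst, dport) from a tcpdump line, or None if it carries no ports."""
    m = _FLOW_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def selector_check(src, dst, policy=POLICY):
    """Explain whether a src/dst pair lies inside the tunnel's local/remote selectors."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in policy["local"]:
        return False, f"source {src} is outside local prefix {policy['local']}"
    if d not in policy["remote"]:
        return False, f"destination {dst} is outside remote prefix {policy['remote']}"
    return True, f"inside local {policy['local']} -> remote {policy['remote']}, protocol {policy['protocol']}"

def audit(capture, policy=POLICY):
    """Run selector_check over every flow line of a capture; returns (flow, ok, reason) tuples."""
    results = []
    for line in capture.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # ESP/ISAKMP lines have no inner addresses to check
        src, sport, dst, dport = flow
        ok, reason = selector_check(src, dst, policy)
        results.append((f"{src}:{sport} -> {dst}:{dport}", ok, reason))
    return results

# Constructed sample: line 1 copies the port-1521 SYN from the post (options trimmed);
# line 2 is a made-up flow whose source sits inside the local prefix.
SAMPLE = """\
16:01:30.829546 IP 10.160.0.16.63563 > 10.54.1.109.1521: Flags [S], seq 2450728715, win 29200, length 0
16:01:40.000000 IP 10.54.0.20.40000 > 10.54.1.109.1521: Flags [S], seq 1, win 29200, length 0
"""

if __name__ == "__main__":
    for flow, ok, reason in audit(SAMPLE):
        print(("SELECTOR MATCH    " if ok else "NO SELECTOR MATCH ") + flow + ": " + reason)
```

Point it at a real `tcpdump -n` capture of the inner traffic to see which flows the tunnel's selectors would actually cover.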