[VPN + NAT] Strange problem


#1

Hi,
I have a strange problem with my VyOS configuration.

I have an IPsec VPN with a partner.
We have agreed on a network range because of an overlap problem.

  • 10.54.0.0/24 is for us
  • 10.54.1.0/24 is for the partner

If my company wants to access the partner, we must use 10.54.1.0/24, and vice versa.

When we try to access 10.54.1.109 on port 8080, we can see ESP traffic in the VPN tunnel:

myuser@myvyos# sudo tcpdump -n -i any host 81.255.X.X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

15:57:22.231238 IP 185.150.X.X.500 > 81.255.X.X.500: isakmp: phase 2/others ? inf[E]
15:57:22.247212 IP 81.255.X.X.500 > 185.150.X.X.500: isakmp: phase 2/others ? inf[E]
15:57:23.416373 IP 185.150.X.X > 81.255.X.X: ESP(spi=0x058f0923,seq=0x1), length 100
15:57:24.417143 IP 185.150.X.X > 81.255.X.X: ESP(spi=0x058f0923,seq=0x2), length 100

All TCP/UDP/ICMP ports work.

However, TCP port 1521 does not seem to enter the VPN. I can see it arrive at the VyOS router:

myuser@myvyos# sudo tcpdump -n -i any net 10.54.0.0/15
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
16:01:30.829546 IP 10.160.0.16.63563 > 10.54.1.109.1521: Flags [S], seq 2450728715, win 29200, options [mss 1460,sackOK,TS val 1209915494 ecr 0,nop,wscale 7], length 0
16:01:31.830687 IP 10.160.0.16.63563 > 10.54.1.109.1521: Flags [S], seq 2450728715, win 29200, options [mss 1460,sackOK,TS val 1209916496 ecr 0,nop,wscale 7], length 0
16:01:33.834773 IP 10.160.0.16.63563 > 10.54.1.109.1521: Flags [S], seq 2450728715, win 29200, options [mss 1460,sackOK,TS val 1209918500 ecr 0,nop,wscale 7], length 0

But it does not enter the VPN tunnel (no ESP traffic):

myuser@myvyos# sudo tcpdump -n -i any host 81.255.X.X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
16:04:22.564658 IP 185.150.X.X.500 > 81.255.X.X.500: isakmp: phase 2/others ? inf[E]
16:04:22.581045 IP 81.255.X.X.500 > 185.150.X.X.500: isakmp: phase 2/others ? inf[E]

Here is my tunnel 1 config:

 allow-nat-networks disable
 allow-public-networks disable
 local {
     prefix 10.54.0.0/24
 }
 protocol all
 remote {
     prefix 10.54.1.0/24
 }
[edit]

I would also like to point out that I have no firewall rules in VyOS:

myuser@myvyos# show firewall
 all-ping enable
 broadcast-ping disable
 config-trap disable
 group {
 }
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 receive-redirects disable
 send-redirects enable
 source-validation disable
 state-policy {
     established {
         action accept
     }
     related {
         action accept
     }
 }
 syn-cookies enable
 twa-hazards-protection disable

I don't see what could specifically block this port.
Do you have any idea?

Thanks a lot


#2

On your side you only configure 10.54.0.0/24 on your tunnel end, but you try to connect from 10.160.0.16.

So you have to allow this net in the tunnel config or NAT it to an IP in the 10.54.0.0/24 net.


#3

Hi,
I'm posting the solution here, as I'm working with the OP.
Syncer told us the solution to the issue on Slack, and I guess we would never have found it by ourselves.
Abstract of the issue:

In an IPsec VPN, when we try to contact a remote server, we can see packets entering the VPN tunnel for everything but port 1521.

The solution provided by syncer was:
set system conntrack modules sqlnet disable

Explanation of the issue:

It's a bug.
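The fix above turns off a conntrack helper (an ALG) that attaches itself to SQL*Net flows on tcp/1521 and handles them differently from every other port. The script below is an added example and is not code from the thread or from VyOS: it reads the kernel's connection table (`conntrack -L` from conntrack-tools) and lists the flows toward the partner prefix that a helper has claimed, then maps the helper to the `set system conntrack modules ... disable` command. Offline it falls back to a constructed sample of `conntrack -L` output. The helper label "tns" for the SQL*Net helper, and the pairing of helper labels with VyOS module keywords, are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from VyOS): find conntrack flows toward
# the partner prefix that a kernel conntrack helper (ALG) has attached to.
# On the router it reads `conntrack -L`; offline it uses the CONSTRUCTED sample.

# Constructed sample of `conntrack -L` output: one flow to 10.54.1.109:1521
# claimed by a helper (label "tns" is an assumption), one plain flow to 8080.
SAMPLE_CONNTRACK='tcp      6 119 SYN_SENT src=10.160.0.16 dst=10.54.1.109 sport=63563 dport=1521 [UNREPLIED] src=10.54.1.109 dst=10.54.0.16 sport=1521 dport=63563 mark=0 helper=tns use=1
tcp      6 431999 ESTABLISHED src=10.160.0.16 dst=10.54.1.109 sport=50001 dport=8080 src=10.54.1.109 dst=10.54.0.16 sport=8080 dport=50001 [ASSURED] mark=0 use=1'

# helper_claimed_flows PREFIX   (stdin: conntrack -L output)
# Prints "original-dst original-dport helper" for every flow whose original
# destination starts with PREFIX and which carries a helper=... field.
# conntrack prints the original tuple before the reply tuple, so the first
# dst=/dport= on a line is the client's view of the connection.
helper_claimed_flows() {
    awk -v p="$1" '
    {
        dst = ""; dport = ""; helper = ""
        for (i = 1; i <= NF; i++) {
            if (dst == ""   && $i ~ /^dst=/)   dst    = substr($i, 5)
            if (dport == "" && $i ~ /^dport=/) dport  = substr($i, 7)
            if ($i ~ /^helper=/)               helper = substr($i, 8)
        }
        if (helper != "" && index(dst, p) == 1) print dst, dport, helper
    }'
}

# vyos_disable_cmd HELPER
# Maps a helper label to the VyOS command that disables that module.
# tns -> sqlnet is an assumption; ftp/sip/pptp/tftp are assumed to share names.
vyos_disable_cmd() {
    case "$1" in
        tns)               mod=sqlnet ;;
        ftp|sip|pptp|tftp) mod=$1 ;;
        *) echo "unknown helper: $1" >&2; return 1 ;;
    esac
    echo "set system conntrack modules $mod disable"
}

# Stand-alone use: real table if conntrack-tools is installed (and we are
# root), otherwise the constructed sample. Partner prefix from the thread.
if command -v conntrack >/dev/null 2>&1; then
    flows=$(conntrack -L 2>/dev/null | helper_claimed_flows 10.54.1.)
else
    flows=$(printf '%s\n' "$SAMPLE_CONNTRACK" | helper_claimed_flows 10.54.1.)
fi
echo "$flows" | while read -r dst dport helper; do
    [ -n "$helper" ] || continue
    echo "flow to $dst:$dport claimed by helper '$helper' -> $(vyos_disable_cmd "$helper")"
done
```

A flow that appears here with a helper while its siblings on other ports do not is the signature to look for; a flow with no helper= field is handled by plain conntrack and should behave like the port 8080 traffic in the original post.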


#4

Hi,

NAT is configured:

myuser@myvyos:~$ show nat source rules
Disabled rules are not shown
Codes: X - exclude rule, M - masquerade rule

rule   intf         translation
----   ----         -----------
1      eth3         saddr 10.160.0.14 to 10.54.0.14
       proto-all    sport ANY
       Desc: mydsc

2      eth3         saddr 10.160.0.15 to 10.54.0.15
       proto-all    sport ANY
       Desc: mydsc

3      eth3         saddr 10.160.0.16 to 10.54.0.16
       proto-all    sport ANY

4      eth3         saddr 10.160.0.17 to 10.54.0.17
       proto-all    sport ANY
       Desc: mydsc

And we can see NAT statistics:

myuser@myvyos:~$ show nat source statistics
rule   pkts   bytes   interface
----   ----   -----   ---------
1      0      0       eth3
2      0      0       eth3
3      3840   230K    eth3
4      0      0       eth3

