(vyos 1.4) (vpn) help basic example for ipsec behind nat (maybe using psk)

good morning,
i am trying to understand (maybe with a basic example) how I can create an ipsec tunnel between two vyos 1.4 routers, with one sitting behind a nat, using psk if possible.

thank you VERY much!

edit:
both sides have static public ip.

edit:
added my config

#STATIC IP SIDE (not NAT-ted)
# Responder side: this router never initiates (connection-type respond) and
# accepts the IKE peer from any source address (remote-address 'any'), so the
# peer is identified by the PSK id pair below, not by its IP.

set vpn ipsec interface 'eth1'

# ESP (phase 2) parameters. PFS is enabled, so each child-SA rekey does its own
# DH exchange; the DH group comes from the ike-group, where none is set below.
# NOTE(review): confirm what VyOS 1.4 negotiates when no dh-group is configured.
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'

# IKE (phase 1) parameters. Proposal 1 has no explicit dh-group; set one
# (e.g. 'proposal 1 dh-group 14') rather than rely on a default. SHA-1 as the
# IKE hash is deprecated; 'sha256' is accepted here. IKEv2 ('key-exchange ikev2')
# carries NAT traversal natively and exchanges IDs inside the encrypted
# IKE_AUTH step, which suits a NAT-ted peer better than IKEv1.
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'

# Keep tunnel traffic out of source NAT so it leaves with its 10.0.0.0/24
# source and matches the ESP selector. This exclude must sort before any
# masquerade rule on eth1 that would also match 10.0.0.0/24 — verify no
# lower-numbered source NAT rule exists.
set nat source rule 10 exclude
set nat source rule 10 source address '10.0.0.0/24'
set nat source rule 10 destination address '20.0.0.0/24'
set nat source rule 10 outbound-interface name eth1

# One PSK entry ('antani') bound to both identities. The secret shown is a
# short dictionary word; use a long random secret in a real deployment.
set vpn ipsec authentication psk antani id 'psk-id-LEFT'
set vpn ipsec authentication psk antani id 'psk-id-RIGHT'
set vpn ipsec authentication psk antani secret 'tapioca'

# local-id / remote-id must be the mirror image of the peer's configuration.
# local-address is an RFC 1918 address on the side labelled "static public";
# presumably a lab address — it must be whatever the peer can actually reach.
# remote-address 'any' means any host presenting 'psk-id-RIGHT' with the right
# PSK can bring the tunnel up; if the NAT's public address is static (the post
# says both sides are), pinning remote-address to it narrows that.
set vpn ipsec site-to-site peer OFFICE-B authentication local-id 'psk-id-LEFT'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id 'psk-id-RIGHT'
set vpn ipsec site-to-site peer OFFICE-B authentication mode pre-shared-secret
set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike'
#set vpn ipsec site-to-site peer OFFICE-B local-address '10.154.12.110'
set vpn ipsec site-to-site peer OFFICE-B local-address '192.168.104.112'
set vpn ipsec site-to-site peer OFFICE-B remote-address 'any'
set vpn ipsec site-to-site peer OFFICE-B connection-type respond
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '10.0.0.0/24'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '20.0.0.0/24'
#DYNAMIC IP SIDE (NAT-ted)
# Initiator side: this router opens the tunnel (connection-type initiate)
# towards a fixed remote-address, using local-address 'any' because its own
# outside address is behind NAT.

set vpn ipsec interface 'eth0'

# ESP (phase 2) parameters; these must match the peer's esp-group exactly.
# PFS is enabled but no dh-group is set in the ike-group below.
# NOTE(review): confirm what VyOS 1.4 negotiates when dh-group is omitted.
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'

# IKE (phase 1) parameters; must match the peer's ike-group. Add an explicit
# 'proposal 1 dh-group' and prefer 'hash sha256' over SHA-1. IKEv2
# ('key-exchange ikev2') handles NAT traversal natively, which is the case here.
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'

# Exclude LAN-to-LAN traffic from source NAT so it keeps its 20.0.0.0/24
# source and matches the tunnel selector. Must sort ahead of any masquerade
# rule on eth0 covering 20.0.0.0/24 — verify rule ordering.
set nat source rule 10 exclude
set nat source rule 10 source address '20.0.0.0/24'
set nat source rule 10 destination address '10.0.0.0/24'
set nat source rule 10 outbound-interface name eth0

# Same PSK entry and id pair as the peer. The secret shown is a short
# dictionary word; use a long random secret outside a lab.
set vpn ipsec authentication psk antani id 'psk-id-LEFT'
set vpn ipsec authentication psk antani id 'psk-id-RIGHT'
set vpn ipsec authentication psk antani secret 'tapioca'

# local-id / remote-id are the mirror image of the peer's settings.
# remote-address is an RFC 1918 address; presumably a lab address, otherwise it
# must be the peer's reachable public address.
set vpn ipsec site-to-site peer OFFICE-A authentication local-id 'psk-id-RIGHT'
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id 'psk-id-LEFT'
set vpn ipsec site-to-site peer OFFICE-A authentication mode pre-shared-secret
set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-A local-address 'any'
#set vpn ipsec site-to-site peer OFFICE-A remote-address '10.154.12.110'
set vpn ipsec site-to-site peer OFFICE-A remote-address '192.168.104.112'
set vpn ipsec site-to-site peer OFFICE-A connection-type initiate
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 local prefix '20.0.0.0/24'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 remote prefix '10.0.0.0/24'

The only thing that jumps out at me is that you don’t have a dh-group in your IKE proposal. Is it really optional? I always set it explicitly, so I’m not sure what will happen without it. Other than that, your config looks fine to me. I’m still using 1.3, though.

The other thing I like to do is to use a virtual interface (a holdover from my Cisco days long ago). That way, my monitoring software can pick up on the interface status and I get notifications when it changes. Also, you have something to use with a static route for that OpenVPN TUN network on the other side.
