good morning,
I am trying to understand (maybe with a basic example) how I can create an IPsec tunnel between two VyOS 1.4 routers, with one sitting behind a NAT, using a PSK if possible.
thank you VERY much!
edit:
both sides have static public ip.
edit:
added my config
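#STATIC IP SIDE (not NAT-ted)
# This side cannot know the address the NAT-ted peer will arrive from, so it
# only answers ('remote-address any' + 'connection-type respond') and selects
# the pre-shared key by IKE identity (local-id / remote-id), not by address.
set vpn ipsec interface 'eth1'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
# sha256 instead of sha1: SHA-1 is deprecated for integrity protection.
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha256'
# IKEv2 instead of IKEv1: IKEv2 negotiates NAT traversal as part of the
# exchange and authenticates on the configured IDs, which is what a PSK peer
# behind NAT needs; both sides must use the same key-exchange value.
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev2'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha256'
# Pin the Diffie-Hellman group explicitly (group 14 = 2048-bit MODP) rather
# than relying on the release default. With 'pfs enable' the ESP rekey is
# expected to reuse this group -- confirm on your build.
set vpn ipsec ike-group office-srv-ike proposal 1 dh-group '14'
# Exclude the tunnel prefixes (tunnel 0 local/remote below) from source NAT so
# the inner packets keep their 10.0.0.0/24 source and match the IPsec policy.
set nat source rule 10 exclude
set nat source rule 10 source address '10.0.0.0/24'
set nat source rule 10 destination address '20.0.0.0/24'
set nat source rule 10 outbound-interface name eth1
# Both peer identities are listed on the PSK entry so the key is found
# whichever identity the peer presents. 'tapioca' is a sample value; use a
# long random secret, identical on both routers, before deploying.
set vpn ipsec authentication psk antani id 'psk-id-LEFT'
set vpn ipsec authentication psk antani id 'psk-id-RIGHT'
set vpn ipsec authentication psk antani secret 'tapioca'
# local-id here must equal the peer's remote-id and vice versa (see OFFICE-A).
set vpn ipsec site-to-site peer OFFICE-B authentication local-id 'psk-id-LEFT'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id 'psk-id-RIGHT'
set vpn ipsec site-to-site peer OFFICE-B authentication mode pre-shared-secret
set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike'
#set vpn ipsec site-to-site peer OFFICE-B local-address '10.154.12.110'
# local-address must be an address configured on the 'vpn ipsec interface' above.
set vpn ipsec site-to-site peer OFFICE-B local-address '192.168.104.112'
set vpn ipsec site-to-site peer OFFICE-B remote-address 'any'
set vpn ipsec site-to-site peer OFFICE-B connection-type respond
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '10.0.0.0/24'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '20.0.0.0/24'
#DYNAMIC IP SIDE (NAT-ted)
# This side initiates, because only it can reach the other router's fixed
# address through the NAT. The edit above says this side has a static public
# address too; if eth0's address is fixed it can replace 'any' in local-address
# below -- confirm against the actual interface configuration.
set vpn ipsec interface 'eth0'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
# Proposals must match the static side exactly (aes256 / sha256, ikev2, dh 14).
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha256'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev2'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha256'
set vpn ipsec ike-group office-srv-ike proposal 1 dh-group '14'
# Mirror of the static side's NAT exclusion: keep 20.0.0.0/24 -> 10.0.0.0/24
# out of source NAT so it matches tunnel 0 below.
set nat source rule 10 exclude
set nat source rule 10 source address '20.0.0.0/24'
set nat source rule 10 destination address '10.0.0.0/24'
set nat source rule 10 outbound-interface name eth0
# Same PSK entry and the same secret as the static side.
set vpn ipsec authentication psk antani id 'psk-id-LEFT'
set vpn ipsec authentication psk antani id 'psk-id-RIGHT'
set vpn ipsec authentication psk antani secret 'tapioca'
# IDs are swapped relative to OFFICE-B: our local-id is their remote-id.
set vpn ipsec site-to-site peer OFFICE-A authentication local-id 'psk-id-RIGHT'
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id 'psk-id-LEFT'
set vpn ipsec site-to-site peer OFFICE-A authentication mode pre-shared-secret
set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-A local-address 'any'
#set vpn ipsec site-to-site peer OFFICE-A remote-address '10.154.12.110'
# remote-address is the static side's local-address as reachable through the NAT.
set vpn ipsec site-to-site peer OFFICE-A remote-address '192.168.104.112'
set vpn ipsec site-to-site peer OFFICE-A connection-type initiate
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 local prefix '20.0.0.0/24'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 remote prefix '10.0.0.0/24'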