Vyos IPSEC VPN client can't access network beyond vyos server

I have configured a VMware ESXi VM to run VyOS to act as an IPsec VPN access point.
When I connect from a Windows client, the client connection happens fine. Unfortunately, my Windows laptop can't access network resources beyond the router.
Here is my config (some info obscured):
vyos@vyos:~$ show version
Version: VyOS 1.2-rolling-201912100217
Built by: autobuild@vyos.net
Built on: Tue 10 Dec 2019 02:17 UTC
Build UUID: a6cb35a9-54fd-49de-81f8-d5785eb28573
Build Commit ID: 7b47b452ce86a9

Architecture: x86_64
Boot via: installed image
System type: VMware guest

Hardware vendor: VMware, Inc.
Hardware model: VMware Virtual Platform
Hardware S/N: VMware-42 05 2c e9 39 69 47 f1-f4 2d 6e 4d 6b df 53 97
Hardware UUID: e92c0542-6939-f147-f42d-6e4d6bdf5397

Copyright: VyOS maintainers and contributors
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
eth0 xyz.7.235.151/23 u/u OUTSIDE
eth1 172.21.62.230/22 u/u INSIDE
lo 127.0.0.1/8 u/u
::1/128
vyos@vyos:~$ show configuration commands
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 42 action 'accept'
set firewall name OUTSIDE-LOCAL rule 42 destination port '4500'
set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 43 action 'accept'
set firewall name OUTSIDE-LOCAL rule 43 destination port '1701'
set firewall name OUTSIDE-LOCAL rule 43 ipsec match-ipsec
set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address 'xyz.7.235.151/23'
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth0 hw-id '00:50:56:85:ca:a7'
set interfaces ethernet eth0 ip enable-proxy-arp
set interfaces ethernet eth1 address '172.21.62.230/22'
set interfaces ethernet eth1 description 'INSIDE'
set interfaces ethernet eth1 hw-id '00:50:56:85:9e:6e'
set interfaces ethernet eth1 ip enable-proxy-arp
set interfaces loopback lo
set nat source rule 110 outbound-interface 'eth0'
set nat source rule 110 source address '172.21.60.0/22'
set nat source rule 110 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop xyz.7.235.254
set service dns forwarding allow-from '172.21.60.0/22'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address '172.21.62.230'
set service dns forwarding name-server '172.21.13.167'
set service dns forwarding name-server '172.21.49.3'
set service ssh listen-address '172.21.62.230'
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'vyos'
set system login user chambers authentication encrypted-password '$z/SW8E/vKj3ZcjE5H/B164YZi3sQL.i808FhzFbVDH7n/kEe2YA3geqGx5JiNtV.'
set system login user chambers authentication plaintext-password ''
set system login user chambers level 'admin'
set system login user vyos authentication encrypted-password '$6$i9Ec62tMeyHf9rWxr1u2GPGSG90t0KnwvmY9s0CDDNqFQXEUX/'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'UTC'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username HJares password 'NotMypassword'
set vpn l2tp remote-access authentication local-users username chambers password 'NotMypassword2'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '172.21.62.231'
set vpn l2tp remote-access client-ip-pool stop '172.21.62.239'
set vpn l2tp remote-access dns-servers server-1 '172.21.13.167'
set vpn l2tp remote-access dns-servers server-2 '172.21.49.3'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'MyBigSecret'
set vpn l2tp remote-access outside-address 'xyz.7.235.151'
set vpn l2tp remote-access outside-nexthop 'xyz.7.235.254'

Any ideas or recommendations would be appreciated.

Howard
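A small configuration check written for this thread (not VyOS code and not part of the original post) that reads `show configuration commands` output and reports the things that typically stop L2TP/IPsec clients from reaching the LAN: a client pool carved out of an inside subnet without proxy-arp on that interface, missing ESP/UDP 500/UDP 4500 accept rules, and a named local ruleset that is defined but never applied to an interface (the posted config has OUTSIDE-LOCAL but no `firewall local name` binding on eth0). The sample below is a constructed excerpt of the post's config with the proxy-arp and rule 42 lines deliberately left out so the checker has something to report.

```python
import ipaddress
import shlex

# Constructed excerpt of the `show configuration commands` output in the post
# (curly quotes normalised; obscured xyz. addresses and unrelated lines omitted).
SAMPLE = """
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
set interfaces ethernet eth1 address '172.21.62.230/22'
set vpn l2tp remote-access client-ip-pool start '172.21.62.231'
set vpn l2tp remote-access client-ip-pool stop '172.21.62.239'
"""

def parse(text):
    """Split each `set ...` line into tokens, dropping `set` and the quotes."""
    return [shlex.split(l)[1:] for l in text.splitlines() if l.startswith("set ")]

def lint_l2tp(text):
    """Return findings about L2TP/IPsec client reachability in a VyOS config."""
    cmds, out = parse(text), []
    pool = {t[4]: ipaddress.ip_address(t[5]) for t in cmds if t[3:4] == ["client-ip-pool"]}
    nets = {t[2]: ipaddress.ip_interface(t[4]).network for t in cmds
            if t[:2] == ["interfaces", "ethernet"] and t[3:4] == ["address"]}
    proxy = {t[2] for t in cmds if t[3:] == ["ip", "enable-proxy-arp"]}
    # Pool carved out of a LAN subnet: LAN hosts ARP for the client addresses, so
    # the router must answer on that interface (proxy-arp) or replies never arrive.
    for name, net in nets.items():
        if pool["start"] in net and pool["stop"] in net and name not in proxy:
            out.append(f"pool inside {net} but {name} lacks ip enable-proxy-arp")
    # Local firewall: ESP, UDP/500 and UDP/4500 must be accepted, and a named
    # ruleset only takes effect once it is bound to an interface.
    rules, bound = {}, set()
    for t in cmds:
        if t[:2] == ["firewall", "name"] and t[3:4] == ["rule"]:
            rules.setdefault((t[2], t[4]), {})[t[5]] = t[-1]
        if t[:2] == ["interfaces", "ethernet"] and t[3:6] == ["firewall", "local", "name"]:
            bound.add(t[6])
    for name in sorted({n for n, _ in rules}):
        accepted = {(r.get("protocol"), r.get("destination"))
                    for (n, _), r in rules.items() if n == name and r.get("action") == "accept"}
        for proto, port in [("esp", None), ("udp", "500"), ("udp", "4500")]:
            if (proto, port) not in accepted:
                out.append(f"{name}: no accept rule for {proto}/{port or 'any'}")
        if name not in bound:
            out.append(f"{name}: defined but not applied to any interface (firewall local name)")
    return out
```

Run `lint_l2tp(SAMPLE)` to list the findings; feeding it the full output of `show configuration commands` from the router works the same way once the curly quotes are normalised.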

Hello @HMJares, can you try enabling proxy-arp on the second interface?
set interfaces ethernet eth1 ip enable-proxy-arp
If that does not help, try capturing traffic and run ping from your Windows PC to some resource.

Thanks for the quick response.
That was already in the configuration.
I noticed that I had entered the enable-proxy-arp for both eth0 and eth1.
I tried removing the one associated with eth0.
Still didn’t work.
I will get wireshark log in a little while.
Howard

Without outside-nexthop, does the problem still appear?
delete vpn l2tp remote-access outside-nexthop

@HMJares do you have any news?

I made that change, but it still didn’t work.
Sorry I was busy and didn’t reply sooner.
Earlier you suggested Wireshark or tcpdump.
I can do it on laptop connecting to VPN.
Would it be beneficial to run tcpdump on vyos system? If so, on eth1 or eth0 or both?

Howard

Yes, capture traffic on VyOS eth1 and run ping from the remotely connected laptop
monitor traffic interface eth0 save /tmp/dump.pcap

I am not sure if this is related or not, but I tried this before I connected (and after I connected):
show vpn ipsec status
IPSec process Running PID: 1975
1 Active IPSec Tunnels
IPsec Interfaces
eth0 (No IP interface statically configured as local-ip for any VPN peer)

When I ran the monitor traffic interface eth1 as you requested, our network seemed to be having issues where we were getting tons of ARP requests. Almost no other datagrams.

I am going to discuss this with our network manager to make sure he doesn’t have a problem that is causing my vyos vpn to fail.

Howard