Hello
I have temporal scheme for one customer, which requires secure access from the main company network via IPSEC.
IPSEC is done with Cisco ASA. It is working fine.
One thing Vyos is not NATing internal network outside.
Hence no Internet provided to internal network.
Suprisingly, from the vyos itself the Internet is reachable.
Can you please review the configuration to show me where I did wrong. However, talking about NAT solely looks pretty simple and straightforward.
Configuration:
firewall {
all-ping enable
broadcast-ping disable
config-trap disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name LAN-IN {
default-action accept
rule 10 {
action accept
}
}
name LAN-OUT {
default-action accept
rule 10 {
action accept
}
}
name TO-LAN-IPV4 {
default-action drop
rule 50 {
action accept
description "Allow traffic from site-to-site VPN"
destination {
address 192.168.88.0/24
}
source {
address 172.29.131.0/24
}
}
}
name TO-ROUTER-IPV4 {
default-action drop
rule 50 {
action accept
description "Allow ISAKMP"
destination {
port 500
}
protocol udp
}
rule 51 {
action accept
description "Allow ESP"
protocol esp
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
twa-hazards-protection disable
}
interfaces {
ethernet eth0 {
address 192.168.0.97/24
description WAN
duplex auto
firewall {
out {
name LAN-OUT
}
}
hw-id 08:00:27:41:8f:38
mtu 1300
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.88.1/24
description Inside
duplex auto
firewall {
out {
name LAN-IN
}
}
hw-id 08:00:27:27:52:10
smp_affinity auto
speed auto
}
loopback lo {
}
}
nat {
source {
rule 10 {
description "NAT Exclude traffic over site-to-site VPN"
destination {
address 172.29.131.0/24
}
exclude
log enable
outbound-interface eth0
source {
address 192.168.88.0/24
}
}
rule 30 {
destination {
address 0.0.0.0/0
}
log enable
outbound-interface eth0
source {
address 192.168.88.0/24
}
translation {
address masquerade
}
}
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 192.168.0.1 {
}
}
}
}
service {
ssh {
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
host-name vyos
login {
user vyos {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
}
name-server 8.8.8.8
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
package {
auto-sync 1
repository community {
components main
distribution helium
password ****************
url http://packages.vyos.net/vyos
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
vpn {
ipsec {
esp-group ESP-1W {
compression disable
lifetime 28800
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE-1W {
ikev2-reauth no
key-exchange ikev1
lifetime 86400
proposal 1 {
dh-group 2
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer XX.YY.ZZ.YY {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
connection-type initiate
default-esp-group ESP-1W
ike-group IKE-1W
ikev2-reauth inherit
local-address 192.168.0.97
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group ESP-1W
local {
prefix 192.168.88.0/24
}
remote {
prefix 172.29.131.0/24
}
}
}
}
}
}