===== VyOS VPN with NAT =====
{{tag>AWS VyOS VPN NAT}}

==== Description ====

This example covers a specific use case: a software vendor establishes a site-to-site VPN and allows traffic only between two single private IPs, one on their end and one on yours, but you need to reach their server from a cluster of instances or containers. With this configuration the site-to-site VPN terminates on a VyOS instance whose private IP is the one the vendor allows. The VyOS instance then performs masquerade (source) NAT for the other instances in the VPC so they can reach the vendor server. The vendor server sees all traffic as originating from the VyOS instance's private IP across the VPN.

This type of setup does not work if the vendor needs to initiate connections to your side, unless you can forward those connections to a single system. Whenever this kind of configuration is used you should inform your software vendor and verify that it does not violate their terms of service.

==== Diagram ====

{{ :images:svg:vyos_vpn_nat.svg | VyOS VPN with NAT}}

==== VyOS Configuration ====

<code>
set interfaces ethernet eth0 address 'dhcp'
set interfaces loopback lo
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 translation address 'masquerade'
set vpn ipsec esp-group esp_group compression 'disable'
set vpn ipsec esp-group esp_group lifetime '3600'
set vpn ipsec esp-group esp_group mode 'tunnel'
set vpn ipsec esp-group esp_group pfs 'enable'
set vpn ipsec esp-group esp_group proposal 1 encryption 'aes128'
set vpn ipsec esp-group esp_group proposal 1 hash 'sha1'
set vpn ipsec ike-group ike_group ikev2-reauth 'no'
set vpn ipsec ike-group ike_group key-exchange 'ikev1'
set vpn ipsec ike-group ike_group lifetime '28800'
set vpn ipsec ike-group ike_group mode 'main'
set vpn ipsec ike-group ike_group proposal 1 dh-group '2'
set vpn ipsec ike-group ike_group proposal 1 encryption 'aes128'
set vpn ipsec ike-group ike_group proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 50.100.200.123 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 50.100.200.123 authentication pre-shared-secret '5kmw5kybhqnxasgqbuk3'
set vpn ipsec site-to-site peer 50.100.200.123 connection-type 'respond'
set vpn ipsec site-to-site peer 50.100.200.123 default-esp-group 'esp_group'
set vpn ipsec site-to-site peer 50.100.200.123 dhcp-interface 'eth0'
set vpn ipsec site-to-site peer 50.100.200.123 ike-group 'ike_group'
set vpn ipsec site-to-site peer 50.100.200.123 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 50.100.200.123 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 50.100.200.123 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 50.100.200.123 tunnel 1 esp-group 'esp_group'
set vpn ipsec site-to-site peer 50.100.200.123 tunnel 1 local prefix '10.32.64.10/32'
set vpn ipsec site-to-site peer 50.100.200.123 tunnel 1 protocol 'all'
set vpn ipsec site-to-site peer 50.100.200.123 tunnel 1 remote prefix '192.168.168.20/32'
</code>

==== Example Vendor Firewall Configuration ====

This example is from a Cisco ASA 5505.

<code>
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.168.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.100.200.123 255.255.255.128
!
object network inside
 subnet 192.168.168.0 255.255.255.0
object network srv-inside
 host 192.168.168.20
object network srv-amzn
 host 10.32.64.10
access-list outside extended permit ip host 3.200.100.50 interface outside
access-list srv-amzn extended permit ip object srv-inside object srv-amzn
nat (inside,outside) source static srv-inside srv-inside destination static srv-amzn srv-amzn
!
object network inside
 nat (inside,outside) dynamic interface
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 50.100.200.1 1
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto map amzn_vpn_map 1 match address srv-amzn
crypto map amzn_vpn_map 1 set pfs
crypto map amzn_vpn_map 1 set connection-type answer-only
crypto map amzn_vpn_map 1 set peer 3.200.100.50
crypto map amzn_vpn_map 1 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map 1 set security-association lifetime seconds 3600
crypto map amzn_vpn_map interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
tunnel-group 3.200.100.50 type ipsec-l2l
tunnel-group 3.200.100.50 ipsec-attributes
 ikev1 pre-shared-key 5kmw5kybhqnxasgqbuk3
!
policy-map global_policy
 class inspection_default
  inspect icmp
</code>
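==== Cross-checking Both Ends ====

The usual reasons a tunnel like this fails to come up are a proposal mismatch between the two ends, swapped or too-wide traffic selectors, and both ends waiting for the other to initiate. The script below is an added example, not part of this page's original configuration and not VyOS or Cisco code: it parses the VyOS `set` commands and the ASA running-config shown above and compares the IKE and ESP proposals, the /32 selectors and the initiator role. Both configuration texts are embedded as copied from this page, trimmed to the lines the checks need; the `ASA_TO_VYOS` keyword map and every function name are this example's own.

```python
"""Cross-check the VyOS and Cisco ASA IPsec settings from this page (added example, not VyOS
or Cisco code). Both configs are the page's own, trimmed to the lines the checks need and
embedded so the script runs offline; one site-to-site peer with one tunnel is assumed."""
import ipaddress
import shlex

VYOS_CONFIG = """
set vpn ipsec esp-group esp_group pfs 'enable'
set vpn ipsec esp-group esp_group proposal 1 encryption 'aes128'
set vpn ipsec esp-group esp_group proposal 1 hash 'sha1'
set vpn ipsec ike-group ike_group proposal 1 dh-group '2'
set vpn ipsec ike-group ike_group proposal 1 encryption 'aes128'
set vpn ipsec ike-group ike_group proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 50.100.200.123 connection-type 'respond'
set vpn ipsec site-to-site peer 50.100.200.123 ike-group 'ike_group'
set vpn ipsec site-to-site peer 50.100.200.123 tunnel 1 esp-group 'esp_group'
set vpn ipsec site-to-site peer 50.100.200.123 tunnel 1 local prefix '10.32.64.10/32'
set vpn ipsec site-to-site peer 50.100.200.123 tunnel 1 remote prefix '192.168.168.20/32'
"""

ASA_CONFIG = """
object network srv-inside
 host 192.168.168.20
object network srv-amzn
 host 10.32.64.10
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto map amzn_vpn_map 1 set pfs
crypto map amzn_vpn_map 1 set connection-type answer-only
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
"""

# ASA keywords mapped onto the VyOS spelling of the same algorithm ("aes" on an ASA is AES-128)
ASA_TO_VYOS = {"aes": "aes128", "esp-aes": "aes128", "sha": "sha1", "esp-sha-hmac": "sha1"}


def parse_vyos(text):
    """Map each 'set <path> <value>' line to {path_tuple: value}."""
    rows = [shlex.split(line)[1:] for line in text.splitlines() if line.startswith("set ")]
    return {tuple(r[:-1]): r[-1] for r in rows}


def parse_asa(text):
    """Group indented ASA sub-commands under their parent line: {parent: [children]}."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            current = None
        elif line[0].isspace() and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def vyos_summary(cfg):
    """Normalised view of the VyOS side: IKE/ESP proposals, selectors, initiator role."""
    peer = next(k[4] for k in cfg if k[:4] == ("vpn", "ipsec", "site-to-site", "peer"))
    p = ("vpn", "ipsec", "site-to-site", "peer", peer)
    ike = ("vpn", "ipsec", "ike-group", cfg[p + ("ike-group",)], "proposal", "1")
    esp = ("vpn", "ipsec", "esp-group", cfg[p + ("tunnel", "1", "esp-group")])
    return {
        "ike": (cfg[ike + ("encryption",)], cfg[ike + ("hash",)], cfg[ike + ("dh-group",)]),
        "esp": (cfg[esp + ("proposal", "1", "encryption")], cfg[esp + ("proposal", "1", "hash")],
                cfg[esp + ("pfs",)] == "enable"),
        "local": ipaddress.ip_network(cfg[p + ("tunnel", "1", "local", "prefix")]),
        "remote": ipaddress.ip_network(cfg[p + ("tunnel", "1", "remote", "prefix")]),
        "responder_only": cfg.get(p + ("connection-type",)) == "respond",
    }


def asa_summary(blocks):
    """Same view of the ASA side, with its keywords translated to VyOS spelling."""
    policy = dict(c.split(None, 1) for k, v in blocks.items() if k.startswith("crypto ikev1 policy ") for c in v)
    ts = next(k for k in blocks if k.startswith("crypto ipsec ikev1 transform-set ")).split()
    host = lambda name: ipaddress.ip_network(blocks["object network " + name][0].split()[1])
    return {
        "ike": (ASA_TO_VYOS[policy["encryption"]], ASA_TO_VYOS[policy["hash"]], policy["group"]),
        "esp": (ASA_TO_VYOS[ts[5]], ASA_TO_VYOS[ts[6]], any(k.endswith(" set pfs") for k in blocks)),
        "local": host("srv-amzn"),  # the ASA's far-end host is the VyOS local prefix, and vice versa
        "remote": host("srv-inside"),
        "responder_only": any(k.endswith(" set connection-type answer-only") for k in blocks),
    }


def findings(v, a):
    """Problems a reviewer would raise; an empty list means both ends agree and one can initiate."""
    out = [f"{k}: VyOS={v[k]} ASA={a[k]}" for k in ("ike", "esp", "local", "remote") if v[k] != a[k]]
    if v["responder_only"] and a["responder_only"]:
        out.append("both ends responder-only (VyOS 'respond', ASA 'answer-only'); neither will initiate")
    return out


def legacy_parameters(v):
    """Settings that still negotiate but that current guidance replaces (small DH groups, SHA-1)."""
    weak_dh = v["ike"][2] in ("1", "2", "5")
    out = [f"dh-group {v['ike'][2]} is a MODP group of 1536 bits or less; use 14 or larger"] if weak_dh else []
    return out + (["sha1 integrity; use sha256"] if "sha1" in (v["ike"][1], v["esp"][1]) else [])


if __name__ == "__main__":
    v, a = vyos_summary(parse_vyos(VYOS_CONFIG)), asa_summary(parse_asa(ASA_CONFIG))
    print("\n".join(findings(v, a) + legacy_parameters(v)) or "both ends agree")
```

Run as is, the proposals and selectors on the two ends match, but the script reports one finding on the page's configuration: the VyOS `connection-type 'respond'` and the ASA `set connection-type answer-only` are both responder-only, so one side has to be allowed to initiate before the tunnel can come up. It also lists `dh-group 2` and `sha1` as legacy choices that both platforms still accept; since the vendor controls the far end, any change to those has to be agreed with them. Lifetimes are deliberately not compared, because IKEv1 peers settle on the shorter value rather than failing.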