
VyOS VPN with NAT

Description

This example covers a specific use case: a software vendor establishes a site-to-site VPN and allows traffic only between two single private IPs, one on their end and one on yours, but you need to reach their server from a cluster of instances or containers. With this configuration the site-to-site VPN terminates on a VyOS instance whose private IP is the one the vendor allows. The VyOS instance then performs masquerade NAT for the other instances in the VPC so they can reach the vendor server. The vendor server sees all traffic as originating from the VyOS instance's private IP across the VPN. This type of setup will not work if the vendor needs to initiate connections to your IP, unless you are able to forward those connections to a single system. Whenever this type of configuration is used you should inform your software vendor and verify that it does not violate their terms of service.

Diagram


VyOS Configuration

# VyOS side of the tunnel. eth0 is the only interface: it carries both the
# traffic from the other instances in the VPC and the IPsec session to the
# vendor. The address comes from DHCP (the instance's private IP, 10.32.64.10
# in this example, which is also the 'local prefix' of the tunnel below).
set interfaces ethernet eth0 address 'dhcp'
set interfaces loopback lo
# Source NAT (masquerade): other instances forwarding through this box appear
# to the vendor as this instance's private IP, the only address the vendor
# permits. NOTE(review): as written the rule masquerades everything that
# leaves eth0, not only traffic bound for the vendor host; adding
# 'destination address 192.168.168.20/32' to rule 100 confines the NAT to
# the tunnel traffic.
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 translation address 'masquerade'
# Phase 2 (ESP). lifetime 3600 s matches the vendor's
# 'security-association lifetime seconds 3600'; PFS uses the IKE group's DH
# group. aes128 / sha1 mirror the vendor transform set 'esp-aes esp-sha-hmac'.
set vpn ipsec esp-group esp_group compression 'disable'
set vpn ipsec esp-group esp_group lifetime '3600'
set vpn ipsec esp-group esp_group mode 'tunnel'
set vpn ipsec esp-group esp_group pfs 'enable'
set vpn ipsec esp-group esp_group proposal 1 encryption 'aes128'
set vpn ipsec esp-group esp_group proposal 1 hash 'sha1'
# Phase 1: IKEv1 main mode, matching the vendor's 'crypto ikev1 policy 201'.
# dh-group 2 (1024-bit MODP) and SHA-1 are legacy choices kept here only
# because the vendor side uses them; negotiate a larger DH group and a SHA-2
# hash with the vendor where their device supports it. ikev2-reauth has no
# effect with key-exchange 'ikev1'.
set vpn ipsec ike-group ike_group ikev2-reauth 'no'
set vpn ipsec ike-group ike_group key-exchange 'ikev1'
set vpn ipsec ike-group ike_group lifetime '28800'
set vpn ipsec ike-group ike_group mode 'main'
set vpn ipsec ike-group ike_group proposal 1 dh-group '2'
set vpn ipsec ike-group ike_group proposal 1 encryption 'aes128'
set vpn ipsec ike-group ike_group proposal 1 hash 'sha1'
# Peer = the vendor firewall's outside address. The pre-shared secret below
# is an example value that is printed on this page (and again in the ASA
# example); replace it with a long, randomly generated secret agreed with the
# vendor and keep the real value out of shared documentation.
set vpn ipsec site-to-site peer 50.100.200.123 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 50.100.200.123 authentication pre-shared-secret '5kmw5kybhqnxasgqbuk3'
# NOTE(review): 'respond' means this side never starts IKE. The vendor example
# is also passive ('set connection-type answer-only'), so as written neither
# peer brings the tunnel up; one side must initiate (on VyOS: 'initiate').
set vpn ipsec site-to-site peer 50.100.200.123 connection-type 'respond'
set vpn ipsec site-to-site peer 50.100.200.123 default-esp-group 'esp_group'
# dhcp-interface: the IKE local address follows eth0's DHCP lease (a private
# IP). The vendor peers with the public IP that fronts this instance
# (presumably 3.200.100.50, the peer in the ASA example) — verify the public
# IP in your environment and that it is statically mapped to this instance.
set vpn ipsec site-to-site peer 50.100.200.123 dhcp-interface 'eth0'
set vpn ipsec site-to-site peer 50.100.200.123 ike-group 'ike_group'
set vpn ipsec site-to-site peer 50.100.200.123 ikev2-reauth 'inherit'
# Single tunnel: only this instance's /32 to the vendor server's /32 is
# selected for encryption; everything the other instances send is first
# masqueraded to 10.32.64.10 by rule 100 so it matches the local prefix.
set vpn ipsec site-to-site peer 50.100.200.123 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 50.100.200.123 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 50.100.200.123 tunnel 1 esp-group 'esp_group'
set vpn ipsec site-to-site peer 50.100.200.123 tunnel 1 local prefix '10.32.64.10/32'
set vpn ipsec site-to-site peer 50.100.200.123 tunnel 1 protocol 'all'
set vpn ipsec site-to-site peer 50.100.200.123 tunnel 1 remote prefix '192.168.168.20/32'

Example Vendor Firewall Configuration

This example is from a Cisco ASA 5505.

! Vendor-side ASA. Ethernet0/0 is the outside uplink (VLAN 2); inside is
! 192.168.168.0/24 on Vlan1, outside is 50.100.200.123 on Vlan2.
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.168.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.100.200.123 255.255.255.128
!
! srv-inside is the one vendor host allowed across the tunnel; srv-amzn is
! the VyOS instance's private IP (the only address the vendor sees, because
! VyOS masquerades the other instances behind it).
object network inside
 subnet 192.168.168.0 255.255.255.0
object network srv-inside
 host 192.168.168.20
object network srv-amzn
 host 10.32.64.10
! NOTE(review): this ACL permits every IP protocol from 3.200.100.50 to the
! outside interface. IKE/IPsec only needs udp/500, udp/4500 (NAT-T) and ESP;
! narrowing the ACL to those limits what the remote public IP can reach.
! 3.200.100.50 is presumably the public IP fronting the VyOS instance —
! verify against the AWS side.
access-list outside extended permit ip host 3.200.100.50 interface outside
! Crypto ACL: only srv-inside <-> srv-amzn is interesting traffic.
access-list srv-amzn extended permit ip object srv-inside object srv-amzn
! Identity (twice) NAT so srv-inside keeps its real address toward srv-amzn;
! as a manual NAT rule it is evaluated before the object NAT below, which
! would otherwise PAT the host to the outside interface address.
nat (inside,outside) source static srv-inside srv-inside destination static srv-amzn srv-amzn
!
object network inside
 nat (inside,outside) dynamic interface
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 50.100.200.1 1
! Phase 2: esp-aes / esp-sha-hmac matches the VyOS esp-group (aes128, sha1).
! clear-df lets the ASA fragment encrypted packets that carry the DF bit.
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
! NOTE(review): 'answer-only' means this side never initiates. The VyOS
! example is also passive (connection-type 'respond'), so as written no peer
! starts the tunnel; use 'originate-only' or 'bidirectional' here, or set the
! VyOS side to initiate. 'set pfs' with no group defaults to group 2, which
! matches the VyOS ike-group.
crypto map amzn_vpn_map 1 match address srv-amzn
crypto map amzn_vpn_map 1 set pfs
crypto map amzn_vpn_map 1 set connection-type answer-only
crypto map amzn_vpn_map 1 set peer 3.200.100.50
crypto map amzn_vpn_map 1 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map 1 set security-association lifetime seconds 3600
crypto map amzn_vpn_map interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
! Phase 1: matches the VyOS ike-group (IKEv1 main mode, aes128, sha1,
! group 2, 28800 s). group 2 (1024-bit MODP) and SHA-1 are legacy; prefer a
! larger DH group and SHA-2 if both devices support them.
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800

! The pre-shared key below is the example value printed on this page (and in
! the VyOS example); replace it with a long, randomly generated secret and
! keep the real value out of shared documentation.
tunnel-group 3.200.100.50 type ipsec-l2l
tunnel-group 3.200.100.50 ipsec-attributes
 ikev1 pre-shared-key 5kmw5kybhqnxasgqbuk3
!
policy-map global_policy
 class inspection_default
  inspect icmp