We recently changed our firewall from a Sonicwall 3060 to a Meraki MX100. After changing, we discovered that our work for one customer relied on a site-to-site VPN to their network with outbound NAT translation. Meraki devices do not support such a configuration (we've been told that many times directly from Meraki), so we had to set up an alternative solution. We managed to configure an IPsec site-to-site VPN in an AWS EC2 instance running VyOS with an elastic IP. We successfully configured the site-to-site VPN on the VyOS and are able to access the customer's network from within the VyOS instance. Now we are trying to configure OpenVPN on the VyOS instance so that we can route traffic from our computers to the customer's network. We also (briefly) attempted an L2TP configuration, and also considered configuring a second site-to-site VPN connection between our Meraki and VyOS, but it hasn't worked yet.
We are able to connect with OpenVPN with the configuration below, but it is not routing any traffic across the site-to-site VPN into the client network.
This question is very similar to ours, but obviously we went with VyOS instead of pfSense, and I'm not sure I understand the answer: http://list.pfsense.narkive.com/tPjZJv5R/route-openvpn-traffic-to-the-available-ipsec-tunnels
Lastly, the one thing I haven't been able to find anywhere about this topic -- what configuration is needed to support this? We are building our VPN from scratch -- we only want it to accept traffic from clients via OpenVPN and route it to our customer's network via IPsec. Do we need it to hand out addresses? Act as a gateway? What configuration is needed for that? I've only found resources which explain the IPsec or the OpenVPN configuration -- nothing explains the baseline of what needs to be in place for those to communicate.
OpenVPN config on VyOS:
openvpn vtun0 {
    mode server
    openvpn-option "--proto udp"
    openvpn-option "--ifconfig-pool-persist ipp.txt"
    openvpn-option "--keepalive 10 120"
    openvpn-option "--comp-lzo yes"
    openvpn-option "--user nobody --group nogroup"
    openvpn-option "--persist-key --persist-tun"
    openvpn-option "--status openvpn-status.log"
    openvpn-option "--verb 3"
    openvpn-option "--mute 10"
    openvpn-option "--port 1194"
    openvpn-option "--client-to-client"
    openvpn-option "--verb 1"
    server {
        push-route 172.31.46.111/32 # private IP of device
        push-route 123.123.78.123/32 # fake public IP of a destination server. We have 30 more IPs and ranges we want to reach
        subnet 192.168.200.0/24
    }
    tls {
        ca-cert-file /config/auth/ca.crt
        cert-file /config/auth/js-server.crt
        dh-file /config/auth/dh2048.pem
        key-file /config/auth/js-server.key
    }
}
And the site-to-site VPN tunnel (this works from within the VyOS installation):
vpn {
    ipsec {
        esp-group the-esp {
            compression disable
            lifetime 3600
            mode tunnel
            pfs disable
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group the-ike {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption 3des
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 123.123.123.8 {
                authentication {
                    id 123.123.123.207 # public IP of the vyos -- differs from local address due to AWS elastic IPs
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id 123.123.123.8
                }
                connection-type initiate
                default-esp-group the-esp
                ike-group the-ike
                ikev2-reauth inherit
                local-address 172.31.46.111 # private IP of Vyos installation
                tunnel 1 {
                    local {
                        prefix 123.123.123.129/32 # we are using outbound nat translation to send that as our IP to all destinations.
                    }
                    remote {
                        prefix 123.123.78.123/32 # fake IP of destination from the above openVPN config
                    }
                }
                # and then we have 29 more tunnels for the different routes
            }
        }
    }
}
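The piece that links the two configs above, as an added example that is not part of the original post: a policy-based IPsec tunnel only encrypts packets whose source and destination match a tunnel's local/remote prefixes, so OpenVPN client traffic (source 192.168.200.0/24) never matches tunnel 1 (local 123.123.123.129/32) and is sent out eth0 unencrypted. Source-NATing the client subnet to the tunnel's local prefix fixes that. This assumes VyOS 1.1-style `set` syntax and the addresses quoted in the question; rule number 100 is an arbitrary choice.

```text
# Added example (assumed VyOS 1.1 "set" syntax); not from the original post.
# One rule per destination prefix: repeat with the remote prefix of each of the
# other 29 tunnels, or widen "destination address" where tunnels share a range.
set nat source rule 100 description 'OpenVPN clients -> customer via IPsec tunnel 1'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.200.0/24'
set nat source rule 100 destination address '123.123.78.123/32'
set nat source rule 100 translation address '123.123.123.129'
commit
save

# Why this is enough: Linux NAT runs before the IPsec policy lookup is redone, so the
# translated packet (123.123.123.129 -> 123.123.78.123) now matches tunnel 1 and is
# encrypted. The pushed route 123.123.78.123/32 already sends client traffic into
# vtun0, and VyOS forwards between interfaces by default, so no extra gateway or
# address handout is needed beyond the OpenVPN "subnet" already configured.

# Verification from the VyOS operational mode while a client pings 123.123.78.123:
show vpn ipsec sa            # bytes/packets on tunnel 1 should increase
show nat source translations # should list 192.168.200.x -> 123.123.123.129
```

If the OpenVPN client can reach 123.123.78.123 but the customer sees the wrong source, check that no earlier, broader source-NAT rule (the one already used for the VyOS's own traffic) matches the 192.168.200.0/24 packets first; rules are evaluated in numeric order.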