Details
Details
VyOS is behind 1:1 nat that maps too 195.254.168.253.
monitor vpn ipsec:
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #1: ignoring informational payload, type INVALID_ID_INFORMATION
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #1: discarding duplicate packet; already STATE_MAIN_I3 VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #1: byte 2 of ISAKMP Hash Payload must be zero, but is not VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #1: malformed payload in packet VPN-IPSEC: packet from 91.144.247.168:500: received Vendor ID payload [strongSwan] VPN-IPSEC: packet from 91.144.247.168:500: ignoring Vendor ID payload [Cisco-Unity] VPN-IPSEC: packet from 91.144.247.168:500: received Vendor ID payload [XAUTH] VPN-IPSEC: packet from 91.144.247.168:500: received Vendor ID payload [Dead Peer Detection] VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #2: responding to Main Mode VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #2: Peer ID is ID_IPV4_ADDR: '91.144.247.168' VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #2: sent MR3, ISAKMP SA established VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #2: ignoring informational payload, type INVALID_ID_INFORMATION
interfaces {
ethernet eth0 {
duplex auto
hw-id 40:61:86:32:ed:fb
smp_affinity auto
speed auto
vif 12 {
address 192.168.68.1/24
}
vif 30 {
address 10.67.145.3/21
}
}
loopback lo {
}}
nat {
destination {
rule 23 {
description "Port Forward: IRC to 192.168.68.69"
destination {
port 6667
}
inbound-interface eth0.30
protocol tcp
translation {
address 192.168.68.69
}
}
rule 98 {
description "Port Forward: HTTP to 192.168.68.69"
destination {
port 80
}
inbound-interface eth0.30
protocol tcp
translation {
address 192.168.68.69
}
}
}
source {
rule 100 {
outbound-interface eth0.30
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
}}
protocols {
static {
route 0.0.0.0/0 {
next-hop 10.67.144.1 {
}
}
}}
service {
ssh {
port 22
}}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
host-name vyos
login {
user vyos {
authentication {
encrypted-password
plaintext-password ""
}
level admin
}
}
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
package {
auto-sync 1
repository community {
components main
distribution helium
password ""
url http://packages.vyos.net/vyos
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC}
vpn {
ipsec {
esp-group office-srv-esp {
compression disable
lifetime 1800
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group office-srv-ike {
ikev2-reauth no
key-exchange ikev1
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0.30
}
site-to-site {
peer 91.144.247.168 {
authentication {
mode pre-shared-secret
pre-shared-secret -----
}
connection-type initiate
ike-group office-srv-ike
ikev2-reauth inherit
local-address any
tunnel 0 {
allow-nat-networks disable
allow-public-networks disable
esp-group office-srv-esp
local {
prefix 192.168.68.0/24
}
remote {
prefix 192.168.1.0/24
}
}
}
mode pre-shared-secret
pre-shared-secret R4ndersVPNS1lkeborg
}
connection-type initiate
ike-group office-srv-ike
ikev2-reauth inherit
local-address any
tunnel 0 {
allow-nat-networks disable
allow-public-networks disable
esp-group office-srv-esp
local {
prefix 192.168.68.0/24
}
remote {
prefix 192.168.1.0/24
}
}
}
}
}}
Answers
Answers
Is it 1.1.7 or the beta?
Anyway, things I would try: 1. force it to IKEv1, which is fully supported now, while v2 has known problems. 2. Specify 'authentication id' (e.g. 'authentcation id @natedpeed') on the NATed side and make IPsec id-based instead of IP-based, as in 'vpn ipsec site-to-site peer @natedpeer ...').
1:1 NAT (or NAT in general) is known to cause problems in IP-based setups because IPsec expects that what's written in the source address matches what's in the IPsec exchange.
New Answer
New Answer