Details
VyOS is behind 1:1 NAT that maps to 195.254.168.253.
monitor vpn ipsec:
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #1: ignoring informational payload, type INVALID_ID_INFORMATION
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #1: discarding duplicate packet; already STATE_MAIN_I3
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #1: byte 2 of ISAKMP Hash Payload must be zero, but is not
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #1: malformed payload in packet
VPN-IPSEC: packet from 91.144.247.168:500: received Vendor ID payload [strongSwan]
VPN-IPSEC: packet from 91.144.247.168:500: ignoring Vendor ID payload [Cisco-Unity]
VPN-IPSEC: packet from 91.144.247.168:500: received Vendor ID payload [XAUTH]
VPN-IPSEC: packet from 91.144.247.168:500: received Vendor ID payload [Dead Peer Detection]
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #2: responding to Main Mode
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #2: Peer ID is ID_IPV4_ADDR: '91.144.247.168'
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #2: sent MR3, ISAKMP SA established
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #2: ignoring informational payload, type INVALID_ID_INFORMATION
interfaces {
    ethernet eth0 {
        duplex auto
        hw-id 40:61:86:32:ed:fb
        smp_affinity auto
        speed auto
        vif 12 {
            address 192.168.68.1/24
        }
        vif 30 {
            address 10.67.145.3/21
        }
    }
    loopback lo {
    }
}
nat {
    destination {
        rule 23 {
            description "Port Forward: IRC to 192.168.68.69"
            destination {
                port 6667
            }
            inbound-interface eth0.30
            protocol tcp
            translation {
                address 192.168.68.69
            }
        }
        rule 98 {
            description "Port Forward: HTTP to 192.168.68.69"
            destination {
                port 80
            }
            inbound-interface eth0.30
            protocol tcp
            translation {
                address 192.168.68.69
            }
        }
    }
    source {
        rule 100 {
            outbound-interface eth0.30
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 10.67.144.1 {
            }
        }
    }
}
service {
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password
                plaintext-password ""
            }
            level admin
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password ""
            url http://packages.vyos.net/vyos
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        esp-group office-srv-esp {
            compression disable
            lifetime 1800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group office-srv-ike {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 3600
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0.30
        }
        site-to-site {
            peer 91.144.247.168 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret -----
                }
                connection-type initiate
                ike-group office-srv-ike
                ikev2-reauth inherit
                local-address any
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group office-srv-esp
                    local {
                        prefix 192.168.68.0/24
                    }
                    remote {
                        prefix 192.168.1.0/24
                    }
                }
            }
        }
    }
}
Answers
Is it 1.1.7 or the beta?
Anyway, things I would try:
1. Force it to IKEv1, which is fully supported now, while v2 has known problems.
2. Specify 'authentication id' (e.g. 'authentication id @natedpeer') on the NATed side and make IPsec id-based instead of IP-based, as in 'vpn ipsec site-to-site peer @natedpeer ...'.
1:1 NAT (or NAT in general) is known to cause problems in IP-based setups because IPsec expects that what's written in the source address matches what's in the IPsec exchange.
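A VyOS 1.1.x configuration fragment that applies the second suggestion to the poster's setup, added here as an example (it is not the answerer's text or a VyOS project sample): the peer is still keyed by the remote end's real public address, IKEv1 stays forced in the IKE group, and the NATed VyOS side now announces the explicit identity @natedpeer instead of the post-NAT address, so the ID the strongSwan peer checks no longer depends on what the 1:1 NAT puts in the source address. The id name @natedpeer is the answer's own placeholder, the pre-shared secret is a placeholder, and the remaining values (peer 91.144.247.168, eth0.30, the two prefixes, the group names) come from the posted config.

```vyos
vpn {
    ipsec {
        ike-group office-srv-ike {
            /* IKEv1 forced, as the answer recommends; IKEv2 left out entirely */
            key-exchange ikev1
            lifetime 3600
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0.30
        }
        site-to-site {
            /* remote end has a real public address, so it can stay the peer key */
            peer 91.144.247.168 {
                authentication {
                    /* identity sent by the NATed side (name from the answer, placeholder) */
                    id @natedpeer
                    mode pre-shared-secret
                    /* placeholder: replace with the shared secret agreed with the remote */
                    pre-shared-secret <pre-shared-secret>
                }
                connection-type initiate
                ike-group office-srv-ike
                ikev2-reauth inherit
                local-address any
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group office-srv-esp
                    local {
                        prefix 192.168.68.0/24
                    }
                    remote {
                        prefix 192.168.1.0/24
                    }
                }
            }
        }
    }
}
```

The remote end must be told to expect that identity; the vendor IDs in the log show it is strongSwan, where the matching ipsec.conf setting on its side is rightid=@natedpeer. Because this is still IKEv1 Main Mode with a pre-shared key, the strongSwan side selects the PSK by the source address it sees, i.e. the 1:1 NAT address 195.254.168.253, before it learns the ID, so that mapping has to stay static. After commit, show vpn ike sa and show vpn ipsec sa should report the SA as up, and the INVALID_ID_INFORMATION lines should stop appearing in monitor vpn ipsec; if they persist, the mismatch is in what each side expects as the other's ID rather than in the phase 1 proposal.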