
ipsec vpn / nat
Closed, Resolved · Public

Asked by ziftex on Jun 1 2016, 7:48 PM.

Details

VyOS is behind a 1:1 NAT that maps it to 195.254.168.253.

monitor vpn ipsec:
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #1: ignoring informational payload, type INVALID_ID_INFORMATION

VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #1: discarding duplicate packet; already STATE_MAIN_I3
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #1: byte 2 of ISAKMP Hash Payload must be zero, but is not
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #1: malformed payload in packet
VPN-IPSEC: packet from 91.144.247.168:500: received Vendor ID payload [strongSwan]
VPN-IPSEC: packet from 91.144.247.168:500: ignoring Vendor ID payload [Cisco-Unity]
VPN-IPSEC: packet from 91.144.247.168:500: received Vendor ID payload [XAUTH]
VPN-IPSEC: packet from 91.144.247.168:500: received Vendor ID payload [Dead Peer Detection]
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #2: responding to Main Mode
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #2: Peer ID is ID_IPV4_ADDR: '91.144.247.168'
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #2: sent MR3, ISAKMP SA established
VPN-IPSEC: "peer-91.144.247.168-tunnel-0" #2: ignoring informational payload, type INVALID_ID_INFORMATION

interfaces {

ethernet eth0 {
    duplex auto
    hw-id 40:61:86:32:ed:fb
    smp_affinity auto
    speed auto
    vif 12 {
        address 192.168.68.1/24
    }
    vif 30 {
        address 10.67.145.3/21
    }
}
loopback lo {
}

}
nat {

destination {
    rule 23 {
        description "Port Forward: IRC to 192.168.68.69"
        destination {
            port 6667
        }
        inbound-interface eth0.30
        protocol tcp
        translation {
            address 192.168.68.69
        }
    }
    rule 98 {
        description "Port Forward: HTTP to 192.168.68.69"
        destination {
            port 80
        }
        inbound-interface eth0.30
        protocol tcp
        translation {
            address 192.168.68.69
        }
    }
}
source {
    rule 100 {
        outbound-interface eth0.30
        source {
            address 192.168.68.0/24
        }
        translation {
            address masquerade
        }
    }
}

}
protocols {

static {
    route 0.0.0.0/0 {
        next-hop 10.67.144.1 {
        }
    }
}

}
service {

ssh {
    port 22
}

}
system {

config-management {
    commit-revisions 20
}
console {
    device ttyS0 {
        speed 9600
    }
}
host-name vyos
login {
    user vyos {
        authentication {
            encrypted-password 
            plaintext-password ""
        }
        level admin
    }
}
ntp {
    server 0.pool.ntp.org {
    }
    server 1.pool.ntp.org {
    }
    server 2.pool.ntp.org {
    }
}
package {
    auto-sync 1
    repository community {
        components main
        distribution helium
        password ""
        url http://packages.vyos.net/vyos
        username ""
    }
}
syslog {
    global {
        facility all {
            level notice
        }
        facility protocols {
            level debug
        }
    }
}
time-zone UTC

}
vpn {

ipsec {
    esp-group office-srv-esp {
        compression disable
        lifetime 1800
        mode tunnel
        pfs enable
        proposal 1 {
            encryption aes256
            hash sha1
        }
    }
    ike-group office-srv-ike {
        ikev2-reauth no
        key-exchange ikev1
        lifetime 3600
        proposal 1 {
            encryption aes256
            hash sha1
        }
    }
    ipsec-interfaces {
        interface eth0.30
    }
    site-to-site {
        peer 91.144.247.168 {
            authentication {
                mode pre-shared-secret
                pre-shared-secret -----
            }
            connection-type initiate
            ike-group office-srv-ike
            ikev2-reauth inherit
            local-address any
            tunnel 0 {
                allow-nat-networks disable
                allow-public-networks disable
                esp-group office-srv-esp
                local {
                    prefix 192.168.68.0/24
                }
                remote {
                    prefix 192.168.1.0/24
                }
            }
        }
                mode pre-shared-secret
                pre-shared-secret R4ndersVPNS1lkeborg
            }
            connection-type initiate
            ike-group office-srv-ike
            ikev2-reauth inherit
            local-address any
            tunnel 0 {
                allow-nat-networks disable
                allow-public-networks disable
                esp-group office-srv-esp
                local {
                    prefix 192.168.68.0/24
                }
                remote {
                    prefix 192.168.1.0/24
                }
            }
        }
    }
}

}

Answers

dmbaturin
Updated 1,269 Days Ago

Is it 1.1.7 or the beta?

Anyway, things I would try: 1. force it to IKEv1, which is fully supported now, while v2 has known problems. 2. Specify 'authentication id' (e.g. 'authentication id @natedpeer') on the NATed side and make the IPsec peer id-based instead of IP-based, as in 'vpn ipsec site-to-site peer @natedpeer ...'.

1:1 NAT (or NAT in general) is known to cause problems in IP-based setups, because IPsec expects the packet's source address to match the identity presented in the IPsec exchange; behind NAT the two differ, so an address-based peer identity fails to match.

ziftex
Updated 1,269 Days Ago

VyOS 1.1.7 (helium)
Built on: Wed Feb 17 09:57:31 UTC 2016
Build ID: 1602170957-4459750

I will try that and return tomorrow :)
