
site-to-site ipsec issue
Closed, InvalidPublic

Description

Hello, while trying to set up a site-to-site IPsec tunnel, I ran into an issue with the tunnel configuration.
One of the uncommon things about this tunnel is that the peer IP address is equal to the remote prefix address.
For example:

set vpn ipsec esp-group ESP-AES128-SHA1-PFS compression 'disable'
set vpn ipsec esp-group ESP-AES128-SHA1-PFS lifetime '86400'
set vpn ipsec esp-group ESP-AES128-SHA1-PFS mode 'tunnel'
set vpn ipsec esp-group ESP-AES128-SHA1-PFS pfs 'dh-group2'
set vpn ipsec esp-group ESP-AES128-SHA1-PFS proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-AES128-SHA1-PFS proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-AES128-SHA1 lifetime '28800'
set vpn ipsec ike-group IKE-AES128-SHA1 proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-AES128-SHA1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-AES128-SHA1 proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer REMOTEIP authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer REMOTEIP authentication pre-shared-secret 'SECRET'
set vpn ipsec site-to-site peer REMOTEIP connection-type 'initiate'
set vpn ipsec site-to-site peer REMOTEIP description 'SITE-TO-SITE TUNNEL'
set vpn ipsec site-to-site peer REMOTEIP ike-group 'IKE-AES128-SHA1'
set vpn ipsec site-to-site peer REMOTEIP local-address 'LOCALIP'
set vpn ipsec site-to-site peer REMOTEIP tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer REMOTEIP tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer REMOTEIP tunnel 1 esp-group 'ESP-AES128-SHA1-PFS'
set vpn ipsec site-to-site peer REMOTEIP tunnel 1 local prefix 'LOCALPREFIX/32'
set vpn ipsec site-to-site peer REMOTEIP tunnel 1 remote prefix 'REMOTEIP/32'

After applying this config, a kernel route towards REMOTEIP appears in the routing table and the VPN tunnel does not establish.
Once I delete that kernel route, the tunnel comes up. How can we configure this type of tunnel? The remote end is not VyOS, and there is no way to make REMOTEIP and the remote prefix different.
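As an added example (not VyOS code, and not part of the original report), here is a small Python check that parses the `set vpn ipsec site-to-site ...` lines and flags any tunnel whose remote prefix covers the peer address, which is the overlap this report describes. It goes beyond the report by also checking the local side (a local prefix that covers the local-address). The sample configuration is constructed from the post's own commands with the REMOTEIP, LOCALIP and LOCALPREFIX placeholders replaced by RFC 5737 documentation addresses, plus a second, non-overlapping peer for contrast. The check only detects the condition; it does not change how VyOS or strongSwan installs routes.

```python
import ipaddress
import re

# Constructed sample: the post's configuration with the placeholders replaced
# by RFC 5737 documentation addresses, plus a second peer that does not overlap.
SAMPLE_CONFIG = """
set vpn ipsec site-to-site peer 203.0.113.10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.10 connection-type 'initiate'
set vpn ipsec site-to-site peer 203.0.113.10 local-address '198.51.100.5'
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 esp-group 'ESP-AES128-SHA1-PFS'
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 local prefix '198.51.100.5/32'
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 remote prefix '203.0.113.10/32'
set vpn ipsec site-to-site peer 203.0.113.20 local-address '198.51.100.5'
set vpn ipsec site-to-site peer 203.0.113.20 tunnel 1 local prefix '10.1.0.0/24'
set vpn ipsec site-to-site peer 203.0.113.20 tunnel 1 remote prefix '10.2.0.0/24'
"""

# Only the parts of the VyOS 1.1 command syntax that matter for this check.
PEER_RE = re.compile(r"^set vpn ipsec site-to-site peer (\S+) (.*)$")
TUNNEL_RE = re.compile(r"^tunnel (\d+) (local|remote) prefix '?([^']+)'?$")
LOCAL_ADDR_RE = re.compile(r"^local-address '?([^']+)'?$")


def parse_peers(config_text):
    """Collect, per peer, its local-address and each tunnel's local/remote prefix.

    Returns {peer: {"local_address": str|None, "tunnels": {n: {"local": p, "remote": p}}}}.
    """
    peers = {}
    for raw in config_text.splitlines():
        m = PEER_RE.match(raw.strip())
        if not m:
            continue
        peer, rest = m.groups()
        entry = peers.setdefault(peer, {"local_address": None, "tunnels": {}})
        la = LOCAL_ADDR_RE.match(rest)
        if la:
            entry["local_address"] = la.group(1)
            continue
        t = TUNNEL_RE.match(rest)
        if t:
            num, side, prefix = t.groups()
            entry["tunnels"].setdefault(int(num), {})[side] = prefix
    return peers


def find_overlaps(config_text):
    """Return (peer, tunnel, side, endpoint, prefix) for every tunnel whose
    traffic selector on that side covers the IKE endpoint on that side."""
    findings = []
    for peer, entry in parse_peers(config_text).items():
        try:
            peer_addr = ipaddress.ip_address(peer)
        except ValueError:
            continue  # peer given as hostname or ID, not an address: nothing to compare
        local_addr = None
        if entry["local_address"]:
            local_addr = ipaddress.ip_address(entry["local_address"])
        for num, sides in sorted(entry["tunnels"].items()):
            if "remote" in sides:
                remote_net = ipaddress.ip_network(sides["remote"], strict=False)
                if peer_addr in remote_net:
                    findings.append((peer, num, "remote", str(peer_addr), sides["remote"]))
            if local_addr is not None and "local" in sides:
                local_net = ipaddress.ip_network(sides["local"], strict=False)
                if local_addr in local_net:
                    findings.append((peer, num, "local", str(local_addr), sides["local"]))
    return findings


if __name__ == "__main__":
    for peer, num, side, endpoint, prefix in find_overlaps(SAMPLE_CONFIG):
        print(f"peer {peer} tunnel {num}: {side} prefix {prefix} covers {side} endpoint {endpoint}")
```

Run against the sample, the first peer is reported on both sides (its remote prefix is the peer address itself and its local prefix is the local-address itself), while the second peer, whose prefixes are private networks behind each gateway, produces no finding. Feeding it a real `show configuration commands` dump is the intended use.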

Details

Difficulty level
Normal (likely a few hours)
Version
1.1.7

Event Timeline

syncer triaged this task as Low priority.
syncer added a subscriber: syncer.

Hello,
this should be created as a question, not as a task.
Closing as invalid.