
VyOS 1.2 does not work with AWS VPN gateway, but some configuration works fine on VyOS 1.1.8
Status: Closed, Wontfix (Public, BUG)

Description

The AWS VPN gateway configuration works fine on VyOS 1.1.8 but does not work with VyOS 1.2.

On VyOS 1.2 the IPsec tunnel is always down:

vyos@home:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
x.x.x.x                           192.168.1.51

    Description: VPC tunnel 1

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv1   aes128   sha1_96 2(MODP_1024)   no     3600    28800


vyos@home:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
x.x.x.x                            192.168.1.51

    Description: VPC tunnel 1

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    vti     down   40.0/60.0      aes128   sha1_96/modp_1024 no     -2640           all

VPN configuration:

vyos@home# show vpn
 ipsec {
     esp-group AWS {
         compression disable
         lifetime 3600
         mode tunnel
         pfs enable
         proposal 1 {
             encryption aes128
             hash sha1
         }
     }
     ike-group AWS {
         dead-peer-detection {
             action restart
             interval 15
             timeout 30
         }
         lifetime 28800
         proposal 1 {
             dh-group 2
             encryption aes128
             hash sha1
         }
     }
     ipsec-interfaces {
         interface eth0
     }
     nat-networks {
         allowed-network 0.0.0.0/0 {
         }
     }
     nat-traversal enable
     site-to-site {
         peer x.x.x.x {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret secret
             }
             description "VPC tunnel 1"
             ike-group AWS
             local-address 192.168.1.51
             vti {
                 bind vti0
                 esp-group AWS
             }
         }
     }
 }

/var/log/messages sample:

Aug 17 19:04:50 home charon: 16[ENC] generating INFORMATIONAL_V1 request 4210105309 [ HASH N(DPD_ACK) ]
Aug 17 19:04:50 home charon: 16[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:05:00 home charon: 11[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:05:00 home charon: 11[ENC] parsed INFORMATIONAL_V1 request 3467971564 [ HASH N(DPD) ]
Aug 17 19:05:00 home charon: 11[ENC] generating INFORMATIONAL_V1 request 1720754458 [ HASH N(DPD_ACK) ]
Aug 17 19:05:00 home charon: 11[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:05:10 home charon: 14[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:05:10 home charon: 14[ENC] parsed INFORMATIONAL_V1 request 1518925226 [ HASH N(DPD) ]
Aug 17 19:05:10 home charon: 14[ENC] generating INFORMATIONAL_V1 request 2392199914 [ HASH N(DPD_ACK) ]
Aug 17 19:05:10 home charon: 14[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:05:20 home charon: 13[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:05:20 home charon: 13[ENC] parsed INFORMATIONAL_V1 request 3474580426 [ HASH N(DPD) ]
Aug 17 19:05:20 home charon: 13[ENC] generating INFORMATIONAL_V1 request 1794201602 [ HASH N(DPD_ACK) ]
Aug 17 19:05:20 home charon: 13[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:05:31 home charon: 06[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:05:31 home charon: 06[ENC] parsed INFORMATIONAL_V1 request 3687709310 [ HASH N(DPD) ]
Aug 17 19:05:31 home charon: 06[ENC] generating INFORMATIONAL_V1 request 4260606570 [ HASH N(DPD_ACK) ]
Aug 17 19:05:31 home charon: 06[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:05:41 home charon: 15[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:05:41 home charon: 15[ENC] parsed INFORMATIONAL_V1 request 2633167795 [ HASH N(DPD) ]
Aug 17 19:05:41 home charon: 15[ENC] generating INFORMATIONAL_V1 request 3260501004 [ HASH N(DPD_ACK) ]
Aug 17 19:05:41 home charon: 15[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:05:52 home charon: 08[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:05:52 home charon: 08[ENC] parsed INFORMATIONAL_V1 request 3701430312 [ HASH N(DPD) ]
Aug 17 19:05:52 home charon: 08[ENC] generating INFORMATIONAL_V1 request 1159511259 [ HASH N(DPD_ACK) ]
Aug 17 19:05:52 home charon: 08[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:06:02 home charon: 16[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:06:02 home charon: 16[ENC] parsed INFORMATIONAL_V1 request 1080707478 [ HASH N(DPD) ]
Aug 17 19:06:02 home charon: 16[ENC] generating INFORMATIONAL_V1 request 4192344327 [ HASH N(DPD_ACK) ]
Aug 17 19:06:02 home charon: 16[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:06:12 home charon: 11[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:06:12 home charon: 11[ENC] parsed INFORMATIONAL_V1 request 3546085915 [ HASH N(DPD) ]
Aug 17 19:06:12 home charon: 11[ENC] generating INFORMATIONAL_V1 request 767929131 [ HASH N(DPD_ACK) ]
Aug 17 19:06:12 home charon: 11[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:06:23 home charon: 05[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:06:23 home charon: 05[ENC] parsed INFORMATIONAL_V1 request 2550324196 [ HASH N(DPD) ]
Aug 17 19:06:23 home charon: 05[ENC] generating INFORMATIONAL_V1 request 2494124315 [ HASH N(DPD_ACK) ]
Aug 17 19:06:23 home charon: 05[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:06:33 home charon: 12[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:06:33 home charon: 12[ENC] parsed INFORMATIONAL_V1 request 1162636955 [ HASH N(DPD) ]
Aug 17 19:06:33 home charon: 12[ENC] generating INFORMATIONAL_V1 request 2581462110 [ HASH N(DPD_ACK) ]
Aug 17 19:06:33 home charon: 12[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)

Details

Difficulty level: Unknown (require assessment)
Version: vyos-1.2.0-rolling+201806151501
Why the issue appeared? Will be filled on close
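As an added illustration (not from the report or from VyOS), the following Python reads charon log lines of the kind pasted above and flags peers that only exchange DPD keepalives without ever negotiating an IPsec SA, which is the "IKE SA up, IPsec SA down" state this report shows. The sample log is constructed; the peer 198.51.100.7 and its Quick Mode / CHILD_SA lines are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: two DPD cycles in the format of the report's log excerpt,
# plus a hypothetical healthy peer (198.51.100.7) that completes Quick Mode.
SAMPLE_LOG = """\
Aug 17 19:05:00 home charon: 11[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:05:00 home charon: 11[ENC] parsed INFORMATIONAL_V1 request 3467971564 [ HASH N(DPD) ]
Aug 17 19:05:10 home charon: 14[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:05:10 home charon: 14[ENC] parsed INFORMATIONAL_V1 request 1518925226 [ HASH N(DPD) ]
Aug 17 19:06:00 home charon: 09[NET] received packet: from 198.51.100.7[500] to 192.168.1.51[500] (300 bytes)
Aug 17 19:06:00 home charon: 09[ENC] parsed QUICK_MODE request 1234567 [ HASH SA No ID ID ]
Aug 17 19:06:00 home charon: 09[IKE] CHILD_SA peer-198.51.100.7-tunnel-vti{1} established with SPIs c1a2b3d4_i e5f60718_o
"""

NET_RX = re.compile(r"charon: (\d+)\[NET\] received packet: from ([\w.:]+)\[\d+\]")
ENC_PARSED = re.compile(r"charon: (\d+)\[ENC\] parsed (\w+) (?:request|response) \d+ \[ (.*?) \]")
CHILD_UP = re.compile(r"charon: (\d+)\[IKE\] CHILD_SA .* established")


def analyze(log_text):
    """Per-peer counters: DPD requests, non-DPD IKE exchanges, CHILD_SAs established.
    charon prints the peer address only on [NET] lines, so [ENC]/[IKE] lines are
    attributed to the peer last seen on the same worker-thread number."""
    thread_peer = {}
    stats = defaultdict(lambda: {"dpd": 0, "other_exchanges": 0, "child_sa": 0})
    for line in log_text.splitlines():
        m = NET_RX.search(line)
        if m:
            thread_peer[m.group(1)] = m.group(2)
            continue
        m = ENC_PARSED.search(line)
        if m and m.group(1) in thread_peer:
            peer, exchange, payloads = thread_peer[m.group(1)], m.group(2), m.group(3)
            if exchange.startswith("INFORMATIONAL") and "N(DPD)" in payloads:
                stats[peer]["dpd"] += 1          # liveness probe only, no IPsec SA work
            elif not exchange.startswith("INFORMATIONAL"):
                stats[peer]["other_exchanges"] += 1   # e.g. QUICK_MODE / CREATE_CHILD_SA
            continue
        m = CHILD_UP.search(line)
        if m and m.group(1) in thread_peer:
            stats[thread_peer[m.group(1)]]["child_sa"] += 1
    return dict(stats)


def dpd_only_peers(log_text, min_dpd=2):
    """Peers whose IKE SA stays alive via DPD but never get an IPsec SA."""
    return sorted(p for p, s in analyze(log_text).items()
                  if s["dpd"] >= min_dpd and s["other_exchanges"] == 0 and s["child_sa"] == 0)
```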

Event Timeline

We are using the "Double static NAT" life hack in AWS, so the IPsec protocols actually work without NAT,
and it is working well.

But there are a couple of stability issues when switching from 1.1.8 to 1.2 in the AWS environment, which I will report soon.
So a working connection goes down after several hours.

Could you please post the output of show interfaces?

syncer triaged this task as Normal priority.Sep 1 2018, 2:51 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc1); removed VyOS 1.2 Crux.
syncer added a subscriber: syncer.

@shadowyw, please retest with the latest rolling.

In T781#18637, @begetan wrote:

We are using the "Double static NAT" life hack in AWS, so the IPsec protocols actually work without NAT,
and it is working well.

But there are a couple of stability issues when switching from 1.1.8 to 1.2 in the AWS environment, which I will report soon.
So a working connection goes down after several hours.

Could you please post the output of show interfaces?

# show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.1.51/24                   u/u
eth1             10.10.0.1/24                      u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
vti0             169.254.10.14/30                  u/u  VPC tunnel 1
vti1             169.254.8.58/30                   u/u  VPC tunnel 2

In T781#18862, @syncer wrote:

@shadowyw, please retest with the latest rolling.

Same result on VyOS 1.2.0-rolling+201809030337.

But I see traffic counters.
Have you actually tried to pass traffic?

In T781#19265, @syncer wrote:

But I see traffic counters.
Have you actually tried to pass traffic?

Yes, I did try.
The thing is, there are 2 KVM guests on the same physical box, running 1.1.8 and 1.2 with the same VPN configuration: 1.1.8 works fine, but 1.2 does not.

syncer claimed this task.
syncer edited projects, added Rejected; removed VyOS 1.2 Crux (VyOS 1.2.0-EPA3).

Please retest with the latest rolling.
If the problem still persists, reopen.