VyOS 1.1.7
LAN --- VR1 (VyOS, public address 100.100.0.1) ---- INTERNET ---- ROUTER (NAT gateway) ---- VR2 (VyOS, behind NAT, local-address any) --- LAN
<------------------------ IPsec site-to-site tunnel (IKEv1 main mode, PSK, NAT-T) ------------------------>
VR1 config (public side). Note: as pasted, the peer address (100.100.0.1) is identical to VR1's own local-address, while the log below refers to "peer-100.100.0.2"; the peer entry is presumably meant to be 100.100.0.2 (the NAT gateway's public address), so double-check the transcription before comparing the two ends.
[code]
set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '1800'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'dh-group5'
set vpn ipsec esp-group ESP proposal 1 encryption '3des'
set vpn ipsec esp-group ESP proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '3600'
set vpn ipsec ike-group IKE proposal 1 dh-group '5'
set vpn ipsec ike-group IKE proposal 1 encryption '3des'
set vpn ipsec ike-group IKE proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 100.100.0.1 authentication id '@vyos'
set vpn ipsec site-to-site peer 100.100.0.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 100.100.0.1 authentication pre-shared-secret '1234'
set vpn ipsec site-to-site peer 100.100.0.1 authentication remote-id '@vyos'
set vpn ipsec site-to-site peer 100.100.0.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 100.100.0.1 description 'VR1-TO-VR2-VPN'
set vpn ipsec site-to-site peer 100.100.0.1 ike-group 'IKE'
set vpn ipsec site-to-site peer 100.100.0.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 100.100.0.1 local-address '100.100.0.1'
set vpn ipsec site-to-site peer 100.100.0.1 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 100.100.0.1 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 100.100.0.1 tunnel 0 esp-group 'ESP'
set vpn ipsec site-to-site peer 100.100.0.1 tunnel 0 local prefix '192.168.56.0/24'
set vpn ipsec site-to-site peer 100.100.0.1 tunnel 0 remote prefix '192.168.1.0/24'
[/code]
VR2 config (behind the NAT gateway; the peer is referenced by its ID '@vyos' rather than by address, and local-address is 'any'). This side has no explicit key-exchange setting in the ike-group, so it relies on the default.
[code]
vpn {
ipsec {
esp-group ESP {
compression disable
lifetime 1800
mode tunnel
pfs dh-group5
proposal 1 {
encryption 3des
hash sha1
}
}
ike-group IKE {
lifetime 3600
proposal 1 {
dh-group 5
encryption 3des
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer @vyos {
authentication {
id @vyos
mode pre-shared-secret
pre-shared-secret 1234
remote-id @vyos
}
connection-type initiate
ike-group IKE
local-address any
tunnel 1 {
esp-group ESP
local {
prefix 192.168.1.0/24
}
remote {
prefix 192.168.56.0/24
}
}
}
}
}
}
[/code]
Log (pluto, after a commit). The connection name "peer-100.100.0.2-tunnel-0", the "initiating Main Mode" line and the "peer is NATed" result indicate this was captured on VR1, which is acting as the initiator.
[code]
May 31 19:32:32 vRouter pluto[2561]: forgetting secrets
May 31 19:32:32 vRouter pluto[2561]: loading secrets from "/etc/ipsec.secrets"
May 31 19:32:32 vRouter pluto[2561]: loaded PSK secret for 100.100.0.1 100.100.0.2 vyos vyos
May 31 19:32:32 vRouter pluto[2561]: loading secrets from "/etc/dmvpn.secrets"
May 31 19:32:32 vRouter pluto[2561]: Changing to directory '/etc/ipsec.d/crls'
May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0": deleting connection
May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #26: deleting state (STATE_MAIN_I3)
May 31 19:32:32 vRouter pluto[2561]: forgetting secrets
May 31 19:32:32 vRouter pluto[2561]: loading secrets from "/etc/ipsec.secrets"
May 31 19:32:32 vRouter pluto[2561]: loaded PSK secret for 100.100.0.1 100.100.0.2 vyos vyos
May 31 19:32:32 vRouter pluto[2561]: loading secrets from "/etc/dmvpn.secrets"
May 31 19:32:32 vRouter pluto[2561]: Changing to directory '/etc/ipsec.d/crls'
May 31 19:32:32 vRouter pluto[2561]: added connection description "peer-100.100.0.2-tunnel-0"
May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: initiating Main Mode
May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: received Vendor ID payload [strongSwan]
May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: ignoring Vendor ID payload [Cisco-Unity]
May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: received Vendor ID payload [XAUTH]
May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: received Vendor ID payload [Dead Peer Detection]
May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: received Vendor ID payload [RFC 3947]
May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: enabling possible NAT-traversal with method 3
May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: NAT-Traversal: Result using RFC 3947: peer is NATed
May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: next payload type of ISAKMP Hash Payload has an unknown value: 62
May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: malformed payload in packet
May 31 19:32:42 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: discarding duplicate packet; already STATE_MAIN_I3
May 31 19:32:42 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: next payload type of ISAKMP Hash Payload has an unknown value: 44
May 31 19:32:42 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: malformed payload in packet
[/code]
`show vpn ipsec sa` always shows the tunnel down. Why? Is this a bug?
When we remove `nat-traversal enable` on the router behind the NAT device, the tunnel comes up, but ping and traceroute across it fail.
After re-entering `set vpn ipsec ike-group IKE key-exchange 'ikev1'`, ping and traceroute work.
Points worth checking before treating this as a bug: (1) the "next payload type of ISAKMP Hash Payload has an unknown value ... malformed payload" messages appear right after the NAT-T detection, which is typically what pluto logs when the peer's encrypted Main Mode message does not decrypt to a sane payload — most often a pre-shared-secret or identity mismatch rather than a parser fault; confirm both ends have byte-identical secrets and that the IDs match (both ends are configured with '@vyos' as both local id and remote-id, which is ambiguous; distinct IDs such as @vr1/@vr2 make the match unambiguous). (2) Both ends are `connection-type initiate`; when one end sits behind NAT and is only known by ID, the non-NATed end is normally set to `respond` and only the NATed end initiates. (3) The posted settings — 3DES, SHA-1, DH group 5 and a pre-shared-secret of '1234' — are lab-only; for anything exposed to the Internet use AES-256 (or AES-GCM) with SHA-256, DH group 14 or higher, a long random PSK, and IKEv2 where both ends support it.