Change Details

vyos 1.1.7 LAN --- VYOS ----INTERNET----ROUTER(NAT-GATEWAY)----VYOS--LAN <------------IPSEC VPN S2S TUNNEL -----------------> VR1 config [code] set vpn ipsec esp-group ESP compression 'disable' set vpn ipsec esp-group ESP lifetime '1800' set vpn ipsec esp-group ESP mode 'tunnel' set vpn ipsec esp-group ESP pfs 'dh-group5' set vpn ipsec esp-group ESP proposal 1 encryption '3des' set vpn ipsec esp-group ESP proposal 1 hash 'sha1' set vpn ipsec ike-group IKE ikev2-reauth 'no' set vpn ipsec ike-group IKE key-exchange 'ikev1' set vpn ipsec ike-group IKE lifetime '3600' set vpn ipsec ike-group IKE proposal 1 dh-group '5' set vpn ipsec ike-group IKE proposal 1 encryption '3des' set vpn ipsec ike-group IKE proposal 1 hash 'sha1' set vpn ipsec ipsec-interfaces interface 'eth0' set vpn ipsec nat-traversal 'enable' set vpn ipsec site-to-site peer 100.100.0.1 authentication id '@vyos' set vpn ipsec site-to-site peer 100.100.0.1 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 100.100.0.1 authentication pre-shared-secret '1234' set vpn ipsec site-to-site peer 100.100.0.1 authentication remote-id '@vyos' set vpn ipsec site-to-site peer 100.100.0.1 connection-type 'initiate' set vpn ipsec site-to-site peer 100.100.0.1 description 'VR1-TO-VR2-VPN' set vpn ipsec site-to-site peer 100.100.0.1 ike-group 'IKE' set vpn ipsec site-to-site peer 100.100.0.1 ikev2-reauth 'inherit' set vpn ipsec site-to-site peer 100.100.0.1 local-address '100.100.0.1' set vpn ipsec site-to-site peer 100.100.0.1 tunnel 0 allow-nat-networks 'disable' set vpn ipsec site-to-site peer 100.100.0.1 tunnel 0 allow-public-networks 'disable' set vpn ipsec site-to-site peer 100.100.0.1 tunnel 0 esp-group 'ESP' set vpn ipsec site-to-site peer 100.100.0.1 tunnel 0 local prefix '192.168.56.0/24' set vpn ipsec site-to-site peer 100.100.0.1 tunnel 0 remote prefix '192.168.1.0/24' [/code] vr2 config [code] vpn { ipsec { esp-group ESP { compression disable lifetime 1800 mode tunnel pfs dh-group5 proposal 1 { encryption 3des hash sha1 } } ike-group IKE { lifetime 3600 proposal 1 { dh-group 5 encryption 3des hash sha1 } } ipsec-interfaces { interface eth0 } nat-traversal enable site-to-site { peer @vyos { authentication { id @vyos mode pre-shared-secret pre-shared-secret 1234 remote-id @vyos } connection-type initiate ike-group IKE local-address any tunnel 1 { esp-group ESP local { prefix 192.168.1.0/24 } remote { prefix 192.168.56.0/24 } } } } } } [/code] log [code] May 31 19:32:32 vRouter pluto[2561]: forgetting secrets May 31 19:32:32 vRouter pluto[2561]: loading secrets from "/etc/ipsec.secrets" May 31 19:32:32 vRouter pluto[2561]: loaded PSK secret for 100.100.0.1 100.100.0.2 vyos vyos May 31 19:32:32 vRouter pluto[2561]: loading secrets from "/etc/dmvpn.secrets" May 31 19:32:32 vRouter pluto[2561]: Changing to directory '/etc/ipsec.d/crls' May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0": deleting connection May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #26: deleting state (STATE_MAIN_I3) May 31 19:32:32 vRouter pluto[2561]: forgetting secrets May 31 19:32:32 vRouter pluto[2561]: loading secrets from "/etc/ipsec.secrets" May 31 19:32:32 vRouter pluto[2561]: loaded PSK secret for 100.100.0.1 100.100.0.2 vyos vyos May 31 19:32:32 vRouter pluto[2561]: loading secrets from "/etc/dmvpn.secrets" May 31 19:32:32 vRouter pluto[2561]: Changing to directory '/etc/ipsec.d/crls' May 31 19:32:32 vRouter pluto[2561]: added connection description "peer-100.100.0.2-tunnel-0" May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: initiating Main Mode May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: received Vendor ID payload [strongSwan] May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: ignoring Vendor ID payload [Cisco-Unity] May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: received Vendor ID payload [XAUTH] May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: received Vendor ID payload [Dead Peer Detection] May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: received Vendor ID payload [RFC 3947] May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: enabling possible NAT-traversal with method 3 May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: NAT-Traversal: Result using RFC 3947: peer is NATed May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: next payload type of ISAKMP Hash Payload has an unknown value: 62 May 31 19:32:32 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: malformed payload in packet May 31 19:32:42 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: discarding duplicate packet; already STATE_MAIN_I3 May 31 19:32:42 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: next payload type of ISAKMP Hash Payload has an unknown value: 44 May 31 19:32:42 vRouter pluto[2561]: "peer-100.100.0.2-tunnel-0" #27: malformed payload in packet [/code] show vpn ipsec sa always tunnel down .. why ? bug issue ? we try remove ' nat-traversal enable' at under nat device router , tunnel is up , but ping & traceroute is NG and re-paste " set vpn ipsec ike-group IKE key-exchange 'ikev1' " ping & traceroute is ok .