Hi, I am busy setting up site-to-site connectivity between my VyOS routers and MS Azure. I need to set up route-based IPsec with BGP. For some reason, I can only get phase 2 to establish using policy-based IPsec; I cannot get the route-based tunnel using vti to come up. Has anyone perhaps seen this issue? I see some guides mention not to assign an address to the vti (https://help.ubnt.com/hc/en-us/articles/115012374708), but I am also not able to get this to function.
Azure side
Public IP: 22.186.24.44
Virtual network: 172.16.32.0/24
VyOS side:
Public IP: 32.51.19.16
Virtual network: 172.16.4.0/24
VyOS config:
set vpn ipsec esp-group MSA lifetime '27000'
set vpn ipsec esp-group MSA mode 'tunnel'
set vpn ipsec esp-group MSA pfs 'disable'
set vpn ipsec esp-group MSA proposal 1 encryption 'aes256'
set vpn ipsec esp-group MSA proposal 1 hash 'sha1'
set vpn ipsec ike-group MSA dead-peer-detection action 'restart'
set vpn ipsec ike-group MSA dead-peer-detection interval '15'
set vpn ipsec ike-group MSA dead-peer-detection timeout '30'
set vpn ipsec ike-group MSA ikev2-reauth 'no'
set vpn ipsec ike-group MSA key-exchange 'ikev2'
set vpn ipsec ike-group MSA lifetime '28800'
set vpn ipsec ike-group MSA proposal 1 dh-group '2'
set vpn ipsec ike-group MSA proposal 1 encryption 'aes256'
set vpn ipsec ike-group MSA proposal 1 hash 'sha1'
Working:
set vpn ipsec site-to-site peer 22.186.24.44 authentication id '32.51.19.16'
set vpn ipsec site-to-site peer 22.186.24.44 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 22.186.24.44 authentication pre-shared-secret '123456'
set vpn ipsec site-to-site peer 22.186.24.44 connection-type 'respond'
set vpn ipsec site-to-site peer 22.186.24.44 description 'MSA tunnel1'
set vpn ipsec site-to-site peer 22.186.24.44 ike-group 'MSA'
set vpn ipsec site-to-site peer 22.186.24.44 local-address '172.16.4.10'
set vpn ipsec site-to-site peer 22.186.24.44 tunnel 0 esp-group 'MSA'
set vpn ipsec site-to-site peer 22.186.24.44 tunnel 0 local prefix '172.16.4.0/24'
set vpn ipsec site-to-site peer 22.186.24.44 tunnel 0 remote prefix '172.16.32.0/24'
Not working:
set vpn ipsec site-to-site peer 22.186.24.44 authentication id '32.51.19.16'
set vpn ipsec site-to-site peer 22.186.24.44 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 22.186.24.44 authentication pre-shared-secret '123456'
set vpn ipsec site-to-site peer 22.186.24.44 connection-type 'respond'
set vpn ipsec site-to-site peer 22.186.24.44 description 'MSA tunnel1'
set vpn ipsec site-to-site peer 22.186.24.44 ike-group 'MSA'
set vpn ipsec site-to-site peer 22.186.24.44 local-address '172.16.4.10'
set vpn ipsec site-to-site peer 22.186.24.44 vti bind 'vti2'
set vpn ipsec site-to-site peer 22.186.24.44 vti esp-group 'MSA'
set protocols static interface-route 172.16.32.0/24 next-hop-interface vti2
I have also tried to get the MTU of vti2 to 1350, but it made no difference.
One error message I noticed below:
ipsec_starter[1622]: routing 'peer-22.186.24.44 -tunnel-vti' failed
Any ideas? Thank you
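A small consistency checker for VyOS `set vpn ipsec` command lists, added here as an example that is not part of the post above and not VyOS's own tooling. It parses the `set` lines, collects the esp-groups, ike-groups and `interfaces vti` stanzas that are defined, and then reports peers whose `vti bind` names an interface with no `set interfaces vti <name>` stanza, whose `vti` has no esp-group, whose referenced groups are undefined, or which mix `tunnel N` (policy-based) and `vti` (route-based) on one peer. The assumption that a bound vti needs its own `interfaces vti` stanza is based on how VyOS creates vti interfaces; the sample configs are constructed from the poster's lines with the pre-shared secret replaced by a placeholder, and whether the missing stanza is the poster's actual problem is not something the post confirms.

```python
"""Lint VyOS 'set' command lists for route-based vs policy-based IPsec mistakes."""
import shlex
from collections import defaultdict

# Constructed sample: the poster's shared groups plus the route-based peer block.
# The secret is a placeholder, not a real value.
SAMPLE_ROUTE_BASED = """
set vpn ipsec esp-group MSA lifetime '27000'
set vpn ipsec esp-group MSA mode 'tunnel'
set vpn ipsec esp-group MSA pfs 'disable'
set vpn ipsec esp-group MSA proposal 1 encryption 'aes256'
set vpn ipsec esp-group MSA proposal 1 hash 'sha1'
set vpn ipsec ike-group MSA key-exchange 'ikev2'
set vpn ipsec ike-group MSA lifetime '28800'
set vpn ipsec ike-group MSA proposal 1 dh-group '2'
set vpn ipsec ike-group MSA proposal 1 encryption 'aes256'
set vpn ipsec ike-group MSA proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 22.186.24.44 authentication id '32.51.19.16'
set vpn ipsec site-to-site peer 22.186.24.44 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 22.186.24.44 authentication pre-shared-secret 'REPLACE_ME'
set vpn ipsec site-to-site peer 22.186.24.44 connection-type 'respond'
set vpn ipsec site-to-site peer 22.186.24.44 ike-group 'MSA'
set vpn ipsec site-to-site peer 22.186.24.44 local-address '172.16.4.10'
set vpn ipsec site-to-site peer 22.186.24.44 vti bind 'vti2'
set vpn ipsec site-to-site peer 22.186.24.44 vti esp-group 'MSA'
set protocols static interface-route 172.16.32.0/24 next-hop-interface vti2
"""

# Constructed sample: the same groups with the poster's policy-based peer block.
SAMPLE_POLICY_BASED = """
set vpn ipsec esp-group MSA mode 'tunnel'
set vpn ipsec ike-group MSA key-exchange 'ikev2'
set vpn ipsec site-to-site peer 22.186.24.44 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 22.186.24.44 ike-group 'MSA'
set vpn ipsec site-to-site peer 22.186.24.44 local-address '172.16.4.10'
set vpn ipsec site-to-site peer 22.186.24.44 tunnel 0 esp-group 'MSA'
set vpn ipsec site-to-site peer 22.186.24.44 tunnel 0 local prefix '172.16.4.0/24'
set vpn ipsec site-to-site peer 22.186.24.44 tunnel 0 remote prefix '172.16.32.0/24'
"""


def parse_set_commands(text):
    """Turn each "set a b 'value'" line into a token list without the leading 'set'."""
    cmds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        cmds.append(shlex.split(line)[1:])  # shlex strips the quotes around values
    return cmds


def check_ipsec_config(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    cmds = parse_set_commands(text)
    findings = []
    esp_groups = {c[3] for c in cmds if len(c) > 3 and c[:3] == ["vpn", "ipsec", "esp-group"]}
    ike_groups = {c[3] for c in cmds if len(c) > 3 and c[:3] == ["vpn", "ipsec", "ike-group"]}
    vti_ifaces = {c[2] for c in cmds if len(c) > 2 and c[:2] == ["interfaces", "vti"]}

    peers = defaultdict(lambda: {"vti": None, "vti_esp": None, "ike": None,
                                 "tunnels": set(), "tun_esp": {}})
    for c in cmds:
        if len(c) < 6 or c[:4] != ["vpn", "ipsec", "site-to-site", "peer"]:
            continue
        peer, rest = c[4], c[5:]
        p = peers[peer]
        if rest[:2] == ["vti", "bind"] and len(rest) == 3:
            p["vti"] = rest[2]
        elif rest[:2] == ["vti", "esp-group"] and len(rest) == 3:
            p["vti_esp"] = rest[2]
        elif rest[:1] == ["ike-group"] and len(rest) == 2:
            p["ike"] = rest[1]
        elif rest[:1] == ["tunnel"] and len(rest) >= 2:
            p["tunnels"].add(rest[1])
            if rest[2:3] == ["esp-group"] and len(rest) == 4:
                p["tun_esp"][rest[1]] = rest[3]

    for peer, p in sorted(peers.items()):
        if p["ike"] is None:
            findings.append(f"{peer}: no ike-group set")
        elif p["ike"] not in ike_groups:
            findings.append(f"{peer}: ike-group {p['ike']} is not defined")
        if p["vti"] is not None:
            # Assumption: a bound vti must also exist as 'set interfaces vti <name>'.
            if p["vti"] not in vti_ifaces:
                findings.append(f"{peer}: vti bind {p['vti']} but no 'set interfaces vti {p['vti']}' stanza")
            if p["vti_esp"] is None:
                findings.append(f"{peer}: vti bind without vti esp-group")
            elif p["vti_esp"] not in esp_groups:
                findings.append(f"{peer}: vti esp-group {p['vti_esp']} is not defined")
            if p["tunnels"]:
                findings.append(f"{peer}: both vti and policy-based tunnel(s) configured on one peer")
        for tun in sorted(p["tunnels"]):
            esp = p["tun_esp"].get(tun)
            if esp is None:
                findings.append(f"{peer}: tunnel {tun} has no esp-group")
            elif esp not in esp_groups:
                findings.append(f"{peer}: tunnel {tun} esp-group {esp} is not defined")
    return findings


if __name__ == "__main__":
    for name, sample in (("route-based", SAMPLE_ROUTE_BASED), ("policy-based", SAMPLE_POLICY_BASED)):
        print(name, check_ipsec_config(sample) or ["no findings"])
```

Run it against a `show configuration commands` dump; adding a `set interfaces vti vti2 ...` line to the route-based sample makes the only finding disappear, which is the kind of before/after comparison worth doing before digging into the strongSwan logs.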