Hi
I use version 1.28 from the Amazon EC2 AMI. After completing all the IPsec configuration, both the IPsec and IKE SAs are up, but the kernel route to the remote network does not appear.
```
[email protected]:~$ show vpn ipsec sa
Connection                     State    Up          Bytes In/Out    Remote address    Remote ID    Proposal
-----------------------------  -------  ----------  --------------  ----------------  -----------  ---------------------------------------------
peer-xx.xx.xx.xx-tunnel-2      up       43 minutes  241K/211K       xx.xx.xx.xx       N/A          3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
```
```
yos@ip-189-189-89-244:~$ show vpn ike sa peer 159.138.15.169
Possible completions:
  Execute the current command

[email protected]:~$ show vpn ike sa peer xx.xx.xx.xx
Peer ID / IP        Local ID / IP
xx.xx.xx.xx         xx.xx.xx.xx

State  IKEVer  Encrypt  Hash     D-H Group     NAT-T  A-Time  L-Time
-----  ------  -------  ----     ---------     -----  ------  ------
up     IKEv1   3des     sha1_96  5(MODP_1536)  no     7200    86400
```
My configuration is here:
```
set vpn ipsec esp-group HUW_ESP compression 'disable'
set vpn ipsec esp-group HUW_ESP lifetime '86400'
set vpn ipsec esp-group HUW_ESP mode 'tunnel'
set vpn ipsec esp-group HUW_ESP pfs 'enable'
set vpn ipsec esp-group HUW_ESP proposal 1 encryption '3des'
set vpn ipsec esp-group HUW_ESP proposal 1 hash 'sha1'
set vpn ipsec ike-group For_HUW dead-peer-detection action 'restart'
set vpn ipsec ike-group For_HUW dead-peer-detection interval '30'
set vpn ipsec ike-group For_HUW dead-peer-detection timeout '120'
set vpn ipsec ike-group For_HUW ikev2-reauth 'no'
set vpn ipsec ike-group For_HUW key-exchange 'ikev1'
set vpn ipsec ike-group For_HUW lifetime '86400'
set vpn ipsec ike-group For_HUW proposal 1 dh-group '5'
set vpn ipsec ike-group For_HUW proposal 1 encryption '3des'
set vpn ipsec ike-group For_HUW proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer xx.xx.xx.xx authentication id 'my_public_ip'
set vpn ipsec site-to-site peer xx.xx.xx.xx authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xx.xx.xx.xx authentication pre-shared-secret '@hWw$8!!06'
set vpn ipsec site-to-site peer xx.xx.xx.xx authentication remote-id 'xx.xx.xx.xx'
set vpn ipsec site-to-site peer xx.xx.xx.xx connection-type 'initiate'
set vpn ipsec site-to-site peer xx.xx.xx.xx ike-group 'For_HUW'
set vpn ipsec site-to-site peer xx.xx.xx.xx ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xx.xx.xx.xx local-address 'my_private_ip'
set vpn ipsec site-to-site peer xx.xx.xx.xx tunnel 2 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xx.xx.xx.xx tunnel 2 allow-public-networks 'disable'
set vpn ipsec site-to-site peer xx.xx.xx.xx tunnel 2 esp-group 'HUW_ESP'
set vpn ipsec site-to-site peer xx.xx.xx.xx tunnel 2 local prefix 'xx.xx.xx.xx/32'
set vpn ipsec site-to-site peer xx.xx.xx.xx tunnel 2 remote prefix 'xx.xx.xx.xx/24'
```