Can't set vpn ipsec site-to-site peer ip address!

When I tried to set vpn ipsec site-to-site peer 203.0.113.2,
I got an error message:
“Peer connection name must be alphanumeric and can contain hyphen and underscores
Value validation failed
Set failed”
Every other site said “set vpn ipsec site-to-site peer [ip address]”, but I can’t do that.
What should I do? Please help me!

It is a connection name, not a real peer address.
See the failure message. The IPsec syntax was migrated:

set vpn ipsec site-to-site peer PEER-ONE remote-address 203.0.113.2

There is an example config for 1.4 in our documentation.

1 Like

Thank you for replying! Now I can set the config.
I appreciate your help.
However, the next problem has occurred. After setting the configs, I entered “show vpn ike sa” and realized the State is “down”.
Is this because there is a mistake somewhere in the configuration?

This is the current configuration diagram.

And the vyrtr1 and vyrtr2 configs are below.
vyos@vyrtr1:~$ show configuration
interfaces {
    ethernet eth0 {
        address 10.1.1.1/24
        description lan1
        duplex auto
        hw-id 08:00:27:d1:8f:15
        speed auto
    }
    ethernet eth1 {
        address 198.51.100.1/24
        description wan1
        duplex auto
        hw-id 08:00:27:6a:99:9e
        speed auto
    }
    ethernet eth2 {
        address dhcp
        duplex auto
        hw-id 08:00:27:d2:b4:59
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
        route 203.0.113.0/24 {
            next-hop 198.51.100.3 {
            }
        }
    }
}
service {
    ssh {
    }
}
vpn {
    ipsec {
        esp-group rtr1-esp {
            lifetime 1800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256gcm128
                hash sha512
            }
        }
        ike-group rtr1-ike {
            dead-peer-detection {
                action restart
            }
            ikev2-reauth yes
            key-exchange ikev2
            lifetime 3600
            proposal 1 {
                dh-group 26
                encryption aes256gcm128
                hash sha512
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            peer vyrtr2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id 203.0.113.2
                }
                connection-type respond
                ike-group rtr1-ike
                ikev2-reauth inherit
                local-address 198.51.100.1
                tunnel 0 {
                    esp-group rtr1-esp
                    local {
                        prefix 10.1.1.0/24
                    }
                    remote {
                        prefix 10.2.2.0/24
                    }
                }
            }
        }
    }
}

vyos@vyrtr2:~$ show configuration
interfaces {
    ethernet eth0 {
        address 10.2.2.2/24
        description lan2
        duplex auto
        hw-id 08:00:27:ec:d6:2e
        speed auto
    }
    ethernet eth1 {
        address 203.0.113.2/24
        description wan2
        duplex auto
        hw-id 08:00:27:d6:aa:41
        speed auto
    }
    ethernet eth2 {
        address dhcp
        description for-ssh
        duplex auto
        hw-id 08:00:27:3e:b5:78
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
        route 198.51.100.0/24 {
            next-hop 203.0.113.3 {
            }
        }
    }
}
service {
    ssh {
    }
}
vpn {
    ipsec {
        esp-group rtr2-esp {
            lifetime 1800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256gcm128
                hash sha512
            }
        }
        ike-group rtr2-ike {
            dead-peer-detection {
                action restart
            }
            ikev2-reauth yes
            key-exchange ikev2
            lifetime 3600
            proposal 1 {
                dh-group 26
                encryption aes256gcm128
                hash sha512
            }
        }
        interface eth1
        site-to-site {
            peer vyrtr1 {
                authentication {
                    local-id 203.0.113.2
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-is 198.51.100.1
                }
                connection-type initiate
                ike-group rtr2-ike
                ikev2-reauth inherit
                local-address 203.0.113.2
                remote-address 198.51.100.1
                tunnel 0 {
                    esp-group rtr2-esp
                    local {
                        prefix 10.2.2.0/24
                    }
                    remote {
                        prefix 10.1.1.0/24
                    }
                }
            }
        }
    }
}

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.

Can you please add the remote-address parameter in the first router configuration you shared as well:

set vpn ipsec site-to-site peer vyrtr2 remote-address x.x.x.x

If the connection is down, try a restart of the vpn service:

restart vpn

Otherwise, you can share the logs: sudo journalctl -b --since "1 week ago" /usr/lib/ipsec/charon | tee

1 Like
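As an added example (not from the thread and not VyOS code), the following Python script cross-checks the two `show configuration` dumps for the mismatches that typically leave `show vpn ike sa` at State down: a peer with no remote-address, addresses or IDs that do not mirror the far end, tunnel prefixes that are not swapped, both ends set to respond, and differing IKE proposals. The brace parser is a minimal one written here for `show configuration` output; `AUTH_KEYS` is simply the set of authentication leaf keys that appear in this thread, so anything else under `authentication` is reported as a likely typo. The sample input is constructed from the two posted configs with unrelated sections dropped and secrets masked, and it deliberately keeps the `remote-is` line exactly as posted.

```python
"""Cross-check the two ends of a VyOS IPsec site-to-site tunnel (added example,
not VyOS code). Parses `show configuration` brace output and flags the
mismatches that commonly leave `show vpn ike sa` down. Sample input is
constructed from the two configs posted in the thread, trimmed."""
from string import Template

# Authentication leaf keys used in this thread; anything else is a likely typo.
AUTH_KEYS = {"mode", "pre-shared-secret", "local-id", "remote-id"}


def parse_config(text: str) -> dict:
    """`key value` -> {"key": "value"}; `key sub {` opens a nested dict."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node: dict = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        else:  # repeated leaf keys (e.g. several `interface` lines) would overwrite
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return root


def _peer(ipsec: dict) -> dict:
    """First site-to-site peer node (the thread's routers have exactly one)."""
    return next(v for k, v in ipsec["site-to-site"].items() if k.startswith("peer "))


def check_pair(configs: dict[str, dict]) -> list[str]:
    """Findings for two parsed router configs; an empty list means they mirror."""
    ends = [(name, cfg["vpn"]["ipsec"]) for name, cfg in configs.items()]
    findings = []
    if all(_peer(i).get("connection-type") == "respond" for _, i in ends):
        findings.append("both ends are connection-type respond; nobody initiates")
    for (name, ipsec), (_, far_ipsec) in (ends, ends[::-1]):
        peer, far = _peer(ipsec), _peer(far_ipsec)
        auth, far_auth = peer.get("authentication", {}), far.get("authentication", {})
        for bad in sorted(set(auth) - AUTH_KEYS):
            findings.append(f"{name}: unexpected authentication key '{bad}'")
        ra = peer.get("remote-address")  # must exist and equal the far local-address
        if ra is None:
            findings.append(f"{name}: peer has no remote-address")
        elif ra != far.get("local-address"):
            findings.append(f"{name}: remote-address {ra} != far local-address")
        rid = auth.get("remote-id")  # if set, must equal far local-id (else its address)
        if rid is not None and rid != far_auth.get("local-id", far.get("local-address")):
            findings.append(f"{name}: remote-id {rid} does not match far identity")
        tun, far_tun = peer.get("tunnel 0", {}), far.get("tunnel 0", {})
        if tun.get("local", {}).get("prefix") != far_tun.get("remote", {}).get("prefix"):
            findings.append(f"{name}: tunnel 0 local prefix is not the far remote prefix")
        prop = ipsec.get(f"ike-group {peer.get('ike-group')}", {}).get("proposal 1")
        far_prop = far_ipsec.get(f"ike-group {far.get('ike-group')}", {}).get("proposal 1")
        if prop != far_prop:
            findings.append(f"{name}: IKE proposal 1 differs from the far side")
    return findings


# Constructed sample: the vpn subtree of each router as posted, trimmed, secrets masked.
_SIDE = Template("""vpn {
  ipsec {
    ike-group $n-ike {
      proposal 1 {
        dh-group 26
        encryption aes256gcm128
        hash sha512
      }
    }
    site-to-site {
      peer $peer {
        authentication {
          mode pre-shared-secret
          $ids
        }
        connection-type $ctype
        ike-group $n-ike
        local-address $local
        $remote
        tunnel 0 {
          local {
            prefix $lp
          }
          remote {
            prefix $rp
          }
        }
      }
    }
  }
}""")
VYRTR1 = _SIDE.substitute(n="rtr1", peer="vyrtr2", ctype="respond", local="198.51.100.1",
                          ids="remote-id 203.0.113.2", remote="", lp="10.1.1.0/24", rp="10.2.2.0/24")
VYRTR2 = _SIDE.substitute(n="rtr2", peer="vyrtr1", ctype="initiate", local="203.0.113.2",
                          ids="local-id 203.0.113.2\n remote-is 198.51.100.1",  # typo kept as posted
                          remote="remote-address 198.51.100.1", lp="10.2.2.0/24", rp="10.1.1.0/24")
CONFIGS = {"vyrtr1": parse_config(VYRTR1), "vyrtr2": parse_config(VYRTR2)}

if __name__ == "__main__":
    print("\n".join(check_pair(CONFIGS)) or "configs mirror each other")
```

Run against the posted configs it reports two findings: vyrtr1 has no remote-address (the fix the reply above asks for) and vyrtr2 carries an `authentication` key the CLI does not know. Once those are corrected, the same check returns an empty list, which is the point of running it before restarting the service or digging through the charon logs.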