Hello
I am testing IPsec VTI tunnel communication between a Cisco router and a VyOS VM:
Cisco configuration
crypto ikev2 proposal vyos-ikev2-proposal
encryption aes-gcm-256
prf sha256
group 14
!
crypto ikev2 policy vyos-ikev2-policy
match address local 192.168.251.3
proposal vyos-ikev2-proposal
!
crypto ikev2 profile vyos-ikev2-profile
match identity remote address 192.168.251.1 255.255.255.255
authentication local pre-share key vyostocisco
authentication remote pre-share key vyostocisco
dpd 30 15 periodic
!
crypto ipsec transform-set vyos_transform esp-gcm 256
mode tunnel
!
!
crypto ipsec profile vyos_ipsec
set transform-set vyos_transform
set ikev2-profile vyos-ikev2-profile
!
!
interface Tunnel1000
description test VPN Tunnel to VyOS test
ip address 172.31.250.1 255.255.255.252
tunnel source 192.168.251.3
tunnel mode ipsec ipv4
tunnel destination 192.168.251.1
tunnel protection ipsec profile vyos_ipsec
VyOS configuration
set interfaces ethernet eth4 address '10.0.250.1/24'
set interfaces ethernet eth4 hw-id '50:00:00:12:00:01'
set interfaces ethernet eth5 address '10.113.112.101/24'
set interfaces ethernet eth5 hw-id '50:00:00:12:00:00'
set interfaces ethernet eth6 hw-id '50:00:00:12:00:02'
set interfaces ethernet eth7 hw-id '50:00:00:12:00:03'
set interfaces loopback lo
set interfaces vti vti0 address '192.168.128.237/30'
set policy route MSS-CLAMP rule 10 protocol 'tcp'
set policy route MSS-CLAMP rule 10 set tcp-mss '1400'
set policy route MSS-CLAMP rule 10 tcp flags 'SYN'
set protocols static route 0.0.0.0/0 next-hop 10.113.112.1
set protocols static route 10.232.0.0/16 next-hop 192.168.128.238
set protocols static route 192.168.120.17/32 next-hop 192.168.128.238
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$xsFVZFpZkHuL$RbQGug1kCvfxyAPkTkAHPieqp5IXJvWIK1N7n4NGpVAqv0EjxQkwH9m0zxyZo7aoSkYwm3/1gig/4EAYL6N93.'
set system login user vyos authentication plaintext-password ''
set system syslog global facility daemon level 'notice'
set system syslog global facility protocols level 'all'
set vpn ipsec esp-group ESP_TO_CISCO compression 'disable'
set vpn ipsec esp-group ESP_TO_CISCO lifetime '3600'
set vpn ipsec esp-group ESP_TO_CISCO mode 'tunnel'
set vpn ipsec esp-group ESP_TO_CISCO pfs 'dh-group14'
set vpn ipsec esp-group ESP_TO_CISCO proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_TO_CISCO proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE_TO_CISCO close-action 'none'
set vpn ipsec ike-group IKE_TO_CISCO dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE_TO_CISCO dead-peer-detection interval '15'
set vpn ipsec ike-group IKE_TO_CISCO dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE_TO_CISCO ikev2-reauth 'yes'
set vpn ipsec ike-group IKE_TO_CISCO key-exchange 'ikev2'
set vpn ipsec ike-group IKE_TO_CISCO lifetime '28800'
set vpn ipsec ike-group IKE_TO_CISCO proposal 1 dh-group '14'
set vpn ipsec ike-group IKE_TO_CISCO proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group IKE_TO_CISCO proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth5'
set vpn ipsec site-to-site peer 192.168.138.106 authentication id '10.113.112.101'
set vpn ipsec site-to-site peer 192.168.138.106 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.138.106 authentication pre-shared-secret 'vyostocisco'
set vpn ipsec site-to-site peer 192.168.138.106 authentication remote-id '192.168.138.106'
set vpn ipsec site-to-site peer 192.168.138.106 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.138.106 default-esp-group 'ESP_TO_CISCO'
set vpn ipsec site-to-site peer 192.168.138.106 ike-group 'IKE_TO_CISCO'
set vpn ipsec site-to-site peer 192.168.138.106 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.168.138.106 local-address '10.113.112.101'
set vpn ipsec site-to-site peer 192.168.138.106 vti bind 'vti0'
set vpn ipsec site-to-site peer 192.168.138.106 vti esp-group 'ESP_TO_CISCO'
It works OK, but after some time without traffic through the tunnel, no new traffic can pass through it until the peer is restarted on the VyOS side with the "reset vpn ipsec peer" command.
Is there something I did wrong in the configuration?
Please advise.
Best regards