Configuration to create an AWS inter-region VPN

I have created MYAPP_VPC on AWS in US-EAST-2 (Ohio) with an AWS VPG+CG, and another Vyos_VPC in US-EAST-1. I am trying to build a site-to-site IPsec tunnel between them to simulate my customer's use case.

I have downloaded the VPN configuration file from the AWS VPN on MY_APP VPC (US-EAST-2) and configured the VyOS instance running in VYOS_VPC (US-EAST-1).

But when I run this command, "run show vpn ipsec sa",
I see that my peer connection state is "down", and on the AWS side I also see that the tunnel state is DOWN and IPsec is DOWN.

Can someone please help me debug and fix this issue?
Please let me know what information you need from me to resolve it.
FYI, I followed this link: https://github.com/mboret/aws-vyos, but I did the configuration manually instead of using the Python script mentioned there.
Thanks in advance!

Hello @VikramS.
Can you provide your VPN configuration and the output of these commands?

show configuration commands | match vpn
sh log vpn ipsec | tail -n 50
show ip route

 vyos@ip-10-0-1-223:~$ show vpn ipsec sa
Connection                    State    Up    Bytes In/Out    Remote address    Remote ID    Proposal
----------------------------  -------  ----  --------------  ----------------  -----------  ----------
peer-18.x.x.0-tunnel-vti   down     N/A   N/A             N/A               N/A          N/A
peer-52.x.x.44-tunnel-vti  down     N/A   N/A             N/A               N/A          N/A
vyos@ip-10-0-1-223:~$ show configuration commands | match vpn
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set vpn ipsec ike-group AWS ikev2-reauth 'no'
set vpn ipsec ike-group AWS key-exchange 'ikev1'
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS proposal 2 dh-group '2'
set vpn ipsec ike-group AWS proposal 2 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 18.x.x.0 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 18.x.x.0 authentication pre-shared-secret '*****'
set vpn ipsec site-to-site peer 18.x.x.0 connection-type 'initiate'
set vpn ipsec site-to-site peer 18.x.x.0 description 'VPC tunnel 1'
set vpn ipsec site-to-site peer 18.x.x.0 ike-group 'AWS'
set vpn ipsec site-to-site peer 18.x.x.0 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 18.x.x.0 local-address '54.x.x.183'
set vpn ipsec site-to-site peer 18.x.x.0 vti bind 'vti0'
set vpn ipsec site-to-site peer 18.x.x.0 vti esp-group 'AWS'
set vpn ipsec site-to-site peer 52.x.x.44 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.x.x.44 authentication pre-shared-secret '***'
set vpn ipsec site-to-site peer 52.x.x.44 connection-type 'initiate'
set vpn ipsec site-to-site peer 52.x.x.44 description 'VPC tunnel 2'
set vpn ipsec site-to-site peer 52.x.x.44 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.x.x.44 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 52.x.x.44 local-address '54.x.x.183'
set vpn ipsec site-to-site peer 52.x.x.44 vti bind 'vti1'
set vpn ipsec site-to-site peer 52.x.x.44 vti esp-group 'AWS'
vyos@ip-10-0-1-223:~$ sh log vpn ipsec | tail -n 50
vyos@ip-10-0-1-223:~$
vyos@ip-10-0-1-223:~$
vyos@ip-10-0-1-223:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
      O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
      T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
      F - PBR, f - OpenFabric,
      > - selected route, * - FIB route
S>* 0.0.0.0/0 [210/0] via 10.0.1.1, eth0, 01:02:14
C>* 10.0.1.0/24 is directly connected, eth0, 01:02:14
vyos@ip-10-0-1-223:~$

So:
local-address - local IP address for the IPsec connection with this peer. If defined as any, then the IP address configured on the interface with the default route will be used;

54.x.x.183

It is not in your routing table.

As a first step, try it with one tunnel:
del vpn ipsec ipsec-interfaces interface 'eth1'
and use the address of your eth0 interface as local-address (as far as I understand, 10.0.1.223).
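A small check for the mismatch described in this reply, written as an added example (it is not part of this thread or of VyOS). It takes the peer `local-address` lines from `show configuration commands` and a list of addresses actually configured on the router, and reports every peer whose `local-address` is not a local address. The sample config and address list below are constructed from the values posted above (the public 54.x.x.183 as local-address, while the only configured address is 10.0.1.223 on eth0); `live_addrs` is an assumed helper that collects the router's IPv4 addresses with `ip -o -4 addr` and is not used by the sample run.

```shell
#!/bin/sh
# Constructed sample: the peer local-address lines as posted in the thread.
sample_config() {
cat <<'EOF'
set vpn ipsec site-to-site peer 18.x.x.0 local-address '54.x.x.183'
set vpn ipsec site-to-site peer 52.x.x.44 local-address '54.x.x.183'
EOF
}

# Constructed sample: the only address present on the router (eth0, from show ip route).
sample_addrs() {
cat <<'EOF'
10.0.1.223
EOF
}

# Assumed helper for a live box: one IPv4 address per line, prefix length stripped.
live_addrs() {
  ip -o -4 addr show | awk '{print $4}' | cut -d/ -f1
}

# check_local_addresses CONFIG_TEXT ADDR_LIST
# Prints "<peer> <local-address>" for every peer whose local-address is not
# in ADDR_LIST. Prints nothing when every peer is bound to a local address.
check_local_addresses() {
  config="$1"
  addrs="$2"
  printf '%s\n' "$config" |
    sed -n "s/^set vpn ipsec site-to-site peer \([^ ]*\) local-address '\([^']*\)'.*/\1 \2/p" |
    while read -r peer laddr; do
      # -x: whole-line match, -F: literal (dots in the address are not regex wildcards)
      if ! printf '%s\n' "$addrs" | grep -qxF "$laddr"; then
        printf '%s %s\n' "$peer" "$laddr"
      fi
    done
}

# Stand-alone run over the constructed sample: both peers are reported,
# because 54.x.x.183 is the instance's public IP, which AWS NATs and which
# never appears on the instance's own interfaces.
check_local_addresses "$(sample_config)" "$(sample_addrs)"
```

On a real VyOS instance the two inputs would be `show configuration commands | match local-address` and `live_addrs`; any peer the check prints needs its `local-address` set to the interface address (here 10.0.1.223), since the Elastic IP is translated by AWS and is not routable from inside the instance.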

set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set vpn ipsec ike-group AWS ikev2-reauth 'no'
set vpn ipsec ike-group AWS key-exchange 'ikev1'
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS proposal 2 dh-group '2'
set vpn ipsec ike-group AWS proposal 2 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 18.190.41.0 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 18.190.41.0 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 18.190.41.0 connection-type 'initiate'
set vpn ipsec site-to-site peer 18.190.41.0 description 'VPC tunnel 1'
set vpn ipsec site-to-site peer 18.190.41.0 ike-group 'AWS'
set vpn ipsec site-to-site peer 18.190.41.0 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 18.190.41.0 local-address '54.163.128.183'
set vpn ipsec site-to-site peer 18.190.41.0 vti bind 'vti0'
set vpn ipsec site-to-site peer 18.190.41.0 vti esp-group 'AWS'
set vpn ipsec site-to-site peer 52.14.116.44 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.14.116.44 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 52.14.116.44 connection-type 'initiate'
set vpn ipsec site-to-site peer 52.14.116.44 description 'VPC tunnel 2'
set vpn ipsec site-to-site peer 52.14.116.44 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.14.116.44 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 52.14.116.44 local-address '54.163.128.183'
set vpn ipsec site-to-site peer 52.14.116.44 vti bind 'vti1'
set vpn ipsec site-to-site peer 52.14.116.44 vti esp-group 'AWS'

Hi @VikramS, please use <command> | strip-private to hide private information in your config, such as the pre-shared-secret. I also recommend changing the pre-shared-secret on your routers now.