DMVPN hub behind 1:1 static NAT


#1

I’m happy to see support for DMVPN. I put my DMVPN hub in AWS so I’m forced to have my DMVPN hub behind a NAT device (1:1 static).

I followed the config here - http://vyos.net/wiki/DMVPN

However, I seem to be running into the problem that the spoke rejects the IKE negotiation because the peer ID is not what it expects (peer ID is the actual interface IP but it expects the NAT’ed address as the peer ID).

In the static site-to-site tunnel, I can specify the peer ID but in the DMVPN case I couldn’t figure out how to do that. Any idea?

This is the error I got from the spoke.

Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: initiating Main Mode to replace #11
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: received Vendor ID payload [strongSwan]
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: ignoring Vendor ID payload [Cisco-Unity]
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: received Vendor ID payload [XAUTH]
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: received Vendor ID payload [Dead Peer Detection]
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: received Vendor ID payload [RFC 3947]
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: enabling possible NAT-traversal with method 3
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: NAT-Traversal: Result using RFC 3947: both are NATed
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: Peer ID is ID_IPV4_ADDR: '10.0.0.101'
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: we require peer to have ID '54.57.14.49', but peer declares '10.0.0.101'
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: sending encrypted notification INVALID_ID_INFORMATION to 54.57.14.49:4500

Snippet of my hub config. The actual address assigned by AWS to the ether is 10.0.0.101. If I specify local-ip as anything other than 10.0.0.101, then I get the error that it cannot find the key: "initial Main Mode message received on 10.0.0.101:4500 but no connection has been authorized with policy=PSK"

interfaces {
    ethernet eth0 {
        address dhcp
        duplex auto
        hw-id 06:9b:2b:61:87:8b
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    tunnel tun0 {
        address 192.168.199.1/24
        encapsulation gre
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                network broadcast
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip 0.0.0.0
        multicast enable
        parameters {
            ip {
                key 1
            }
        }
    }
}


#2

Hey mojiman,

I’m working on the exact same issue as you. I found that setting the leftid= in the /etc/dmvpn.conf file fixed this issue for me. I’m still in the process of troubleshooting the tunnel end-to-end, but if this seems to be the permanent solution I’ll probably work on some code to add the peer ID authentication option to the vyos codebase so a reboot won’t lose the leftid.

If you’re running NAT on the spoke side too, I’ve found that leftid hasn’t been working for me – about to post a thread here for help from the wizards who be to see if they have any input.

Maybe between the two of us we can figure out how to get this up and running.
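For reference, here is an added example (not from either post and not the file VyOS generates) of what the leftid fix from post #2 looks like in the strongSwan ipsec.conf syntax that /etc/dmvpn.conf uses. It takes the addresses from post #1 (10.0.0.101 bound on the hub's eth0, 54.57.14.49 as the public 1:1 NAT address) and assumes PSK authentication; the conn names, the spoke-side stanza and the spoke's own addressing are placeholders.

```conf
# Hub side, running in AWS behind 1:1 static NAT. Added example: the
# addresses come from post #1, the conn name and every other value is an
# assumption.
conn dmvpn-hub
    keyexchange=ikev1
    authby=secret
    type=transport
    left=10.0.0.101          # the address actually bound on eth0 (what pluto
                             # otherwise sends as ID_IPV4_ADDR)
    leftid=54.57.14.49       # the ID the spoke checks against: the NAT address
    leftprotoport=gre
    right=%any               # spokes may connect from any address
    rightprotoport=gre
    auto=add

# Spoke side (placeholder). The hub's public address is both the peer
# address and the ID the spoke expects, so the two must agree.
conn dmvpn-spoke
    keyexchange=ikev1
    authby=secret
    type=transport
    left=%defaultroute
    leftprotoport=gre
    right=54.57.14.49
    rightid=54.57.14.49
    rightprotoport=gre
    auto=add
```

Two caveats. With IKEv1 Main Mode and PSK, the responder has to pick the pre-shared key by the initiator's source address before it has seen the ID payload, so a hub that accepts spokes from %any needs a secrets entry keyed on %any as well (the "no connection has been authorized with policy=PSK" message in post #1 is what a failed lookup looks like). And pinning leftid only fixes the hub's own declared ID; the spoke-behind-NAT case that post #2 reports as still failing is not covered by this example.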