I’m happy to see support for DMVPN. I put my DMVPN hub in AWS so I’m forced to have my DMVPN hub behind a NAT device (1:1 static).
I followed the config here - http://vyos.net/wiki/DMVPN
However, I seem to be running into the problem that the spoke rejects the IKE negotiation because the peer ID is not what it expects (peer ID is the actual interface IP but it expects the NAT’ed address as the peer ID).
In the static site-to-site tunnel, I can specify the peer ID but in the DMVPN case I couldn’t figure out how to do that. Any idea?
This is the error I got from the spoke:
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: initiating Main Mode to replace #11
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: received Vendor ID payload [strongSwan]
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: ignoring Vendor ID payload [Cisco-Unity]
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: received Vendor ID payload [XAUTH]
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: received Vendor ID payload [Dead Peer Detection]
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: received Vendor ID payload [RFC 3947]
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: enabling possible NAT-traversal with method 3
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: NAT-Traversal: Result using RFC 3947: both are NATed
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: Peer ID is ID_IPV4_ADDR: '10.0.0.101'
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: we require peer to have ID '54.57.14.49', but peer declares '10.0.0.101'
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: sending encrypted notification INVALID_ID_INFORMATION to 54.57.14.49:4500
Snippet of my hub config. The actual address assigned by AWS to the Ethernet interface is 10.0.0.101. If I specify the local-ip to be anything other than 10.0.0.101, then I get the error that it cannot find the key: "initial Main Mode message received on 10.0.0.101:4500 but no connection has been authorized with policy=PSK"
interfaces {
    ethernet eth0 {
        address dhcp
        duplex auto
        hw-id 06:9b:2b:61:87:8b
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    tunnel tun0 {
        address 192.168.199.1/24
        encapsulation gre
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                network broadcast
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip 0.0.0.0
        multicast enable
        parameters {
            ip {
                key 1
            }
        }
    }
}
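An added example, not part of the original post and not VyOS or strongSwan code: a small Python triage script that parses pluto (IKEv1) log lines of the kind quoted above and pulls out the two failure modes the post describes, the spoke rejecting the hub's IKE ID ("we require peer to have ID ... but peer declares ..."), and the hub finding no connection for the address a Main Mode proposal arrives on ("no connection has been authorized with policy=PSK"). The sample log text is constructed from the lines in the post; the hub-side line, the hostname "hub" and the PID 1234 in the second sample are assumptions. The private/public test on the two IDs is a heuristic for the "IKE ID is the pre-NAT interface address" symptom, not something pluto reports itself.

```python
"""Triage pluto (IKEv1) logs for DMVPN-behind-NAT failures.

Finds (a) peer-ID mismatches on the spoke, annotated with the NAT-T result
and the notification sent back, and (b) hub-side "no connection authorized"
lines that mean no connection is bound to the address the proposal hit.
"""
import ipaddress
import re
from collections import defaultdict

# pluto prefixes per-exchange messages with the connection name and the
# ISAKMP SA (state) number, e.g.  "a-to-b" #12: <message>
STATE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
# Emitted without a state prefix when no connection matches the inbound packet.
NOCONN_RE = re.compile(
    r"initial Main Mode message received on (?P<addr>[\d.]+):(?P<port>\d+) "
    r"but no connection has been authorized with policy=(?P<policy>\S+)"
)
ID_RE = re.compile(r"we require peer to have ID '(?P<want>[^']+)', but peer declares '(?P<got>[^']+)'")
NAT_RE = re.compile(r"NAT-Traversal: Result using RFC 3947: (?P<result>.*)")
NOTIFY_RE = re.compile(r"sending encrypted notification (?P<notify>[A-Z_]+) to (?P<dst>[\d.]+:\d+)")

# Constructed sample: the relevant spoke-side lines from the post.
SPOKE_LOG = """\
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: initiating Main Mode to replace #11
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: NAT-Traversal: Result using RFC 3947: both are NATed
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: Peer ID is ID_IPV4_ADDR: '10.0.0.101'
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: we require peer to have ID '54.57.14.49', but peer declares '10.0.0.101'
Dec 2 04:46:14 K2-Router-1 pluto[6585]: "192.168.199.2-to-192.168.199.1" #12: sending encrypted notification INVALID_ID_INFORMATION to 54.57.14.49:4500
"""

# Constructed sample of the hub-side error the post quotes (hostname/PID assumed).
HUB_LOG = """\
Dec 2 04:46:14 hub pluto[1234]: initial Main Mode message received on 10.0.0.101:4500 but no connection has been authorized with policy=PSK
"""


def _is_private(addr):
    """True for RFC 1918 / non-global addresses, False for anything unparsable."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def parse(log_text):
    """Group NAT-T result, ID mismatch and notification by (connection, state)."""
    states = defaultdict(dict)
    findings = []
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            n = NOCONN_RE.search(line)
            if n:
                findings.append({"kind": "no_connection", **n.groupdict()})
            continue
        key = (m["conn"], int(m["state"]))
        for rx in (NAT_RE, ID_RE, NOTIFY_RE):
            r = rx.search(m["msg"])
            if r:
                states[key].update(r.groupdict())
    return states, findings


def diagnose(log_text):
    """Return a list of findings; empty when every exchange authenticated cleanly."""
    states, findings = parse(log_text)
    for (conn, state), f in sorted(states.items()):
        if "want" in f and f["want"] != f["got"]:
            findings.append({
                "kind": "peer_id_mismatch",
                "conn": conn,
                "state": state,
                "expected": f["want"],
                "declared": f["got"],
                "nat": f.get("result"),
                "notify": f.get("notify"),
                # Heuristic: a private declared ID against a public expected ID, with
                # NAT-T negotiated, is the classic pre-NAT-interface-address symptom.
                "behind_nat": _is_private(f["got"]) and not _is_private(f["want"]),
            })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SPOKE_LOG) + diagnose(HUB_LOG):
        print(finding)
```

Feed it `journalctl`/syslog output from both ends: a `peer_id_mismatch` with `behind_nat` true on the spoke, paired with a `no_connection` on the hub whenever the hub's local address is changed away from the interface address, is exactly the pair of symptoms reported above, and tells you the problem is how the hub identifies itself rather than the pre-shared key.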