dmvpn ipsec tunnel no work ?

lawrence.pan · February 2, 2015, 10:53am

DMVPN ipsec tunnel no work ?

we are try do configure this http://vyos.net/wiki/DMVPN

but tunnel status is down and why create two tunnel ?

CLI Screen

vyos@spoke1:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP

2.2.2.1 1.1.1.1

Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto

tun0 down n/a n/a n/a no 0 3600 gre

Peer ID / IP Local ID / IP

0.0.0.0 1.1.1.1

Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto

tun0 down n/a n/a n/a no 0 1800 gre

vyos@spoke1:~$ show vpn ipsec status
IPSec Process Running PID: 3294

0 Active IPsec Tunnels

IPsec Interfaces :
eth0 (no IP on interface statically configured as local-ip for any VPN peer)

maybe ipsec vpn something configure is wrong …

vyos 1.1.1.3

Feb 2 18:46:10 spoke1 pluto[3294]: “172.31.255.2-to-172.31.255.1” #3: ignoring informational payload, type INVALID_MESSAGE_ID
Feb 2 18:46:30 spoke1 pluto[3294]: “172.31.255.2-to-172.31.255.1” #3: ignoring informational payload, type INVALID_MESSAGE_ID
Feb 2 18:47:10 spoke1 pluto[3294]: “172.31.255.2-to-172.31.255.1” #5: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb 2 18:47:10 spoke1 pluto[3294]: “172.31.255.2-to-172.31.255.1” #5: starting keying attempt 3 of at most 3
Feb 2 18:47:10 spoke1 pluto[3294]: “172.31.255.2-to-172.31.255.1” #6: initiating Quick Mode PSK+ENCRYPT+UP to replace #5 {using isakmp#3}
Feb 2 18:47:10 spoke1 pluto[3294]: “172.31.255.2-to-172.31.255.1” #3: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Feb 2 18:47:20 spoke1 pluto[3294]: “172.31.255.2-to-172.31.255.1” #3: ignoring informational payload, type INVALID_MESSAGE_ID
Feb 2 18:47:40 spoke1 pluto[3294]: “172.31.255.2-to-172.31.255.1” #3: ignoring informational payload, type INVALID_MESSAGE_ID
Feb 2 18:48:20 spoke1 pluto[3294]: “172.31.255.2-to-172.31.255.1” #6: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

Unicron · February 2, 2015, 8:58pm

Please configure pfs in esp - group, it requires pfs (for now)
It is a bug.

http://bugzilla.vyos.net/show_bug.cgi?id=367

lawrence.pan · February 3, 2015, 3:56am

we are add enable pfs mode ,and set dhgroup-xxx , it is work . tunnel is up .

thank you !!

HUB:
add this command

set vpn ipsec esp-group ESP-HUB1 pfs 'dh-group14'

Spork:
add this command

set vpn ipsec esp-group ESP-HUB1-SPOKE1 pfs 'dh-group14'

support dmvpn dual hub single cloud ?

Unicron · February 3, 2015, 6:33pm

I do not know, I have to test.
If I figure it out I will update the wiki.

ankit.tekmindz · March 17, 2016, 7:47am

Peer ID / IP Local ID / IP

x.x.x.x x.x.x.x

Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
------  -----  -------------  -------  ----    -----  ------  ------  -----
0       up     0.0/0.0        aes256   sha1_96 no     1080    1800    all

vyos@vr-1:~$ show vpn ipsec st
state status
vyos@vr-1:~$ show vpn ipsec statt

Invalid command: show vpn ipsec [statt]

vyos@vr-1:~$ show vpn ipsec status
IPSec Process Running PID: 2765

0 Active IPsec Tunnels

IPsec Interfaces :
eth0 (x.x.x.x)
can please help me what is the issue

lawrence.pan · March 20, 2016, 12:10pm

ankit.tekmindz:

Peer ID / IP Local ID / IP

x.x.x.x x.x.x.x
Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
------  -----  -------------  -------  ----    -----  ------  ------  -----
0       up     0.0/0.0        aes256   sha1_96 no     1080    1800    all
vyos@vr-1:~$ show vpn ipsec st
state status
vyos@vr-1:~$ show vpn ipsec statt

Invalid command: show vpn ipsec [statt]

vyos@vr-1:~$ show vpn ipsec status
IPSec Process Running PID: 2765

0 Active IPsec Tunnels

IPsec Interfaces :
eth0 (x.x.x.x)
can please help me what is the issue

Can show you configure ?