Hi All,
I am trying to set up a spoke behind a NAT router that handles the PPPoE authentication. The Hub does its own NAT and has a public IP on the interface, whereas the spoke has a 192.168.16.100/24 address. It seems that the spoke is able to set up the tunnel, but it breaks instantly. The spokes that have a public IP on the WAN, and thus don't traverse NAT, work without a problem… so I am not sure what is going on. Here are the following errors when doing ipsec debug:
VPN-IPSEC: 07[IKE] <dmvpn-NHRPVPN-tun0|52> initiating Main Mode IKE_SA dmvpn-NHRPVPN-tun0[52] to WAN_IP_HUB
VPN-IPSEC: 07[ENC] <dmvpn-NHRPVPN-tun0|52> generating ID_PROT request 0 [ SA V V V V V ]
VPN-IPSEC: 07[NET] <dmvpn-NHRPVPN-tun0|52> sending packet: from 192.168.16.100[500] to WAN_IP_HUB[500] (184 bytes)
VPN-IPSEC: 09[NET] <dmvpn-NHRPVPN-tun0|52> received packet: from WAN_IP_HUB[500] to 192.168.16.100[500] (164 bytes)
VPN-IPSEC: 09[ENC] <dmvpn-NHRPVPN-tun0|52> parsed ID_PROT response 0 [ SA V V V V ]
VPN-IPSEC: 09[IKE] <dmvpn-NHRPVPN-tun0|52> received XAuth vendor ID
VPN-IPSEC: 09[IKE] <dmvpn-NHRPVPN-tun0|52> received DPD vendor ID
VPN-IPSEC: 09[IKE] <dmvpn-NHRPVPN-tun0|52> received FRAGMENTATION vendor ID
VPN-IPSEC: 09[IKE] <dmvpn-NHRPVPN-tun0|52> received NAT-T (RFC 3947) vendor ID
VPN-IPSEC: 09[CFG] <dmvpn-NHRPVPN-tun0|52> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
VPN-IPSEC: 09[ENC] <dmvpn-NHRPVPN-tun0|52> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
VPN-IPSEC: 09[NET] <dmvpn-NHRPVPN-tun0|52> sending packet: from 192.168.16.100[500] to WAN_IP_HUB[500] (652 bytes)
VPN-IPSEC: 07[NET] <dmvpn-NHRPVPN-tun0|52> received packet: from WAN_IP_HUB[500] to 192.168.16.100[500] (652 bytes)
VPN-IPSEC: 07[ENC] <dmvpn-NHRPVPN-tun0|52> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
VPN-IPSEC: 07[IKE] <dmvpn-NHRPVPN-tun0|52> local host is behind NAT, sending keep alives
VPN-IPSEC: 07[ENC] <dmvpn-NHRPVPN-tun0|52> generating ID_PROT request 0 [ ID HASH ]
VPN-IPSEC: 07[NET] <dmvpn-NHRPVPN-tun0|52> sending packet: from 192.168.16.100[4500] to WAN_IP_HUB[4500] (92 bytes)
VPN-IPSEC: 16[NET] <dmvpn-NHRPVPN-tun0|52> received packet: from WAN_IP_HUB[4500] to 192.168.16.100[4500] (92 bytes)
VPN-IPSEC: 16[ENC] <dmvpn-NHRPVPN-tun0|52> parsed ID_PROT response 0 [ ID HASH ]
VPN-IPSEC: 16[IKE] <dmvpn-NHRPVPN-tun0|52> IKE_SA dmvpn-NHRPVPN-tun0[52] established between 192.168.16.100[192.168.16.100]…WAN_IP_HUB[WAN_IP_HUB]
VPN-IPSEC: 16[IKE] <dmvpn-NHRPVPN-tun0|52> scheduling rekeying in 78903s
VPN-IPSEC: 16[IKE] <dmvpn-NHRPVPN-tun0|52> maximum IKE_SA lifetime 87543s
VPN-IPSEC: 16[ENC] <dmvpn-NHRPVPN-tun0|52> generating QUICK_MODE request 419441650 [ HASH SA No KE ID ID ]
VPN-IPSEC: 16[NET] <dmvpn-NHRPVPN-tun0|52> sending packet: from 192.168.16.100[4500] to WAN_IP_HUB[4500] (700 bytes)
VPN-IPSEC: 07[NET] <dmvpn-NHRPVPN-tun0|52> received packet: from WAN_IP_HUB[4500] to 192.168.16.100[4500] (92 bytes)
VPN-IPSEC: 07[ENC] <dmvpn-NHRPVPN-tun0|52> parsed INFORMATIONAL_V1 request 3920800677 [ HASH N(INVAL_ID) ]
VPN-IPSEC: 07[IKE] <dmvpn-NHRPVPN-tun0|52> received INVALID_ID_INFORMATION error notify
VPN-IPSEC: 09[IKE] <dmvpn-NHRPVPN-tun0|55> sending keep alive to WAN_IP_HUB[4500]
VPN-IPSEC: 11[NET] <dmvpn-NHRPVPN-tun0|55> received packet: from WAN_IP_HUB[4500] to 192.168.16.100[4500] (108 bytes)
Hope someone is able to point me in the right direction so I can make this work.
All nodes running VyOS 1.3.0-rc6.
Thanks!