DMVPN using wrong IKE proposal

Chris735 · January 15, 2021, 11:05pm

I just set up two vyos router for DMVPN with the documented guide, but I’m unable to get the VPN up because of a seemingly proposal mismatch.

Both proposals in the config are the same, but the charon always uses proposals I don’t even have configured. See the log of the hub below.

Both routers are running version 1.2.6-S1.

Jan 15 23:50:48 vpngw01 charon[2789]: 10[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jan 15 23:50:48 vpngw01 charon[2789]: 10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

This is the configured IKE and ESP Proposal on the Hub:

esp-group ESP-HUB {
compression disable
lifetime 28800
mode tunnel
pfs dh-group14
proposal 1 {
encryption aes128
hash sha1
}
proposal 2 {
encryption aes256
hash sha256
}
}
ike-group IKE-HUB {
close-action none
ikev2-reauth no
key-exchange ikev1
lifetime 3600
proposal 1 {
dh-group 14
encryption aes128
hash sha1
}
proposal 2 {
dh-group 14
encryption aes256
hash sha256
}
}

Any ideas what could cause this issue?

Dmitry · January 16, 2021, 7:21am

Hello @Chris735, can you share with me, what exactly manual are you using?
I am wondering, why do you use mode tunnel but not transport.
Can you provide an output of the commands from both routers?

show configuration commands | match vpn

Chris735 · January 16, 2021, 10:43am

Hello @Dmitry , thanks for your reply!
I’m using the configuration example from: https://docs.vyos.io/en/crux/appendix/examples/dmvpn.html

I only changed the encryption, hash and lifetime in the ESP and IKE groups. Both are binded to the tunnel interface tun0 and should match.

Here’s the output of both routers:

Hub

set vpn ipsec esp-group ESP compression ‘disable’
set vpn ipsec esp-group ESP lifetime ‘3600’
set vpn ipsec esp-group ESP mode ‘transport’
set vpn ipsec esp-group ESP pfs ‘enable’
set vpn ipsec esp-group ESP proposal 1 encryption ‘aes256’
set vpn ipsec esp-group ESP proposal 1 hash ‘sha1’
> set vpn ipsec esp-group ESP-HUB compression 'disable’
> set vpn ipsec esp-group ESP-HUB lifetime '28800’
> set vpn ipsec esp-group ESP-HUB mode 'tunnel’
> set vpn ipsec esp-group ESP-HUB pfs 'dh-group14’
> set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes128’
> set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1’
> set vpn ipsec esp-group ESP-HUB proposal 2 encryption 'aes256’
> set vpn ipsec esp-group ESP-HUB proposal 2 hash 'sha256’
set vpn ipsec esp-group ESP_AES256_SHA256 compression ‘disable’
set vpn ipsec esp-group ESP_AES256_SHA256 lifetime ‘3600’
set vpn ipsec esp-group ESP_AES256_SHA256 mode ‘transport’
set vpn ipsec esp-group ESP_AES256_SHA256 pfs ‘dh-group14’
set vpn ipsec esp-group ESP_AES256_SHA256 proposal 1 encryption ‘aes256’
set vpn ipsec esp-group ESP_AES256_SHA256 proposal 1 hash ‘sha256’
set vpn ipsec ike-group IKE close-action ‘none’
set vpn ipsec ike-group IKE ikev2-reauth ‘no’
set vpn ipsec ike-group IKE key-exchange ‘ikev2’
set vpn ipsec ike-group IKE lifetime ‘28800’
set vpn ipsec ike-group IKE proposal 1 dh-group ‘14’
set vpn ipsec ike-group IKE proposal 1 encryption ‘aes256’
set vpn ipsec ike-group IKE proposal 1 hash ‘sha1’
> set vpn ipsec ike-group IKE-HUB close-action 'none’
> set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no’
> set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1’
> set vpn ipsec ike-group IKE-HUB lifetime '3600’
> set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '14’
> set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes128’
> set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1’
> set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '14’
> set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes256’
> set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha256’
set vpn ipsec ike-group IKE_AES256_SHA256 close-action ‘none’
set vpn ipsec ike-group IKE_AES256_SHA256 dead-peer-detection action ‘restart’
set vpn ipsec ike-group IKE_AES256_SHA256 dead-peer-detection interval ‘30’
set vpn ipsec ike-group IKE_AES256_SHA256 dead-peer-detection timeout ‘120’
set vpn ipsec ike-group IKE_AES256_SHA256 ikev2-reauth ‘no’
set vpn ipsec ike-group IKE_AES256_SHA256 key-exchange ‘ikev2’
set vpn ipsec ike-group IKE_AES256_SHA256 lifetime ‘28800’
set vpn ipsec ike-group IKE_AES256_SHA256 proposal 1 dh-group ‘14’
set vpn ipsec ike-group IKE_AES256_SHA256 proposal 1 encryption ‘aes256’
set vpn ipsec ike-group IKE_AES256_SHA256 proposal 1 hash ‘sha256’
set vpn ipsec ipsec-interfaces interface ‘eth0’
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal ‘enable’
> set vpn ipsec profile DMVPN authentication mode 'pre-shared-secret’
> set vpn ipsec profile DMVPN authentication pre-shared-secret '’
> set vpn ipsec profile DMVPN bind tunnel 'tun0’
> set vpn ipsec profile DMVPN esp-group 'ESP-HUB’
> set vpn ipsec profile DMVPN ike-group 'IKE-HUB’
set vpn ipsec site-to-site peer ****** authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer ****** authentication pre-shared-secret '****’
set vpn ipsec site-to-site peer ****** authentication remote-id ‘192.168.2.2’
set vpn ipsec site-to-site peer ****** connection-type ‘initiate’
set vpn ipsec site-to-site peer ****** ike-group ‘IKE’
set vpn ipsec site-to-site peer ****** ikev2-reauth ‘inherit’
set vpn ipsec site-to-site peer ****** local-address ‘x.x.x.211’
set vpn ipsec site-to-site peer ****** tunnel 0 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer ****** tunnel 0 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer ****** tunnel 0 esp-group ‘ESP’
set vpn ipsec site-to-site peer ****** tunnel 0 local prefix ‘172.16.1.0/24’
set vpn ipsec site-to-site peer ****** tunnel 0 remote prefix ‘192.168.178.0/24’
set vpn ipsec site-to-site peer ****** tunnel 1 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer ****** tunnel 1 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer ****** tunnel 1 esp-group ‘ESP’
set vpn ipsec site-to-site peer ****** tunnel 1 local prefix ‘172.16.1.0/24’
set vpn ipsec site-to-site peer ****** tunnel 1 remote prefix ‘192.168.10.0/24’

Spoke

set vpn ipsec esp-group ESP-SPOKE compression ‘disable’
set vpn ipsec esp-group ESP-SPOKE lifetime ‘28800’
set vpn ipsec esp-group ESP-SPOKE mode ‘tunnel’
set vpn ipsec esp-group ESP-SPOKE pfs ‘dh-group14’
set vpn ipsec esp-group ESP-SPOKE proposal 1 encryption ‘aes128’
set vpn ipsec esp-group ESP-SPOKE proposal 1 hash ‘sha1’
set vpn ipsec esp-group ESP-SPOKE proposal 2 encryption ‘aes256’
set vpn ipsec esp-group ESP-SPOKE proposal 2 hash ‘sha256’
set vpn ipsec ike-group IKE-SPOKE close-action ‘none’
set vpn ipsec ike-group IKE-SPOKE ikev2-reauth ‘no’
set vpn ipsec ike-group IKE-SPOKE key-exchange ‘ikev1’
set vpn ipsec ike-group IKE-SPOKE lifetime ‘3600’
set vpn ipsec ike-group IKE-SPOKE proposal 1 dh-group ‘14’
set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption ‘aes128’
set vpn ipsec ike-group IKE-SPOKE proposal 1 hash ‘sha1’
set vpn ipsec ike-group IKE-SPOKE proposal 2 dh-group ‘14’
set vpn ipsec ike-group IKE-SPOKE proposal 2 encryption ‘aes256’
set vpn ipsec ike-group IKE-SPOKE proposal 2 hash ‘sha256’
set vpn ipsec profile DMVPN authentication mode ‘pre-shared-secret’
set vpn ipsec profile DMVPN authentication pre-shared-secret ‘******’
set vpn ipsec profile DMVPN bind tunnel ‘tun0’
set vpn ipsec profile DMVPN esp-group ‘ESP-SPOKE’
set vpn ipsec profile DMVPN ike-group ‘IKE-SPOKE’

Dmitry · January 18, 2021, 1:56pm

Hello @Chris735, I tested your topology in our lab, and it works without issues on 1.2.6-S1. Did you build VyOS from source code? Can you provide an output of the command

show version

Chris735 · January 18, 2021, 8:06pm

Hello Dimitry,

I used the official 1.2.6-S1 build that I got from my Patreon pledge.
Here’s the output of show version:

Version: VyOS 1.2.6-S1
Release Train: crux

Built by: Sentrium S.L.
Built on: Sun 27 Sep 2020 09:55 UTC
Build UUID: 4a20b12e-2669-4670-975e-1f35cfb3548d
Build Commit ID: 706d01f247bb83

Architecture: x86_64
Boot via: installed image
System type: VMware guest

Hardware vendor: VMware, Inc.
Hardware model: VMware Virtual Platform
Hardware S/N: VMware-56 4d bf bf 69 f0 8c 99-c3 26 fb 98 7f 85 f6 15
Hardware UUID: 564dbfbf-69f0-8c99-c326-fb987f85f615

Copyright: VyOS maintainers and contributors

I already tried reinstalling the VM and importing the config. The issue still persists.
Only DMVPN seems to have the issue. My other configured Site to Site VPN works as intended.

I have tested my configuration on another router running 1.2.6-S1 the issue doesn’t seem to appear here. The DMVPN Tunnel establishes without any problems.

Dmitry · January 19, 2021, 6:17am

Hello @Chris735,

Do you have HUB or spoke behind the NAT?
Also, I’m not sure that CLI allows you to use transport mode for site-to-site connection if you configure tunnels. Try to set on HUB site:

set vpn ipsec esp-group ESP mode tunnel
set vpn ipsec esp-group ESP-HUB mode transport
commit

On Spoke site:

set vpn ipsec esp-group ESP-SPOKE mode transport
commit