Dual-Stack IPSEC VPN Tunnel VTI - IPv6 Destination Unreachable

I have a site-to-site VPN tunnel setup between VyOS 1.4 RC3 and a Juniper SRX firewall. I’m binding to a VTI interface and have configured both a v4 and v6 address on the interface. V4 traffic is passing bi-directionally, however IPv6 traffic seems to be unidirectional - I can receive traffic from the SRX over the tunnel, but VyOS is showing the destination is unreachable - even though it is just the other side of the VTI P2P. Any idea how to get the traffic to be encapsulated on the VyOS side?

You can see that pings from the SRX (2602:XXX:9009::2) are received on the VTI interface, and the packet capture makes it seem like the ICMP echo requests are being placed on the tunnel, however ping is returning a destination unreachable (even though there is no response from the remote side as seen in the packet capture and the /64 is in the routing table). It seems like there is a valid route to the other side. Not sure where else to look.

$ ping 2602:XXX:9009::2
PING 2602:XXX:9009::2(2602:XXX:9009::2) 56 data bytes
From 2602:XXX:9009::1 icmp_seq=1 Destination unreachable: Address unreachable
From 2602:XXX:9009::1 icmp_seq=2 Destination unreachable: Address unreachable
From 2602:XXX:9009::1 icmp_seq=3 Destination unreachable: Address unreachable
From 2602:XXX:9009::1 icmp_seq=4 Destination unreachable: Address unreachable
From 2602:XXX:9009::1 icmp_seq=5 Destination unreachable: Address unreachable
^C
--- 2602:XXX:9009::2 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4133ms
$ sudo tcpdump -i vti1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vti1, link-type RAW (Raw IP), snapshot length 262144 bytes
02:09:12.969960 IP 100.64.0.1 > 100.64.0.2: ICMP echo request, id 39803, seq 1, length 64
02:09:12.984391 IP 100.64.0.2 > 100.64.0.1: ICMP echo reply, id 39803, seq 1, length 64
02:09:13.971592 IP 100.64.0.1 > 100.64.0.2: ICMP echo request, id 39803, seq 2, length 64
02:09:13.987230 IP 100.64.0.2 > 100.64.0.1: ICMP echo reply, id 39803, seq 2, length 64
02:09:14.973410 IP 100.64.0.1 > 100.64.0.2: ICMP echo request, id 39803, seq 3, length 64
02:09:14.988299 IP 100.64.0.2 > 100.64.0.1: ICMP echo reply, id 39803, seq 3, length 64
02:09:15.974628 IP 100.64.0.1 > 100.64.0.2: ICMP echo request, id 39803, seq 4, length 64
02:09:15.989096 IP 100.64.0.2 > 100.64.0.1: ICMP echo reply, id 39803, seq 4, length 64
02:09:33.966991 IP6 2602:XXX:9009::1 > 2602:XXX:9009::2: ICMP6, echo request, id 59006, seq 1, length 64
02:09:35.028110 IP6 2602:XXX:9009::1 > 2602:XXX:9009::2: ICMP6, echo request, id 59006, seq 2, length 64
02:09:36.051851 IP6 2602:XXX:9009::1 > 2602:XXX:9009::2: ICMP6, echo request, id 59006, seq 3, length 64
02:09:37.076072 IP6 2602:XXX:9009::1 > 2602:XXX:9009::2: ICMP6, echo request, id 59006, seq 4, length 64
02:09:38.099832 IP6 2602:XXX:9009::1 > 2602:XXX:9009::2: ICMP6, echo request, id 59006, seq 5, length 64
02:11:04.379633 IP6 2602:XXX:9009::2 > 2602:XXX:9009::1: ICMP6, echo request, id 19045, seq 0, length 16
02:11:04.383532 IP6 2602:XXX:9009::2 > 2602:XXX:9009::1: ICMP6, echo request, id 19045, seq 1, length 16
02:11:05.380419 IP6 2602:XXX:9009::2 > 2602:XXX:9009::1: ICMP6, echo request, id 19045, seq 2, length 16
02:11:06.379385 IP6 2602:XXX:9009::2 > 2602:XXX:9009::1: ICMP6, echo request, id 19045, seq 3, length 16
02:11:07.380227 IP6 2602:XXX:9009::2 > 2602:XXX:9009::1: ICMP6, echo request, id 19045, seq 4, length 16
02:11:08.379484 IP6 2602:XXX:9009::2 > 2602:XXX:9009::1: ICMP6, echo request, id 19045, seq 5, length 16
02:11:13.972279 IP6 2602:XXX:9009::2 > 2602:XXX:9009::1: ICMP6, echo request, id 19052, seq 0, length 16
02:11:13.978314 IP6 2602:XXX:9009::2 > 2602:XXX:9009::1: ICMP6, echo request, id 19052, seq 1, length 16
02:11:14.973556 IP6 2602:XXX:9009::2 > 2602:XXX:9009::1: ICMP6, echo request, id 19052, seq 2, length 16
02:11:15.974995 IP6 2602:XXX:9009::2 > 2602:XXX:9009::1: ICMP6, echo request, id 19052, seq 3, length 16
02:11:16.972923 IP6 2602:XXX:9009::2 > 2602:XXX:9009::1: ICMP6, echo request, id 19052, seq 4, length 16
$ show ipv6 route
Codes: K - kernel route, C - connected, S - static, R - RIPng,
       O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
       v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

C>* 2602:XXX:9009::/64 is directly connected, vti1, 02:16:07
C * fe80::/64 is directly connected, eth0, 02:16:06
C * fe80::/64 is directly connected, vti1, 02:16:07
C>* fe80::/64 is directly connected, lo, 02:16:08
$ show configuration commands
set interfaces ethernet eth0 address '144.x.x.177/23'
set interfaces loopback lo
set interfaces vti vti1 address '100.64.0.1/30'
set interfaces vti vti1 address '2602:XXX:9009::1/64'
set interfaces vti vti1 mtu '1400'
set protocols static route 0.0.0.0/0 next-hop 144.x.x.1
set service ntp server time1.vyos.net
set service ntp server time2.vyos.net
set service ntp server time3.vyos.net
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'usdal2-test-gw'
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
set vpn ipsec authentication psk USPFV1-SL id '74.x.x.47'
set vpn ipsec authentication psk USPFV1-SL id '144.x.x.177'
set vpn ipsec authentication psk USPFV1-SL secret 'xxxxxxxxxxxxxx'
set vpn ipsec esp-group JAA lifetime '3600'
set vpn ipsec esp-group JAA mode 'tunnel'
set vpn ipsec esp-group JAA pfs 'dh-group14'
set vpn ipsec esp-group JAA proposal 1 encryption 'aes256'
set vpn ipsec esp-group JAA proposal 1 hash 'sha256'
set vpn ipsec ike-group JAA close-action 'none'
set vpn ipsec ike-group JAA dead-peer-detection action 'restart'
set vpn ipsec ike-group JAA dead-peer-detection interval '15'
set vpn ipsec ike-group JAA dead-peer-detection timeout '30'
set vpn ipsec ike-group JAA key-exchange 'ikev1'
set vpn ipsec ike-group JAA lifetime '28800'
set vpn ipsec ike-group JAA proposal 1 dh-group '14'
set vpn ipsec ike-group JAA proposal 1 encryption 'aes256'
set vpn ipsec ike-group JAA proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec options
set vpn ipsec site-to-site peer USPFV1-SL authentication local-id '144.x.x.177'
set vpn ipsec site-to-site peer USPFV1-SL authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer USPFV1-SL authentication remote-id '74.x.x.47'
set vpn ipsec site-to-site peer USPFV1-SL ike-group 'JAA'
set vpn ipsec site-to-site peer USPFV1-SL local-address '144.x.x.177'
set vpn ipsec site-to-site peer USPFV1-SL remote-address '74.x.x.47'
set vpn ipsec site-to-site peer USPFV1-SL vti bind 'vti1'
set vpn ipsec site-to-site peer USPFV1-SL vti esp-group 'JAA'

Do you have the SRX set to flow based for V6?

https://supportportal.juniper.net/s/article/How-to-ping-the-IPV6-interface-on-SRX?language=en_US

Oh yes. V6 routing is working fine on the SRX. I have other tunnels with v6 and BGP working on the SRX. Just trying to get v6 working over this IPSEC tunnel. You can see the echo requests from the SRX making it to VyOS over the tunnel, but VyOS seems to think v6 over the tunnel is unreachable.
I’ll try to do a packet capture on the SRX side of the tunnel but I suspect it’s not receiving any v6 traffic from VyOS.

I guess Juniper doesn’t support packet captures on tunnel interfaces. Gah

Anyways ipv6 flow is enabled and other IPv6 stuff is working fine on the SRX side.

show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Tap mode: disabled (default)
    Enhanced route scaling mode: Disabled
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
    GTP-U distribution: Disabled
    SCTP distribution: Enabled
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware
  Flow power mode IPsec: Disabled
  Fat core group status: off
  Flow inline fpga crypto: Disabled

Got it sorted. Issue was Juniper was not liking VyOS including ::/0 in the SA - I guess Junos doesn’t support multiple prefixes in the SA. I was able to create a JUNOS config that has 2 SAs to a single VyOS IKE gateway. So one site-to-site tunnel configured on the VyOS side and 2 SAs configured on the Juniper side, one with a traffic selector of 0.0.0.0/0 and one with ::/0. Putting a sample JUNOS config below for others to reference if they encounter this in the future.

set security zones security-zone untrust interfaces st0.2
set security zones security-zone untrust interfaces st0.3
set interfaces st0 unit 2 family inet address 100.66.0.1/31
set interfaces st0 unit 3 family inet6 address 2001:db9::2/64
set security ipsec proposal FOO-VPN protocol esp
set security ipsec proposal FOO-VPN authentication-algorithm hmac-sha1-96
set security ipsec proposal FOO-VPN encryption-algorithm aes-256-cbc
set security ipsec proposal FOO-VPN lifetime-seconds 3600
set security ipsec policy FOO-VPN perfect-forward-secrecy keys group2
set security ipsec policy FOO-VPN proposals FOO-VPN
set security ike proposal FOO-VPN authentication-method pre-shared-keys
set security ike proposal FOO-VPN dh-group group2
set security ike proposal FOO-VPN encryption-algorithm aes-256-cbc
set security ike proposal FOO-VPN authentication-algorithm sha1
set security ike proposal FOO-VPN lifetime-seconds 28800
set security ike policy FOO-VPN proposals FOO-VPN
set security ike policy FOO-VPN pre-shared-key ascii-text #####
set security ike gateway FOO-VPN address 10.20.30.40
set security ike gateway FOO-VPN external-interface ae0.50
set security ike gateway FOO-VPN version v2-only
set security ike gateway FOO-VPN ike-policy FOO-VPN
set security ipsec vpn FOO-VPN ike gateway FOO-VPN
set security ipsec vpn FOO-VPN ike ipsec-policy FOO-VPN
set security ipsec vpn FOO-VPN bind-interface st0.2
set security ipsec vpn FOO-VPN ike gateway FOO-VPN
set security ipsec vpn FOO-VPN ike proxy-identity local 0.0.0.0/0
set security ipsec vpn FOO-VPN ike proxy-identity remote 0.0.0.0/0
set security ipsec vpn FOO-VPN ike ipsec-policy FOO-VPN
set security ipsec vpn FOO-VPN establish-tunnels immediately
set security ipsec vpn FOO-VPNv6 ike gateway FOO-VPN
set security ipsec vpn FOO-VPNv6 ike ipsec-policy FOO-VPN
set security ipsec vpn FOO-VPNv6 bind-interface st0.3
set security ipsec vpn FOO-VPNv6 ike gateway FOO-VPN
set security ipsec vpn FOO-VPNv6 ike proxy-identity local ::/0
set security ipsec vpn FOO-VPNv6 ike proxy-identity remote ::/0
set security ipsec vpn FOO-VPNv6 ike ipsec-policy FOO-VPN
set security ipsec vpn FOO-VPNv6 establish-tunnels immediately
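An added check (example code, not from this thread or from VyOS, strongSwan or Junos): given the child-SA selector lines on the VyOS side, it flags any child SA that mixes IPv4 and IPv6 selectors (the form this thread reports the Junos peer rejected) and shows which installed SA, if any, covers each VTI peer address being pinged. The SA listings are constructed samples and assume the shape of strongSwan's `swanctl --list-sas` child-SA output.

```python
import ipaddress
# Constructed samples in the shape of strongSwan's `swanctl --list-sas` child-SA
# lines (an assumption about the format; only `local`/`remote` selector lines are
# used). SAMPLE_MIXED is the 0.0.0.0/0 plus ::/0 form the thread's Junos peer rejected.
SAMPLE_MIXED = """\
  USPFV1-SL: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    local  0.0.0.0/0 ::/0
    remote 0.0.0.0/0 ::/0
"""
SAMPLE_SPLIT = """\
  USPFV1-SL: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    local  0.0.0.0/0
    remote 0.0.0.0/0
  USPFV1-SL: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    local  ::/0
    remote ::/0
"""

def parse_child_sas(text):
    """Return one dict per child SA with its local/remote traffic selectors."""
    sas = []
    for line in text.splitlines():
        parts = line.split()
        if "INSTALLED" in line and len(parts) >= 2:
            name = f"{parts[0].rstrip(':')} {parts[1].rstrip(',')}"
            sas.append({"name": name, "local": [], "remote": []})
        elif sas and parts and parts[0] in ("local", "remote"):
            try:
                sas[-1][parts[0]] = [ipaddress.ip_network(p) for p in parts[1:]]
            except ValueError:
                pass  # IKE-level local/remote identity lines are not selectors
    return sas

def mixed_family(sa):
    """True when a single child SA carries both IPv4 and IPv6 selectors."""
    return len({n.version for n in sa["local"] + sa["remote"]}) > 1

def covering_sa(sas, dst):
    """Name of the first child SA whose remote selectors cover dst, else None."""
    addr = ipaddress.ip_address(dst)
    for sa in sas:
        if any(addr in net for net in sa["remote"]):
            return sa["name"]
    return None

def report(text, destinations):
    """(child SAs with mixed-family selectors, destination -> covering SA or None)."""
    sas = parse_child_sas(text)
    mixed = [sa["name"] for sa in sas if mixed_family(sa)]
    return mixed, {d: covering_sa(sas, d) for d in destinations}
```

A destination that maps to None in the report has no installed child SA to carry it, so traffic for that family is dropped on this side rather than encapsulated.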