Facing this issue with site-to-site IPsec vpn

Hi Team,

I am facing the below issue with 1.2.6 and am keen to know if I am missing anything. I am setting up a simple site-to-site IPsec VPN between R7 and R8.
My prefixes are 192.168.47.0/24 from R7 end and 192.168.42.0/24 from R8 end

I have default gateway added on R6 and R9 pointing to R7 and R8 respectively.

vyos@R6:~$ show ip route static
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued route, r - rejected route

S>* 0.0.0.0/0 [1/0] via 10.10.20.49, eth1, 00:47:29

Now my tunnels at R7 and R8 are up.
However, when I try to ping from 192.168.47.48 to 192.168.42.48, my R7 says destination net unreachable.
Am I missing anything here? If local prefixes are not directly attached to the IPsec routers, do we need to add any routes?

Here is my R7 config

set vpn ipsec esp-group ESPG compression 'disable'
set vpn ipsec esp-group ESPG lifetime '3600'
set vpn ipsec esp-group ESPG mode 'tunnel'
set vpn ipsec esp-group ESPG pfs 'enable'
set vpn ipsec esp-group ESPG proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESPG proposal 1 hash 'sha256'
set vpn ipsec ike-group IKEG ikev2-reauth 'no'
set vpn ipsec ike-group IKEG key-exchange 'ikev1'
set vpn ipsec ike-group IKEG lifetime '28800'
set vpn ipsec ike-group IKEG proposal 1 dh-group '2'
set vpn ipsec ike-group IKEG proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKEG proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 100.1.1.48 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 100.1.1.48 authentication pre-shared-secret 'admin@123'
set vpn ipsec site-to-site peer 100.1.1.48 ike-group 'IKEG'
set vpn ipsec site-to-site peer 100.1.1.48 local-address '100.1.1.47'
set vpn ipsec site-to-site peer 100.1.1.48 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 100.1.1.48 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 100.1.1.48 tunnel 1 esp-group 'ESPG'
set vpn ipsec site-to-site peer 100.1.1.48 tunnel 1 local prefix '192.168.47.0/24'
set vpn ipsec site-to-site peer 100.1.1.48 tunnel 1 remote prefix '192.168.42.0/24'

set interfaces ethernet eth0 address '10.10.20.49/24'
set interfaces ethernet eth0 hw-id '00:0c:29:05:59:42'
set interfaces ethernet eth1 address '100.1.1.47/24'
set interfaces ethernet eth1 hw-id '00:0c:29:05:59:4c'
set interfaces loopback lo
set protocols static interface-route 192.168.42.0/24 next-hop-interface tun1
set protocols static route 192.168.47.0/24 next-hop 10.10.20.47

And my R8 config

set vpn ipsec esp-group ESPG compression 'disable'
set vpn ipsec esp-group ESPG lifetime '3600'
set vpn ipsec esp-group ESPG mode 'tunnel'
set vpn ipsec esp-group ESPG pfs 'enable'
set vpn ipsec esp-group ESPG proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESPG proposal 1 hash 'sha256'
set vpn ipsec ike-group IKEG ikev2-reauth 'no'
set vpn ipsec ike-group IKEG key-exchange 'ikev1'
set vpn ipsec ike-group IKEG lifetime '28800'
set vpn ipsec ike-group IKEG proposal 1 dh-group '2'
set vpn ipsec ike-group IKEG proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKEG proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 100.1.1.47 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 100.1.1.47 authentication pre-shared-secret 'admin@123'
set vpn ipsec site-to-site peer 100.1.1.47 ike-group 'IKEG'
set vpn ipsec site-to-site peer 100.1.1.47 local-address '100.1.1.48'
set vpn ipsec site-to-site peer 100.1.1.47 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 100.1.1.47 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 100.1.1.47 tunnel 1 esp-group 'ESPG'
set vpn ipsec site-to-site peer 100.1.1.47 tunnel 1 local prefix '192.168.42.0/24'
set vpn ipsec site-to-site peer 100.1.1.47 tunnel 1 remote prefix '192.168.47.0/24'

set interfaces ethernet eth0 address '100.1.1.48/24'
set interfaces ethernet eth0 hw-id '00:0c:29:b0:b6:27'
set interfaces ethernet eth1 address '10.10.11.48/24'
set interfaces ethernet eth1 hw-id '00:0c:29:b0:b6:31'
set interfaces loopback lo
set protocols static interface-route 192.168.47.0/24 next-hop-interface tun1
set protocols static route 192.168.42.0/24 next-hop 10.10.11.49

Do I need to add any routes on R7 and R8? However, my tunnels are up:

vyos@R7# run show vpn ipsec sa
Connection                State    Up          Bytes In/Out    Remote address    Remote ID    Proposal
------------------------  -------  ----------  --------------  ----------------  -----------  ---------------------------------------------------------
peer-100.1.1.48-tunnel-1  up       15 minutes  0B/0B           100.1.1.48        N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

on R8

vyos@R8# run show vpn ipsec sa
Connection                State    Up          Bytes In/Out    Remote address    Remote ID    Proposal
------------------------  -------  ----------  --------------  ----------------  -----------  ---------------------------------------------------------
peer-100.1.1.47-tunnel-1  up       15 minutes  0B/0B           100.1.1.47        N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
[edit]

These routes are not correct.
tun1 is used for tunnels like GRE/IP-IP or any tunnel interface configured in "set interfaces tunnel tun1".

As you use a policy-based VPN, you don't need to configure any routes.

If you want to configure static routes, you need to use VTI interfaces.

That one was added just for testing purposes. Even when the route was not there, I was not able to communicate between hosts.

Let me try removing the routes.

@Viacheslav As suspected, this is not working. My R7 does not know where to route those packets, and the policy VPN, even though it is up, is unable to communicate. Are there any debug commands? Or let me try capturing the packets on the other end.

Hello @blason

For correct routing between 192.168.47.48 and 192.168.42.48 you need to create interface tun1 on routers R7, R8.

R7:

set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '100.1.1.47'
set interfaces tunnel tun1 remote-ip '100.1.1.48'
set vpn ipsec site-to-site peer 100.1.1.48 tunnel 1 protocol 'gre'

R8:

set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '100.1.1.48'
set interfaces tunnel tun1 remote-ip '100.1.1.47'
set vpn ipsec site-to-site peer 100.1.1.47 tunnel 1 protocol 'gre'

Do not delete the route for the tunnel. This config works in the lab.

@RyVolodya Agreed, but in this case it would not be a policy-based VPN; it will be a route-based VPN. The concern here is: what if the opposite device does not support route-based VPN?

I guess policy-based VPN should work, as suggested by @Viacheslav.

Plus, if I follow this article, then policy-based VPN has to work. Definitely either I am missing something or I might have hit a bug?
https://docs.vyos.io/en/latest/configuration/vpn/site2site_ipsec.html

OK, is it because I had no default route present on R7 and R8? What I did here is I only had reverse routes present for 192.168.47.0/24 and 192.168.42.x on R7 and R8 respectively.

I just added a route on R7 as

[edit]
vyos@R7# set protocols static route 0.0.0.0/0 next-hop 100.1.1.48

And the same on R8, since I have no internet to simulate the scenario, and communication started happening. Can someone please simulate this in an actual internet environment and confirm? Please!!

Every 2.0s: /opt/vyatta/bin/vyatta-op-cmd-wrapper show vpn ipsec sa                                                                             Sun Jun 20 12:32:13 2021

Connection                State    Up       Bytes In/Out    Remote address    Remote ID    Proposal
------------------------  -------  -------  --------------  ----------------  -----------  ---------------------------------------------------------
peer-100.1.1.48-tunnel-1  up       2 hours  1K/1K           100.1.1.48        N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

It works! I tested it in a network lab. R7 and R8 connected to the Internet without NAT, only default routes.

Config R7:

set interfaces ethernet eth0 address '46.229.1.234/24'
set interfaces ethernet eth1 address '10.10.20.49/24'
set protocols static route 0.0.0.0/0 next-hop 46.229.1.1
set protocols static route 192.168.47.0/24 next-hop 10.10.20.47
set vpn ipsec esp-group ESPG compression 'disable'
set vpn ipsec esp-group ESPG lifetime '3600'
set vpn ipsec esp-group ESPG mode 'tunnel'
set vpn ipsec esp-group ESPG pfs 'enable'
set vpn ipsec esp-group ESPG proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESPG proposal 1 hash 'sha256'
set vpn ipsec ike-group IKEG ikev2-reauth 'no'
set vpn ipsec ike-group IKEG key-exchange 'ikev1'
set vpn ipsec ike-group IKEG lifetime '28800'
set vpn ipsec ike-group IKEG proposal 1 dh-group '2'
set vpn ipsec ike-group IKEG proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKEG proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 46.229.2.200 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 46.229.2.200 authentication pre-shared-secret 'admin@123'
set vpn ipsec site-to-site peer 46.229.2.200 ike-group 'IKEG'
set vpn ipsec site-to-site peer 46.229.2.200 local-address '46.229.1.234'
set vpn ipsec site-to-site peer 46.229.2.200 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 46.229.2.200 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 46.229.2.200 tunnel 1 esp-group 'ESPG'
set vpn ipsec site-to-site peer 46.229.2.200 tunnel 1 local prefix '192.168.47.0/24'
set vpn ipsec site-to-site peer 46.229.2.200 tunnel 1 remote prefix '192.168.42.0/24'

Config R8:

set interfaces ethernet eth0 address '46.229.2.200/24'
set interfaces ethernet eth1 address '10.10.11.48/24'
set protocols static route 0.0.0.0/0 next-hop 46.229.2.1
set protocols static route 192.168.42.0/24 next-hop 10.10.11.49
set vpn ipsec esp-group ESPG compression 'disable'
set vpn ipsec esp-group ESPG lifetime '3600'
set vpn ipsec esp-group ESPG mode 'tunnel'
set vpn ipsec esp-group ESPG pfs 'enable'
set vpn ipsec esp-group ESPG proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESPG proposal 1 hash 'sha256'
set vpn ipsec ike-group IKEG ikev2-reauth 'no'
set vpn ipsec ike-group IKEG key-exchange 'ikev1'
set vpn ipsec ike-group IKEG lifetime '28800'
set vpn ipsec ike-group IKEG proposal 1 dh-group '2'
set vpn ipsec ike-group IKEG proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKEG proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 46.229.1.234 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 46.229.1.234 authentication pre-shared-secret 'admin@123'
set vpn ipsec site-to-site peer 46.229.1.234 ike-group 'IKEG'
set vpn ipsec site-to-site peer 46.229.1.234 local-address '46.229.2.200'
set vpn ipsec site-to-site peer 46.229.1.234 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 46.229.1.234 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 46.229.1.234 tunnel 1 esp-group 'ESPG'
set vpn ipsec site-to-site peer 46.229.1.234 tunnel 1 local prefix '192.168.42.0/24'
set vpn ipsec site-to-site peer 46.229.1.234 tunnel 1 remote prefix '192.168.47.0/24'

@RyVolodya Thanks a lot, man, for simulating this environment. I really appreciate this.

Beware of a setup like this: if the IPsec tunnel is down, packets might flow unencrypted, which you won't notice, as you can still ping each other.
To simulate the internet, add a router in the middle having only connected routes.
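The two findings in this thread (R7 returns "destination net unreachable" until a default route exists even though the SA is up, and traffic silently leaks in cleartext once the tunnel goes down) both come from the order in which a Linux router handles a forwarded packet: the FIB lookup happens first, and only a packet that has a route gets compared against the XFRM (IPsec) policies. The following is an added Python model of that path, not code from the thread or from VyOS. It reuses the thread's R7 addresses and prefixes; the assumptions are that an IPsec connection going down removes its XFRM policy (a simplification; strongSwan can keep trap policies depending on configuration) and that a firewall rule matching only non-IPsec traffic to the remote prefix (for instance VyOS's `ipsec match-none`, or iptables `-m policy --dir out --pol none`, both assumed here rather than taken from the thread) is the guard against the leak.

```python
"""Model of the forwarding decision on a policy-based IPsec router (R7).

Order modelled (simplified):
  1. FIB lookup; no matching route -> ICMP "destination net unreachable"
  2. XFRM policy lookup on the (src, dst) selector
  3. Firewall rule that drops traffic to the remote prefix when no policy matched
  4. Matching policy -> ESP to the peer; otherwise cleartext via the FIB next hop
All routes, policies and addresses are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: IPv4Net
    next_hop: Optional[str] = None  # None for a connected route
    interface: str = ""


@dataclass
class XfrmPolicy:
    """Selector installed by IKE from 'local prefix' / 'remote prefix'."""
    src: IPv4Net
    dst: IPv4Net
    peer: str


@dataclass
class Router:
    routes: List[Route] = field(default_factory=list)
    policies: List[XfrmPolicy] = field(default_factory=list)
    # Remote prefixes protected by a "match non-IPsec traffic -> drop" firewall rule
    guard_prefixes: List[IPv4Net] = field(default_factory=list)

    def lookup_route(self, dst: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match; None means there is no route at all."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

    def lookup_policy(self, src, dst) -> Optional[XfrmPolicy]:
        return next((p for p in self.policies if src in p.src and dst in p.dst), None)

    def forward(self, src: str, dst: str) -> str:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        route = self.lookup_route(d)
        if route is None:
            # FIB miss comes before any XFRM lookup: the SA being "up" does not help
            return "icmp-net-unreachable"
        policy = self.lookup_policy(s, d)
        if policy is None and any(d in n for n in self.guard_prefixes):
            return "dropped-by-firewall"
        if policy is not None:
            return f"esp-to-{policy.peer}"
        # No policy and no guard: the packet follows the FIB in the clear
        return f"cleartext-via-{route.next_hop}"


def build_r7(default_route: bool, ipsec_up: bool, guard: bool) -> Router:
    """R7 as in the thread: LAN 192.168.47.0/24 behind 10.10.20.47, peer 100.1.1.48."""
    r = Router()
    r.routes += [
        Route(IPv4Net("10.10.20.0/24"), None, "eth0"),
        Route(IPv4Net("100.1.1.0/24"), None, "eth1"),
        Route(IPv4Net("192.168.47.0/24"), "10.10.20.47", "eth0"),
    ]
    if default_route:
        r.routes.append(Route(IPv4Net("0.0.0.0/0"), "100.1.1.48", "eth1"))
    if ipsec_up:  # assumption: policy present only while the connection is up
        r.policies.append(
            XfrmPolicy(IPv4Net("192.168.47.0/24"), IPv4Net("192.168.42.0/24"), "100.1.1.48")
        )
    if guard:  # hypothetical "ipsec match-none -> drop" rule for the remote prefix
        r.guard_prefixes.append(IPv4Net("192.168.42.0/24"))
    return r


def scenarios() -> dict:
    """Fate of a ping from 192.168.47.48 to 192.168.42.48 in the thread's four states."""
    src, dst = "192.168.47.48", "192.168.42.48"
    return {
        "no-default-route": build_r7(False, True, False).forward(src, dst),
        "default-route": build_r7(True, True, False).forward(src, dst),
        "tunnel-down": build_r7(True, False, False).forward(src, dst),
        "tunnel-down-guarded": build_r7(True, False, True).forward(src, dst),
    }


if __name__ == "__main__":
    for name, fate in scenarios().items():
        print(f"{name:22s} -> {fate}")
```

The "tunnel-down" case is the one the warning above is about: with a default route and no policy, the packet is neither rejected nor encrypted, so a ping still succeeds while crossing the transit network in the clear. A route-based design with a VTI, or the guard rule modelled here, turns that silent leak into a visible failure.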

That was just a test scenario.
