Facing Tunnel issue with PAN

Hi Team,

I am using VyOS 1.3.x and on the opposite end we have a PAN. I am facing an issue with the S2S tunnel. Has anyone configured a tunnel with a PAN? On the VyOS end I configured a policy-based tunnel, while on the PAN end the tunnel is by default configured as route-based. Can this cause an issue?

I even tried configuring the tunnel on VyOS as route-based; however, IPsec was up but traffic was not passing. Here is the topology:

On VyOS end
Encryption domain: 10.10.10.0/24
Vyos Public IP: 1.2.3.4
VyOS LAN IP: 10.10.10.1/24
VyOS vti0: 169.254.254.1/30

PAN end
Encryption domain: 192.168.10.0/24
PAN Public IP: 4.5.6.7
PAN LAN IP: 192.168.10.1/24
PAN tunnel.127: 169.254.254.2

So on the PAN the administrator added three routes:
10.10.10.0/24 NH 169.254.254.1
169.254.254.1 NH Tun.127

On the VyOS end:
192.168.10.0/24 NH 169.254.254.2
169.254.254.2 Interface-route vti0

However, as I said, IPsec is up but I am unable to reach 192.168.10.x, and when I try to ping 169.254.254.2 from VyOS I see "destination host unreachable" from 169.254.254.1.

Can someone please help?

If you use a route-based VPN, use a VTI interface on VyOS.
If you use a policy-based VPN, use proxy IDs on the PAN.
You can see the result of the IPsec phases with the show vpn commands.

Now what I noticed is that only the phase 2 tunnel goes down, once a day.

What information do you see in the logs when this happens?
sudo journalctl -b | grep charon
Try to use tunnel monitoring on the PAN.

I guess we added proxy IDs, and it seems the tunnel is stable. Let me observe for a day or two.

Thanks a lot for your help.

Hi Team,

For a few days it was up without any issues. However, for the last 2 days the tunnel has started dropping randomly again. Here is the message from when it went down.

xx.xx.5.250 is the PAN IP

Jul 28 03:06:33 vyos-1.3.2 charon[4991]: 05[ENC] <peer-xx.xx.5.250-tunnel-5|25> generating INFORMATIONAL response 401 [ ]
Jul 28 03:06:33 vyos-1.3.2 charon[4991]: 05[NET] <peer-xx.xx.5.250-tunnel-5|25> sending packet: from xx.xx.6.226[500] to xx.xx.5.250[500] (80 bytes)
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 08[KNL] creating rekey job for CHILD_SA ESP/0xce01e286/xx.xx.6.226
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 08[IKE] <peer-xx.xx.5.250-tunnel-5|25> establishing CHILD_SA peer-xx.xx.5.250-tunnel-5{101} reqid 1
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 08[ENC] <peer-xx.xx.5.250-tunnel-5|25> generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No KE TSi TSr ]
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 08[NET] <peer-xx.xx.5.250-tunnel-5|25> sending packet: from xx.xx.6.226[500] to xx.xx.5.250[500] (416 bytes)
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[NET] <peer-xx.xx.5.250-tunnel-5|25> received packet: from xx.xx.5.250[500] to xx.xx.6.226[500] (80 bytes)
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[ENC] <peer-xx.xx.5.250-tunnel-5|25> parsed INFORMATIONAL request 402 [ D ]
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[IKE] <peer-xx.xx.5.250-tunnel-5|25> received DELETE for ESP CHILD_SA with SPI d0317465
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[IKE] <peer-xx.xx.5.250-tunnel-5|25> closing CHILD_SA peer-xx.xx.5.250-tunnel-5{100} with SPIs ce01e286_i (4777754 bytes) d0317465_o (660832 bytes) and TS 10.122.0.0/20 === 172.16.2.61/32
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[IKE] <peer-xx.xx.5.250-tunnel-5|25> sending DELETE for ESP CHILD_SA with SPI ce01e286
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[IKE] <peer-xx.xx.5.250-tunnel-5|25> CHILD_SA closed
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[IKE] <peer-xx.xx.5.250-tunnel-5|25> detected CHILD_REKEY collision with CHILD_DELETE
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[ENC] <peer-xx.xx.5.250-tunnel-5|25> generating INFORMATIONAL response 402 [ D ]
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[NET] <peer-xx.xx.5.250-tunnel-5|25> sending packet: from xx.xx.6.226[500] to xx.xx.5.250[500] (80 bytes)
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[NET] <peer-xx.xx.5.250-tunnel-5|25> received packet: from xx.xx.5.250[500] to xx.xx.6.226[500] (416 bytes)
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[ENC] <peer-xx.xx.5.250-tunnel-5|25> parsed CREATE_CHILD_SA response 0 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[IKE] <peer-xx.xx.5.250-tunnel-5|25> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[CFG] <peer-xx.xx.5.250-tunnel-5|25> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[IKE] <peer-xx.xx.5.250-tunnel-5|25> inbound CHILD_SA peer-xx.xx.5.250-tunnel-5{101} established with SPIs cdd5c13a_i 8f8b3dda_o and TS 10.122.0.0/20 === 172.16.2.61/32
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[IKE] <peer-xx.xx.5.250-tunnel-5|25> CHILD_SA rekey/delete collision, deleting redundant child peer-124.124.5.250-tunnel-5{101}
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[IKE] <peer-xx.xx.5.250-tunnel-5|25> closing CHILD_SA peer-xx.xx.5.250-tunnel-5{101} with SPIs cdd5c13a_i (0 bytes) 8f8b3dda_o (0 bytes) and TS 10.122.0.0/20 === 172.16.2.61/32
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[IKE] <peer-xx.xx.5.250-tunnel-5|25> sending DELETE for ESP CHILD_SA with SPI cdd5c13a
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[ENC] <peer-xx.xx.5.250-tunnel-5|25> generating INFORMATIONAL request 1 [ D ]
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[NET] <peer-xx.xx.5.250-tunnel-5|25> sending packet: from xx.xx.6.226[500] to xx.xx.5.250[500] (80 bytes)
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 09[NET] <peer-xx.xx.5.250-tunnel-5|25> received packet: from xx.xx.5.250[500] to xx.xx.6.226[500] (80 bytes)
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 09[ENC] <peer-xx.xx.5.250-tunnel-5|25> parsed INFORMATIONAL response 1 [ D ]
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 09[IKE] <peer-xx.xx.5.250-tunnel-5|25> received DELETE for ESP CHILD_SA with SPI 8f8b3dda
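As an added example (not from this thread or from VyOS), a small Python parser for charon lines of the kind shown above: it tracks which CHILD_SAs were established and closed per IKE_SA, counts the rekey/delete collision messages, and flags a connection whose CHILD_SAs were all closed with none left, which is the state where IKE is still up but no traffic passes. The sample input is a subset of the post's own log with the wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Sample input: lines from the charon output in the post above, wrapped lines rejoined.
SAMPLE_LOG = """\
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 08[KNL] creating rekey job for CHILD_SA ESP/0xce01e286/xx.xx.6.226
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[IKE] <peer-xx.xx.5.250-tunnel-5|25> received DELETE for ESP CHILD_SA with SPI d0317465
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[IKE] <peer-xx.xx.5.250-tunnel-5|25> closing CHILD_SA peer-xx.xx.5.250-tunnel-5{100} with SPIs ce01e286_i (4777754 bytes) d0317465_o (660832 bytes) and TS 10.122.0.0/20 === 172.16.2.61/32
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[IKE] <peer-xx.xx.5.250-tunnel-5|25> detected CHILD_REKEY collision with CHILD_DELETE
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[IKE] <peer-xx.xx.5.250-tunnel-5|25> inbound CHILD_SA peer-xx.xx.5.250-tunnel-5{101} established with SPIs cdd5c13a_i 8f8b3dda_o and TS 10.122.0.0/20 === 172.16.2.61/32
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[IKE] <peer-xx.xx.5.250-tunnel-5|25> CHILD_SA rekey/delete collision, deleting redundant child peer-xx.xx.5.250-tunnel-5{101}
Jul 28 03:06:35 vyos-1.3.2 charon[4991]: 10[IKE] <peer-xx.xx.5.250-tunnel-5|25> closing CHILD_SA peer-xx.xx.5.250-tunnel-5{101} with SPIs cdd5c13a_i (0 bytes) 8f8b3dda_o (0 bytes) and TS 10.122.0.0/20 === 172.16.2.61/32
"""

CONN_RE = re.compile(r"<(?P<conn>[^|>]+)\|\d+>")  # IKE_SA tag: <connection-name|unique-id>
EST_RE = re.compile(r"CHILD_SA [^{\s]+\{(?P<cid>\d+)\} established with SPIs "
                    r"(?P<spi_i>[0-9a-f]+)_i (?P<spi_o>[0-9a-f]+)_o and TS (?P<ts>.+)$")
CLOSE_RE = re.compile(r"closing CHILD_SA [^{\s]+\{(?P<cid>\d+)\} with SPIs "
                      r"(?P<spi_i>[0-9a-f]+)_i \((?P<bi>\d+) bytes\) "
                      r"(?P<spi_o>[0-9a-f]+)_o \((?P<bo>\d+) bytes\) and TS (?P<ts>.+)$")
COLLISION_RE = re.compile(r"CHILD_REKEY collision with CHILD_DELETE|rekey/delete collision")

def analyze(log_text):
    """Per IKE_SA: live CHILD_SA ids, collision count, closed children and bytes they carried."""
    report = defaultdict(lambda: {"active": set(), "collisions": 0, "closed": [], "traffic_bytes": 0})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # KNL/NET lines without an IKE_SA tag carry nothing we track here
        st = report[m.group("conn")]
        est, closed = EST_RE.search(line), CLOSE_RE.search(line)
        if est:
            st["active"].add(est.group("cid"))
        elif closed:
            st["active"].discard(closed.group("cid"))
            st["traffic_bytes"] += int(closed.group("bi")) + int(closed.group("bo"))
            st["closed"].append((closed.group("cid"), closed.group("ts")))
        elif COLLISION_RE.search(line):
            st["collisions"] += 1
    return dict(report)

def tunnels_without_child_sa(report):
    """Connections that closed a CHILD_SA and have none left: IKE up, but no ESP to carry traffic."""
    return sorted(conn for conn, st in report.items() if st["closed"] and not st["active"])
```

Feed it the output of the journalctl command suggested earlier (sudo journalctl -b | grep charon) instead of SAMPLE_LOG to check a live box; on the sample, both {100} and {101} end up closed, so the connection is reported as having no CHILD_SA.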

Can you show your VPN configuration on both sides? Maybe it is a collision with a connection-type.

What exactly is a collision with a connection-type?

Here is mine:

set vpn ipsec auto-update '60'
set vpn ipsec esp-group uxxx-ixx-esp compression 'disable'
set vpn ipsec esp-group uxxx-ixx-esp lifetime '3600'
set vpn ipsec esp-group uxxx-ixx-esp mode 'tunnel'
set vpn ipsec esp-group uxxx-ixx-esp pfs 'dh-group5'
set vpn ipsec esp-group uxxx-ixx-esp proposal 11 encryption 'aes256'
set vpn ipsec esp-group uxxx-ixx-esp proposal 11 hash 'sha256'
set vpn ipsec ike-group uxxx-ixxx-ike close-action 'none'
set vpn ipsec ike-group uxxx-ixxx-ike ikev2-reauth 'no'
set vpn ipsec ike-group uxxx-ixxx-ike key-exchange 'ikev2'
set vpn ipsec ike-group uxxx-ixxx-ike lifetime '28800'
set vpn ipsec ike-group uxxx-ixxx-ike proposal 11 dh-group '5'
set vpn ipsec ike-group uxxx-ixxx-ike proposal 11 encryption 'aes256'
set vpn ipsec ike-group uxxx-ixxx-ike proposal 11 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer xxxxx.tld authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxxxx.tld authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer xxxxx.tld authentication remote-id 'xxx.xxx.5.250'
set vpn ipsec site-to-site peer xxxxx.tld connection-type 'initiate'
set vpn ipsec site-to-site peer xxxxx.tld ike-group 'uxxx-ixxx-ike'
set vpn ipsec site-to-site peer xxxxx.tld ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxxxx.tld local-address 'xxx.xxx.6.226'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 5 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 5 allow-public-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 5 esp-group 'uxxx-ixx-esp'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 5 local prefix 'xxx.xxx.0.0/20'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 5 remote prefix 'xxx.xxx.2.61/32'

It looks like everything is OK. If you haven't had any network issues between these routers, check PFS and lifetime on both sides.

Try to use DPD on the VyOS side. Try to use liveness check and tunnel monitoring on the PA side.