GRE/IPsec help between 2 VyOS routers

I am trying to set up GRE over IPsec with the following configuration, but it fails at some point.

show vpn remote-access
No active remote access VPN sessions

Configurations

configure
set system hostname LEFT
set interfaces dummy dum0
set interfaces dummy dum0 address 192.168.255.1/24
set interfaces ethernet eth0 address 10.255.255.1/30
set interfaces ethernet eth0 description 'Outside'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address 192.168.0.1/24
set interfaces ethernet eth1 description 'Inside'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 speed 'auto'
commit
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'internal-network'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range rang01 start '192.168.0.100'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range rang01 stop '192.168.0.254'

#=========================================================================
run generate vpn rsa-key bits 2048

#=========================================================================
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 10.255.255.1
set interfaces tunnel tun0 remote-ip 10.255.255.2
set interfaces tunnel tun0 address 10.10.10.1/30

## IPsec
set vpn ipsec ipsec-interfaces interface eth0

# IKE group
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'

# ESP group
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'

# IPsec tunnel
set vpn ipsec site-to-site peer 10.255.255.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 10.255.255.2 authentication pre-shared-secret MYSECRETKEY

set vpn ipsec site-to-site peer 10.255.255.2 ike-group MyIKEGroup
set vpn ipsec site-to-site peer 10.255.255.2 default-esp-group MyESPGroup

set vpn ipsec site-to-site peer 10.255.255.2 local-address 10.255.255.1

# This will match all GRE traffic to the peer
set vpn ipsec site-to-site peer 10.255.255.2 tunnel 1 protocol gre

#=========================================================================
set vpn rsa-keys rsa-key-name RIGHT rsa-key <PUBLIC KEY FROM THE RIGHT>

set vpn ipsec ipsec-interfaces interface eth0

set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1

set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1

set vpn ipsec site-to-site peer @RIGHT authentication mode rsa
set vpn ipsec site-to-site peer @RIGHT authentication rsa-key-name RIGHT
set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup
set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup
set vpn ipsec site-to-site peer @RIGHT local-address 10.255.255.1
set vpn ipsec site-to-site peer @RIGHT connection-type respond
set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.0.0/24
set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 172.16.1.0/24

########################################################################

configure
set system hostname RIGHT
set interfaces dummy dum0
set interfaces dummy dum0 address 192.168.100.1/24


set interfaces ethernet eth0 address 10.255.255.2/30
set interfaces ethernet eth0 description 'Outside'
#set interfaces ethernet eth0 duplex 'auto'
#set interfaces ethernet eth0 speed 'auto'

set interfaces ethernet eth1 address 172.16.1.1/24
set interfaces ethernet eth1 description 'Inside'
#set interfaces ethernet eth1 duplex 'auto'
#set interfaces ethernet eth1 speed 'auto'

commit



set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 default-router '172.16.1.1'
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 dns-server '172.16.1.1'
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 domain-name 'internal-network'
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 range rang01 start '172.16.1.100'
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 range rang01 stop '172.16.1.254'

======================================================================================================================================================================================================================
run generate vpn rsa-key bits 2048
rsa-key to /config/ipsec.d/rsa-keys/localhost.key

Your new local RSA key has been generated
The public portion of the key is:

0sAQO2335[long string here]

===========================================================================================================

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 10.255.255.2
set interfaces tunnel tun0 remote-ip 10.255.255.1
set interfaces tunnel tun0 address 10.10.10.2/30

## IPsec
set vpn ipsec ipsec-interfaces interface eth0

# IKE group
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'

# ESP group
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'

# IPsec tunnel
set vpn ipsec site-to-site peer 10.255.255.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 10.255.255.1 authentication pre-shared-secret MYSECRETKEY

set vpn ipsec site-to-site peer 10.255.255.1 ike-group MyIKEGroup
set vpn ipsec site-to-site peer 10.255.255.1 default-esp-group MyESPGroup

set vpn ipsec site-to-site peer 10.255.255.1 local-address 10.255.255.2

# This will match all GRE traffic to the peer
set vpn ipsec site-to-site peer 10.255.255.1 tunnel 1 protocol gre

===========================================================================================================

set vpn rsa-keys rsa-key-name LEFT rsa-key <PUBLIC KEY FROM THE RIGHT>

set vpn ipsec ipsec-interfaces interface eth0

set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1

set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1

set vpn ipsec site-to-site peer 10.255.255.1 authentication id @RIGHT
set vpn ipsec site-to-site peer 10.255.255.1 authentication mode rsa
set vpn ipsec site-to-site peer 10.255.255.1 authentication rsa-key-name LEFT
set vpn ipsec site-to-site peer 10.255.255.1 remote-id @LEFT
set vpn ipsec site-to-site peer 10.255.255.1 connection-type initiate
set vpn ipsec site-to-site peer 10.255.255.1 default-esp-group MyESPGroup
set vpn ipsec site-to-site peer 10.255.255.1 ike-group MyIKEGroup
set vpn ipsec site-to-site peer 10.255.255.1 local-address any
set vpn ipsec site-to-site peer 10.255.255.1 tunnel 1 local prefix 172.16.1.0/24
set vpn ipsec site-to-site peer 10.255.255.1 tunnel 1 remote prefix 192.168.0.0/24

Kindly help :slight_smile:

snap

After trying for the last 2 days, it seems I have got the tunnel up, but the 2 networks cannot ping each other.

show vpn ipsec state
src 10.255.255.1 dst 10.255.255.2
        proto esp spi 0xce62643e reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        auth-trunc hmac(sha1) 0x4afa9a95c78f0a6f49b57d35a2ac0aa75c9b877d 96
        enc cbc(aes) 0xffc9bddc5f632cb21c95ed5b0f91b5d8
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.255.255.2 dst 10.255.255.1
        proto esp spi 0xcfc2350b reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x775f96d948ff9f66422be64f46e81384b16c3a5d 96
        enc cbc(aes) 0x9b1cbc007ee0535f4efda8a9c8837a59
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.255.255.1 dst 10.255.255.2
        proto esp spi 0xcd8c9f9c reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        auth-trunc hmac(sha1) 0x4e74c46309860c14ee1445f1f82559fc8873000d 96
        enc cbc(aes) 0x74b999d442bea1b75bc38b7e8e1e9819
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.255.255.2 dst 10.255.255.1
        proto esp spi 0xc0a0da6b reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xfc6e37716b11df0a519af5e25bcc6a758ccfe7a8 96
        enc cbc(aes) 0x96059cba886f553f72e5186e688fd6aa
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
vyos@Left:~$
vyos@Left:~$
vyos@Left:~$
vyos@Left:~$
vyos@Left:~$ show vpn ipsec status
IPSec Process Running PID: 1669

1 Active IPsec Tunnels

IPsec Interfaces :
        eth0    (10.255.255.1)
vyos@Left:~$
vyos@Left:~$
vyos@Left:~$ show vpn ipsec sa
Connection           State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
peer-RIGHT-tunnel-1  up       8m40s     0B/0B           0/0               10.255.255.2      RIGHT        AES_CBC_128/HMAC_SHA1_96/MODP_1024
vyos@Left:~$
vyos@Left:~$
vyos@Left:~$
vyos@Left:~$

Bytes In/Out shows 0B/0B :confused:
Both right and left routers ping each other directly.

Should GRE/IPsec automatically route both local networks, or should routing be configured? My question seems really stupid :grimacing: but I just wanted to know.

Thanks and regards,
sd0

If you can ping the 10.10.10.x addresses, the tunnel is up. You need to add routes via the GRE interface (or use a dynamic routing protocol like OSPF).

Thank you for your reply.

Before the OSPF configuration I could only ping 10.10.10.x router to router.

After OSPF I can ping both PCs from each other, but a Wireshark capture between eth0 of both routers shows clear-text ICMP echo and reply.

I have not set protocols ospf area 0.0.0.0 network 10.255.255.0/30

Hi guys,

After pulling my hair out, I have reached a point where…

  • PC1 and PC2 can ping each other, as I have configured OSPF.
  • The tunnel traffic is unencrypted, as Wireshark captures show clear-text pings and OSPF hello packets :face_with_hand_over_mouth: :grimacing: :confused: — same as the above screenshot.

I am sharing the `show configuration commands` output of both my Left and Right routers.

LEFT
Left# run sh configuration commands
set interfaces dummy dum0 address '192.168.255.1/24'
set interfaces ethernet eth0 address '10.255.255.1/30'
set interfaces ethernet eth0 description 'Outside'
set interfaces ethernet eth0 hw-id '0c:0d:e2:57:0c:00'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 description 'Inside'
set interfaces ethernet eth1 hw-id '0c:0d:e2:57:0c:01'
set interfaces ethernet eth2 hw-id '0c:0d:e2:57:0c:02'
set interfaces loopback lo
set interfaces tunnel tun0 address '10.10.10.1/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '10.255.255.1'
set interfaces tunnel tun0 multicast 'disable'
set interfaces tunnel tun0 remote-ip '10.255.255.2'
set protocols ospf area 0.0.0.0 network '10.10.10.0/30'
set protocols ospf area 0.0.0.0 network '192.168.0.0/24'
set protocols ospf area 0.0.0.0 network '192.168.255.0/24'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'internal-network'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range rang01 start '192.168.0.100'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range rang01 stop '192.168.0.254'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'Left'
set system login user vyos authentication encrypted-password '$0000'
set system login user vyos authentication plaintext-password ''
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set vpn ipsec esp-group MyESPGroup compression 'disable'
set vpn ipsec esp-group MyESPGroup lifetime '3600'
set vpn ipsec esp-group MyESPGroup mode 'tunnel'
set vpn ipsec esp-group MyESPGroup pfs 'enable'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec ike-group MyIKEGroup close-action 'none'
set vpn ipsec ike-group MyIKEGroup ikev2-reauth 'no'
set vpn ipsec ike-group MyIKEGroup key-exchange 'ikev1'
set vpn ipsec ike-group MyIKEGroup lifetime '28800'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.255.255.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.255.255.2 authentication pre-shared-secret 'MYSECRETKEY'
set vpn ipsec site-to-site peer 10.255.255.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.255.255.2 default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer 10.255.255.2 ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer 10.255.255.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.255.255.2 local-address '10.255.255.1'
set vpn ipsec site-to-site peer 10.255.255.2 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 10.255.255.2 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 10.255.255.2 tunnel 1 protocol 'gre'
set vpn ipsec site-to-site peer @RIGHT authentication mode 'rsa'
set vpn ipsec site-to-site peer @RIGHT authentication rsa-key-name 'RIGHT'
set vpn ipsec site-to-site peer @RIGHT connection-type 'respond'
set vpn ipsec site-to-site peer @RIGHT default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer @RIGHT ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer @RIGHT ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer @RIGHT local-address '10.255.255.1'
set vpn ipsec site-to-site peer @RIGHT tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer @RIGHT tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix '172.16.1.0/24'
set vpn rsa-keys rsa-key-name RIGHT rsa-key '0sA==================================

Right
Right:~$ show configuration commands
set interfaces dummy dum0 address '192.168.100.1/24'
set interfaces ethernet eth0 address '10.255.255.2/30'
set interfaces ethernet eth0 description 'Outside'
set interfaces ethernet eth0 hw-id '0c:0d:e2:40:ba:00'
set interfaces ethernet eth1 address '172.16.1.1/24'
set interfaces ethernet eth1 description 'Inside'
set interfaces ethernet eth1 hw-id '0c:0d:e2:40:ba:01'
set interfaces ethernet eth2 hw-id '0c:0d:e2:40:ba:02'
set interfaces loopback lo
set interfaces tunnel tun0 address '10.10.10.2/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '10.255.255.2'
set interfaces tunnel tun0 multicast 'disable'
set interfaces tunnel tun0 remote-ip '10.255.255.1'
set protocols ospf area 0.0.0.0 network '10.10.10.0/30'
set protocols ospf area 0.0.0.0 network '172.16.1.0/24'
set protocols ospf area 0.0.0.0 network '192.168.100.0/24'
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 default-router '172.16.1.1'
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 dns-server '172.16.1.1'
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 domain-name 'internal-network'
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 range rang01 start '172.16.1.100'
set service dhcp-server shared-network-name LAN subnet 172.16.1.0/24 range rang01 stop '172.16.1.254'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'Right'
set system login user vyos authentication encrypted-password '$0000'
set system login user vyos authentication plaintext-password ''
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set vpn ipsec esp-group MyESPGroup compression 'disable'
set vpn ipsec esp-group MyESPGroup lifetime '3600'
set vpn ipsec esp-group MyESPGroup mode 'tunnel'
set vpn ipsec esp-group MyESPGroup pfs 'enable'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec ike-group MyIKEGroup close-action 'none'
set vpn ipsec ike-group MyIKEGroup ikev2-reauth 'no'
set vpn ipsec ike-group MyIKEGroup key-exchange 'ikev1'
set vpn ipsec ike-group MyIKEGroup lifetime '28800'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.255.255.1 authentication id '@RIGHT'
set vpn ipsec site-to-site peer 10.255.255.1 authentication mode 'rsa'
set vpn ipsec site-to-site peer 10.255.255.1 authentication pre-shared-secret 'MYSECRETKEY'
set vpn ipsec site-to-site peer 10.255.255.1 authentication rsa-key-name 'LEFT'
set vpn ipsec site-to-site peer 10.255.255.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.255.255.1 default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer 10.255.255.1 ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer 10.255.255.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.255.255.1 local-address 'any'
set vpn ipsec site-to-site peer 10.255.255.1 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 10.255.255.1 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 10.255.255.1 tunnel 1 local prefix '172.16.1.0/24'
set vpn ipsec site-to-site peer 10.255.255.1 tunnel 1 protocol 'gre'
set vpn ipsec site-to-site peer 10.255.255.1 tunnel 1 remote prefix '192.168.0.0/24'
set vpn rsa-keys rsa-key-name LEFT rsa-key '0=================

I appreciate your inputs.

Thanks and Regards,
Sd0

After reconfiguring from scratch, it worked…

