GRE over IPSEC CPE (Dynamic IP)

Hello,

I'm doing many weird setups, especially behind dynamic IPs, finding ways of tunnelling across (excluding DMVPN, as opennhrp doesn't support IPv6 mapping). However, I pulled up a KB for GRE over IPsec using loopback and RSA keys, but I removed the RSA keys, changed it to PSK, then the peer from ID to 0.0.0.0; the rest is the same. Now the IPsec SAs negotiate perfectly fine; doing 'show vpn ipsec sa' shows the CPE looks all culture. This is where my brain is being toasted: I can ping the loopbacks CPE to headend and vice versa, but when pinging the tunnel interface the network is unreachable. Environment is labbed using 1.3 VyOS and EVE-NG; both routers are VyOS. Trying to get that to work, then I can move on to making a Cisco config.

P.S. Been at this since 1pm; now it is 6:03am UK lol

Thanks

Update
Between VyOS and Cisco router, the IPsec SA is established fine without remote and local prefixes. However, specifying set vpn ipsec site-to-site 0.0.0.0 tunnel <id> protocol gre doesn't allow any tunnel traffic but keeps the IPsec tunnel. If I were to specify local and remote subnets, Phase 1 just fails entirely.

To make something of this thread, you have to post some actual configs and logs.

I always liked Cisco IPsec debug logging.

I can post both XE and VyOS configs; the logs state the IPsec SA is established, I can see it.

Cisco

crypto ikev2 proposal VPN-IKEv2-Proposal
 encryption aes-cbc-256
 integrity sha256
 group 21
!
crypto ikev2 policy VPN-IKEv2-Policy
 proposal VPN-IKEv2-Proposal
!
crypto ikev2 keyring VPN-IKEv2-Keyring
 peer germanyheadend
  address 172.16.16.1
  pre-shared-key local changepassword
  pre-shared-key remote changepassword
 !
!
!
crypto ikev2 profile VPN-IKEv2-Profile
 match identity remote address 172.16.16.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN-IKEv2-Keyring
!
!
!
lldp run
!
!
!
!
!
!
!
!
!
!
crypto ipsec transform-set AES-CBC-256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile VPN-IKEv2-IPsec-Profile
 set transform-set AES-CBC-256
 set pfs group21
 set ikev2-profile VPN-IKEv2-Profile
!
!
!
crypto map vpn 10 ipsec-isakmp
 set peer 172.16.16.1
 set transform-set AES-CBC-256
 match address gre
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.99.2 255.255.255.255
!
interface Tunnel1
 ip address 10.0.0.2 255.255.255.254
 ip mtu 1410
 tunnel source GigabitEthernet1
 tunnel destination 172.16.16.1
 tunnel protection ipsec profile VPN-IKEv2-IPsec-Profile
!
interface GigabitEthernet1
 ip address 172.16.16.2 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto

VyOS

interfaces {
    ethernet eth0 {
        address 172.16.16.1/24
        hw-id 50:00:00:05:00:00
    }
    ethernet eth1 {
        hw-id 50:00:00:05:00:01
    }
    loopback lo {
        address 192.168.99.1/32
    }
    tunnel tun1 {
        address 10.0.0.1/31
        encapsulation gre
        mtu 1410
        multicast enable
        parameters {
            ip {
                key ****************
            }
        }
        remote 10.0.0.2
        source-address 10.0.0.1
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    static-host-mapping {
        host-name test.r1.local {
            inet 172.16.16.2
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}
vpn {
    ipsec {
        esp-group ESP-1W {
            compression disable
            lifetime 3600
            mode tunnel
            pfs dh-group21
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group IKE-1W {
            close-action none
            ikev2-reauth yes
            key-exchange ikev2
            lifetime 28800
            proposal 1 {
                dh-group 21
                encryption aes256
                hash sha256
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 0.0.0.0 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type respond
                default-esp-group ESP-1W
                ike-group IKE-1W
                local-address 172.16.16.1
                tunnel 1 {
                    protocol gre
                }
            }
        }
    }
}

VyOS IPSEC log

 VPN-IPSEC: 07[NET] <3> received packet: from 172.16.16.2[500] to 172.16.16.1[500] (394 bytes)
  VPN-IPSEC: 07[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No V V V V N(NATD_S_IP) N(NATD_D_IP) ]
  VPN-IPSEC: 07[IKE] <3> received Cisco Delete Reason vendor ID
  VPN-IPSEC: 07[ENC] <3> received unknown vendor ID: 43:49:53:43:4f:56:50:4e:2d:52:45:56:2d:30:32
  VPN-IPSEC: 07[ENC] <3> received unknown vendor ID: 43:49:53:43:4f:2d:44:59:4e:41:4d:49:43:2d:52:4f:55:54:45
  VPN-IPSEC: 07[IKE] <3> received Cisco FlexVPN Supported vendor ID
  VPN-IPSEC: 07[IKE] <3> 172.16.16.2 is initiating an IKE_SA
  VPN-IPSEC: 07[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
  VPN-IPSEC: 07[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
  VPN-IPSEC: 07[NET] <3> sending packet: from 172.16.16.1[500] to 172.16.16.2[500] (316 bytes)
  VPN-IPSEC: 08[NET] <3> received packet: from 172.16.16.2[500] to 172.16.16.1[500] (592 bytes)
  VPN-IPSEC: 08[ENC] <3> unknown attribute type (28692)
  VPN-IPSEC: 08[ENC] <3> parsed IKE_AUTH request 1 [ V IDi AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
  VPN-IPSEC: 08[CFG] <3> looking for peer configs matching 172.16.16.1[%any]...172.16.16.2[172.16.16.2]
  VPN-IPSEC: 08[CFG] <peer-0.0.0.0-tunnel-1|3> selected peer config 'peer-0.0.0.0-tunnel-1'
  VPN-IPSEC: 08[IKE] <peer-0.0.0.0-tunnel-1|3> authentication of '172.16.16.2' with pre-shared key successful
  VPN-IPSEC: 08[IKE] <peer-0.0.0.0-tunnel-1|3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
  VPN-IPSEC: 08[IKE] <peer-0.0.0.0-tunnel-1|3> authentication of '172.16.16.1' (myself) with pre-shared key
  VPN-IPSEC: 08[IKE] <peer-0.0.0.0-tunnel-1|2> destroying duplicate IKE_SA for peer '172.16.16.2', received INITIAL_CONTACT
  VPN-IPSEC: 08[IKE] <peer-0.0.0.0-tunnel-1|3> IKE_SA peer-0.0.0.0-tunnel-1[3] established between 172.16.16.1[172.16.16.1]...172.16.16.2[172.16.16.2]
  VPN-IPSEC: 08[CFG] <peer-0.0.0.0-tunnel-1|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
  VPN-IPSEC: 08[IKE] <peer-0.0.0.0-tunnel-1|3> CHILD_SA peer-0.0.0.0-tunnel-1{4} established with SPIs c49cb195_i 8cf80475_o and TS 172.16.16.1/32[gre] === 172.16.16.2/32[gre]
  VPN-IPSEC: 08[ENC] <peer-0.0.0.0-tunnel-1|3> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
  VPN-IPSEC: 08[NET] <peer-0.0.0.0-tunnel-1|3> sending packet: from 172.16.16.1[500] to 172.16.16.2[500] (224 bytes)

Note: 10.0.0.1 and 10.0.0.2 aren't in the same /31 subnet.
Cisco uses 172.16.16.2 as tunnel source, whereas VyOS thinks 10.0.0.2 is the remote.
(I prefer using the WAN address or some loopback as GRE tunnel source.)

If I do, Phase 1 completely fails, either as loopback too. And that is correct, Cisco uses 172.16.16.2; changing the tunnel source to the loopback, the TS fails.

AFAIK, IPsec policy settings (like remote/local network, protocol) are negotiated during Phase 2.

Phase 2, you are indeed correct; I keep mixing them up, so excuse that error. But if I don't specify any remote or local networks, the SA is established perfectly fine. It's pretty much a 1-to-1 config of the VyOS RSA setup for GRE over IPsec, but using PSK instead; tried doing loopbacks, just nope.

Slight update

  VPN-IPSEC: 09[KNL] creating acquire job for policy 172.16.16.1/32[icmp/3(3)] === 172.16.16.2/32[icmp/3(3)] with reqid {6}
  VPN-IPSEC: 09[IKE] <peer-test.r1.local-tunnel-1|10> establishing CHILD_SA peer-test.r1.local-tunnel-1{12} reqid 6
  VPN-IPSEC: 09[ENC] <peer-test.r1.local-tunnel-1|10> generating CREATE_CHILD_SA request 0 [ SA No KE TSi TSr ]
  VPN-IPSEC: 09[NET] <peer-test.r1.local-tunnel-1|10> sending packet: from 172.16.16.1[500] to 172.16.16.2[500] (384 bytes)
  VPN-IPSEC: 12[NET] <peer-test.r1.local-tunnel-1|10> received packet: from 172.16.16.2[500] to 172.16.16.1[500] (80 bytes)
  VPN-IPSEC: 12[ENC] <peer-test.r1.local-tunnel-1|10> parsed CREATE_CHILD_SA response 0 [ N(TS_UNACCEPT) ]
  VPN-IPSEC: 12[IKE] <peer-test.r1.local-tunnel-1|10> received TS_UNACCEPTABLE notify, no CHILD_SA built
  VPN-IPSEC: 12[IKE] <peer-test.r1.local-tunnel-1|10> failed to establish CHILD_SA, keeping IKE_SA

Decided to go the FQDN way; I have set

set vpn ipsec site-to-site peer test.r1.local tunnel 1 protocol all 

Still throws that error. Any advice?

Traffic selectors (TS) are unacceptable. Phase 2.
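To make the two findings in this thread checkable (the /31 and tunnel-endpoint mismatch pointed out above, and the TS_UNACCEPTABLE on the CREATE_CHILD_SA that followed an icmp acquire), here is a small added diagnostic script. It is not part of the thread or of VyOS; it parses the selector pairs exactly as charon printed them in the pasted logs, tests whether a given flow falls inside the negotiated selector, and compares the posted VyOS and Cisco GRE tunnel definitions against each other. The log lines and config values embedded below are copied from the posts above; the helper names are my own.

```python
"""Consistency checks for a GRE-over-IPsec pair (added example, not from the thread).

Assumptions: selector pairs appear as charon prints them, e.g.
"172.16.16.1/32[gre] === 172.16.16.2/32[gre]" or
"172.16.16.1/32[icmp/3(3)] === 172.16.16.2/32[icmp/3(3)]".
"""
import ipaddress
import re
from dataclasses import dataclass

# Protocol names as charon prints them inside the [...] of a traffic selector.
PROTO_NUMBERS = {"gre": 47, "icmp": 1, "tcp": 6, "udp": 17}

# Matches "A/len[proto...] === B/len[proto...]" from the CHILD_SA and acquire lines.
_TS_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+/\d+)\[([a-z]+)[^\]]*\]\s*===\s*"
    r"(\d+\.\d+\.\d+\.\d+/\d+)\[([a-z]+)[^\]]*\]"
)


@dataclass(frozen=True)
class TrafficSelector:
    local: ipaddress.IPv4Network
    local_proto: int
    remote: ipaddress.IPv4Network
    remote_proto: int


def parse_ts(line: str):
    """Extract the local/remote selector pair from a charon log line, or None."""
    m = _TS_RE.search(line)
    if not m:
        return None
    return TrafficSelector(
        ipaddress.ip_network(m.group(1)), PROTO_NUMBERS[m.group(2)],
        ipaddress.ip_network(m.group(3)), PROTO_NUMBERS[m.group(4)],
    )


def flow_matches(ts: TrafficSelector, src: str, dst: str, proto: int) -> bool:
    """True if an outbound src->dst flow of the given IP protocol is covered by ts."""
    return (ipaddress.ip_address(src) in ts.local
            and ipaddress.ip_address(dst) in ts.remote
            and proto == ts.local_proto == ts.remote_proto)


def check_gre_peering(vyos_source, vyos_remote, vyos_addr,
                      cisco_source, cisco_dest, cisco_addr):
    """Return a list of mismatches between the two GRE tunnel definitions."""
    problems = []
    # The outer GRE endpoints must mirror each other.
    if vyos_remote != cisco_source:
        problems.append(f"VyOS 'remote {vyos_remote}' is not the Cisco tunnel source {cisco_source}")
    if cisco_dest != vyos_source:
        problems.append(f"Cisco 'tunnel destination {cisco_dest}' is not the VyOS source-address {vyos_source}")
    # The inner addresses must share one subnet (the /31 here) or the peer is unreachable.
    a = ipaddress.ip_interface(vyos_addr)
    b = ipaddress.ip_interface(cisco_addr)
    if a.network != b.network:
        problems.append(f"tunnel addresses {vyos_addr} and {cisco_addr} are in different subnets")
    return problems


# Log lines and config values as posted in this thread.
ESTABLISHED_TS_LINE = ("CHILD_SA peer-0.0.0.0-tunnel-1{4} established with SPIs c49cb195_i "
                       "8cf80475_o and TS 172.16.16.1/32[gre] === 172.16.16.2/32[gre]")
ACQUIRE_LINE = ("creating acquire job for policy 172.16.16.1/32[icmp/3(3)] "
                "=== 172.16.16.2/32[icmp/3(3)] with reqid {6}")


def diagnose():
    ts = parse_ts(ESTABLISHED_TS_LINE)
    acquire = parse_ts(ACQUIRE_LINE)
    return {
        # The ping that raised the acquire is icmp, outside the gre-only selector
        # the Cisco side agreed to, so a CREATE_CHILD_SA for it can be refused.
        "acquire_covered_by_sa": flow_matches(
            ts, str(acquire.local.network_address),
            str(acquire.remote.network_address), acquire.local_proto),
        # The posted VyOS tunnel encapsulates from 10.0.0.1 to 10.0.0.2: not in the TS.
        "posted_gre_covered_by_sa": flow_matches(ts, "10.0.0.1", "10.0.0.2", 47),
        # GRE sourced from the WAN addresses lands inside the negotiated selector.
        "wan_gre_covered_by_sa": flow_matches(ts, "172.16.16.1", "172.16.16.2", 47),
        "peering_problems": check_gre_peering(
            "10.0.0.1", "10.0.0.2", "10.0.0.1/31",       # VyOS tun1 as posted
            "172.16.16.2", "172.16.16.1", "10.0.0.2/31"),  # Cisco Tunnel1 as posted
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(key, "->", value)
```

Running it reports three peering problems for the posted configs (remote/source mismatch in both directions and the two /31 addresses sitting in different /31s), shows that the 10.0.0.x GRE flow is not covered by the 172.16.16.1/32[gre] === 172.16.16.2/32[gre] selector while a WAN-sourced GRE flow is, and confirms the icmp acquire falls outside that selector. Feeding a corrected pair (VyOS source-address 172.16.16.1, remote 172.16.16.2, tunnel addresses in one /31) returns an empty problem list.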

Well, I'm doing GRE over IPsec while the branch is dynamic and the headend is static. It's rejecting the loopbacks, legit doing a 1-to-1 example from your website but with a Cisco device.

ALMOST THERE!!!

Router#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 172.16.16.2/500 172.16.16.1/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/29 sec

IPv6 Crypto IKEv2 SA