I am trying to create an IPsec tunnel between two VyOS routers: one hosted behind a home router/NAT, and one in AWS in a VPC with an elastic IP.
So far, I have been able to get IKE up, but the IPsec tunnel stays down no matter what I try.
For the home router, I have set up port forwarding to the VyOS (UDP 500, UDP 4500).
For the AWS VyOS EC2 instance, I have disabled the src/dst check and opened the same ports in the security group.
Here is the router VPN config I am using…
Any help or pointers is greatly appreciated!
vyos@vyos:~$ sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
52.77.xxx.xxx                           192.168.2.1

    State  Encrypt  Hash     D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  -------  -------  -----  ------  ------
    up     aes256   sha1_96  2        no     1800    3600

vyos@vyos:~$ sh vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
52.77.xxx.xxx                           192.168.2.1

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       down   n/a            n/a      n/a   no     0       1800    all
Home VyOS config:
vyos@vyos# sh vpn
ipsec {
    esp-group esp_test_1 {
        compression disable
        lifetime 1800
        mode tunnel
        pfs enable
        proposal 1 {
            encryption aes256
            hash sha1
        }
    }
    ike-group ike_test_1 {
        key-exchange ikev2
        lifetime 3600
        proposal 1 {
            dh-group 2
            encryption aes256
            hash sha1
        }
    }
    ipsec-interfaces {
        interface eth0
    }
    nat-networks {
        allowed-network 0.0.0.0/0 {
        }
    }
    nat-traversal enable
    site-to-site {
        peer 52.77.xxx.xxx {
            authentication {
                id 192.168.2.1
                mode pre-shared-secret
                pre-shared-secret XXXXXXXXXXXX
                remote-id 172.31.17.208
            }
            default-esp-group esp_test_1
            ike-group ike_test_1
            local-address 192.168.2.1
            tunnel 1 {
                allow-nat-networks disable
                allow-public-networks disable
                local {
                    prefix 192.168.0.0/22
                }
                remote {
                    prefix 172.31.16.0/20
                }
            }
        }
    }
}
AWS EC2 VyOS config:
ipsec {
    esp-group esp_test_1 {
        compression disable
        lifetime 1800
        mode tunnel
        pfs enable
        proposal 1 {
            encryption aes256
            hash sha1
        }
    }
    esp-group office-srv-esp {
        compression disable
        lifetime 1800
        mode tunnel
        pfs enable
        proposal 1 {
            encryption aes256
            hash sha1
        }
    }
    ike-group ike_test_1 {
        key-exchange ikev2
        lifetime 3600
        proposal 1 {
            dh-group 2
            encryption aes256
            hash sha1
        }
    }
    ike-group office-srv-ike {
        ikev2-reauth no
        key-exchange ikev1
        lifetime 3600
        proposal 1 {
            encryption aes256
            hash sha1
        }
    }
    ipsec-interfaces {
        interface eth0
    }
    nat-networks {
        allowed-network 0.0.0.0/0 {
        }
    }
    nat-traversal enable
    site-to-site {
        peer 116.xxx.xxx.xxx {
            authentication {
                id 172.31.17.208
                mode pre-shared-secret
                pre-shared-secret XXXXXXXXXXXX
                remote-id 192.168.2.1
            }
            default-esp-group esp_test_1
            ike-group ike_test_1
            local-address 172.31.17.208
            tunnel 1 {
                allow-nat-networks disable
                allow-public-networks disable
                local {
                    prefix 172.31.16.0/20
                }
                remote {
                    prefix 192.168.0.0/22
                }
            }
        }
    }
}
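Added example (editor's code, not the poster's and not part of VyOS): a small parser for the VyOS `show vpn` brace format, plus a checker that two site-to-site peer configs mirror each other (local/remote prefixes swapped, `id`/`remote-id` swapped, same PSK, identical IKE and ESP proposals) and a hint for which side sits behind NAT (its `local-address` differs from the address the other side dials). The two inputs are built from a constructed template holding only the fields the check needs, filled with the values from the two configs above; the masked octets are kept as `xxx` and the PSK as `XXXXXXXXXXXX`.

```python
# Added example, not the poster's or VyOS's code. Parse VyOS `show vpn`
# output and check that two site-to-site peers mirror each other.
from string import Template

# Constructed: the posted configs trimmed to the fields the check reads.
TEMPLATE = Template("""
ipsec {
    esp-group esp_test_1 {
        proposal 1 {
            encryption aes256
            hash sha1
        }
    }
    ike-group ike_test_1 {
        key-exchange ikev2
        proposal 1 {
            dh-group 2
            encryption aes256
            hash sha1
        }
    }
    site-to-site {
        peer $peer {
            authentication {
                id $local_id
                pre-shared-secret XXXXXXXXXXXX
                remote-id $remote_id
            }
            default-esp-group esp_test_1
            ike-group ike_test_1
            local-address $local_addr
            tunnel 1 {
                local {
                    prefix $local_prefix
                }
                remote {
                    prefix $remote_prefix
                }
            }
        }
    }
}
""")
HOME = TEMPLATE.substitute(peer="52.77.xxx.xxx", local_addr="192.168.2.1", local_id="192.168.2.1",
                           remote_id="172.31.17.208", local_prefix="192.168.0.0/22", remote_prefix="172.31.16.0/20")
AWS = TEMPLATE.substitute(peer="116.xxx.xxx.xxx", local_addr="172.31.17.208", local_id="172.31.17.208",
                          remote_id="192.168.2.1", local_prefix="172.31.16.0/20", remote_prefix="192.168.0.0/22")

def parse_vyos(text):
    """Turn `key [value] {` / `key value` / `}` lines into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        tokens = line.rstrip("{").split()
        node = stack[-1]
        if line.endswith("{"):            # "peer 1.2.3.4 {" -> peer -> 1.2.3.4 -> {}
            for tok in tokens:
                node = node.setdefault(tok, {})
            stack.append(node)
        else:                             # leaf: "hash sha1" -> {"hash": "sha1"}
            node[tokens[0]] = " ".join(tokens[1:])
    return root

def peer_view(cfg):
    """Flatten the single site-to-site peer and its IKE/ESP groups into one dict."""
    ipsec = cfg["ipsec"]
    (peer_ip, peer), = ipsec["site-to-site"]["peer"].items()
    auth, tun = peer["authentication"], peer["tunnel"]["1"]
    return {"peer": peer_ip, "local_addr": peer["local-address"],
            "id": auth["id"], "remote_id": auth["remote-id"], "psk": auth["pre-shared-secret"],
            "local_prefix": tun["local"]["prefix"], "remote_prefix": tun["remote"]["prefix"],
            "ike": ipsec["ike-group"][peer["ike-group"]],
            "esp": ipsec["esp-group"][peer["default-esp-group"]]}

def mirror_problems(a_text, b_text):
    """Names of fields that do not mirror between the two sides; [] means they all match."""
    a, b = peer_view(parse_vyos(a_text)), peer_view(parse_vyos(b_text))
    checks = [
        ("local/remote prefix", a["local_prefix"] == b["remote_prefix"] and a["remote_prefix"] == b["local_prefix"]),
        ("authentication id/remote-id", a["id"] == b["remote_id"] and a["remote_id"] == b["id"]),
        ("pre-shared-secret", a["psk"] == b["psk"]),
        ("ike-group proposal", a["ike"] == b["ike"]),
        ("esp-group proposal", a["esp"] == b["esp"]),
    ]
    return [name for name, ok in checks if not ok]

def nat_hints(a_text, b_text):
    """local-addresses that differ from what the other side dials: that side is behind NAT."""
    a, b = peer_view(parse_vyos(a_text)), peer_view(parse_vyos(b_text))
    return [me["local_addr"] for me, other in ((a, b), (b, a)) if me["local_addr"] != other["peer"]]
```

On the values from the post, `mirror_problems(HOME, AWS)` returns an empty list, so selectors, identities, PSK and proposals are symmetric and can be ruled out as the cause; `nat_hints` returns both `192.168.2.1` (home VyOS behind the home router) and `172.31.17.208` (EC2 instance behind its elastic IP), which is why the `NAT-T` column in the two `sh vpn` outputs above is worth a second look. Swapping a `dh-group` or a prefix on one side makes the checker name that field.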