Help with IPSEC Site-to-Site VPN


#1

I am trying to create an IPSEC tunnel between two VYOS routers - one hosted behind a home router/NAT, and one in AWS in a VPC with an elastic IP.

So far, I have been able to get IKE up but the IPSEC tunnel stays down no matter what I try.

For the home router, I have done port forwarding to the VYOS (UDP 500, UDP 4500).
For the AWS VYOS EC2 instance, I have disabled src/dst check and enabled the same ports on the security group.

Here is the router VPN config I am using…
Any help or pointers are greatly appreciated!

vyos@vyos:~$ sh vpn ike sa
Peer ID / IP                            Local ID / IP
52.77.xxx.xxx                           192.168.2.1

State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
-----  -------  ----    -------  -----  ------  ------
up     aes256   sha1_96 2        no     1800    3600

vyos@vyos:~$ sh vpn ipsec sa
Peer ID / IP                            Local ID / IP
52.77.xxx.xxx                           192.168.2.1

Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
------  -----  -------------  -------  ----    -----  ------  ------  -----
1       down   n/a            n/a      n/a     no     0       1800    all

Home VYOS config:

vyos@vyos# sh vpn
ipsec {
    esp-group esp_test_1 {
        compression disable
        lifetime 1800
        mode tunnel
        pfs enable
        proposal 1 {
            encryption aes256
            hash sha1
        }
    }
    ike-group ike_test_1 {
        key-exchange ikev2
        lifetime 3600
        proposal 1 {
            dh-group 2
            encryption aes256
            hash sha1
        }
    }
    ipsec-interfaces {
        interface eth0
    }
    nat-networks {
        allowed-network 0.0.0.0/0 {
        }
    }
    nat-traversal enable
    site-to-site {
        peer 52.77.xxx.xxx {
            authentication {
                id 192.168.2.1
                mode pre-shared-secret
                pre-shared-secret XXXXXXXXXXXX
                remote-id 172.31.17.208
            }
            default-esp-group esp_test_1
            ike-group ike_test_1
            local-address 192.168.2.1
            tunnel 1 {
                allow-nat-networks disable
                allow-public-networks disable
                local {
                    prefix 192.168.0.0/22
                }
                remote {
                    prefix 172.31.16.0/20
                }
            }
        }
    }
}

AWS EC2 VYOS config:

ipsec {
    esp-group esp_test_1 {
        compression disable
        lifetime 1800
        mode tunnel
        pfs enable
        proposal 1 {
            encryption aes256
            hash sha1
        }
    }
    esp-group office-srv-esp {
        compression disable
        lifetime 1800
        mode tunnel
        pfs enable
        proposal 1 {
            encryption aes256
            hash sha1
        }
    }
    ike-group ike_test_1 {
        key-exchange ikev2
        lifetime 3600
        proposal 1 {
            dh-group 2
            encryption aes256
            hash sha1
        }
    }
    ike-group office-srv-ike {
        ikev2-reauth no
        key-exchange ikev1
        lifetime 3600
        proposal 1 {
            encryption aes256
            hash sha1
        }
    }
    ipsec-interfaces {
        interface eth0
    }
    nat-networks {
        allowed-network 0.0.0.0/0 {
        }
    }
    nat-traversal enable
    site-to-site {
        peer 116.xxx.xxx.xxx {
            authentication {
                id 172.31.17.208
                mode pre-shared-secret
                pre-shared-secret XXXXXXXXXXXX
                remote-id 192.168.2.1
            }
            default-esp-group esp_test_1
            ike-group ike_test_1
            local-address 172.31.17.208
            tunnel 1 {
                allow-nat-networks disable
                allow-public-networks disable
                local {
                    prefix 172.31.16.0/20
                }
                remote {
                    prefix 192.168.0.0/22
                }
            }
        }
    }
}
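
Editor's note, with an added example that is not part of the post above and not VyOS project code: when IKE is up but the child SA stays down, the first thing to rule out is a setting that one side states differently from the other. The script below parses the `show vpn` listings in the post into path/value pairs and checks that everything the two ends must agree on (IKE and ESP proposals, PFS, pre-shared secret, `id`/`remote-id`, local/remote prefixes, `nat-traversal`) is the exact mirror image on the far side. The AWS listing in the post mirrors the home one in every setting the peer references, so the script derives it from the home text with an address-swap helper instead of repeating it; `swap_addresses`, `parse_vyos`, `peer_view` and `check_parity` are names chosen for this example, and the home listing is trimmed to the settings the check uses. On the posted pair it reports no mismatch, which leaves the path between the peers (home NAT and port forwarding, the AWS security group, NAT-T) as the place to look, which is the direction the replies take.

```python
import re

# Trimmed copy of the home router's `show vpn` listing from the post above
# (constructed sample input; the secret stays as the post's placeholder).
HOME = """
ipsec {
esp-group esp_test_1 {
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group ike_test_1 {
key-exchange ikev2
proposal 1 {
dh-group 2
encryption aes256
hash sha1
}
}
nat-traversal enable
site-to-site {
peer 52.77.xxx.xxx {
authentication {
id 192.168.2.1
pre-shared-secret XXXXXXXXXXXX
remote-id 172.31.17.208
}
default-esp-group esp_test_1
ike-group ike_test_1
tunnel 1 {
local {
prefix 192.168.0.0/22
}
remote {
prefix 172.31.16.0/20
}
}
}
}
}
"""

def swap_addresses(text, pairs):
    """Exchange every (a, b) pair in one pass; only used to build the AWS sample."""
    table = {x: y for a, b in pairs for x, y in ((a, b), (b, a))}
    return re.sub("|".join(map(re.escape, table)), lambda m: table[m.group()], text)

# The AWS listing in the post mirrors the home one in everything the peer references
# (addresses and prefixes exchanged), so derive it rather than repeat it.
AWS = swap_addresses(HOME, [("52.77.xxx.xxx", "116.xxx.xxx.xxx"),
                            ("192.168.2.1", "172.31.17.208"),
                            ("192.168.0.0/22", "172.31.16.0/20")])

def parse_vyos(text):
    """Flatten VyOS `show` output into {path_tuple: value}: a line ending in '{'
    opens a node named by the rest of the line, '}' closes it, else 'key value'."""
    flat, stack = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
        else:
            key, _, value = line.partition(" ")
            flat[tuple(stack) + (key,)] = value
    return flat

# Settings that the far side states from the opposite point of view.
MIRROR = {"local": "remote", "remote": "local", "id": "remote-id", "remote-id": "id"}

def peer_view(flat, mirrored=False):
    """Keep only what both ends must agree on: the first site-to-site peer, the ESP
    and IKE groups it references, and nat-traversal. The peer address and group
    names are normalised away; mirrored=True swaps local/remote and id/remote-id."""
    peer = next(p[2] for p in flat
                if p[:2] == ("ipsec", "site-to-site") and p[2].startswith("peer "))
    esp = flat.get(("ipsec", "site-to-site", peer, "default-esp-group"))
    ike = flat.get(("ipsec", "site-to-site", peer, "ike-group"))
    rename = {peer: "peer", f"esp-group {esp}": "esp-group", f"ike-group {ike}": "ike-group"}
    keep = {"nat-traversal", "site-to-site", *rename}
    view = {}
    for path, value in flat.items():
        # Skip unrelated nodes, other peers, and side-specific leaves (the groups'
        # contents are compared instead of their names).
        if len(path) < 2 or path[0] != "ipsec" or path[1] not in keep \
                or (path[1] == "site-to-site" and path[2] != peer) \
                or path[-1] in ("local-address", "default-esp-group", "ike-group"):
            continue
        norm = tuple(rename.get(p, p) for p in path)
        if mirrored:
            norm = tuple(MIRROR.get(p, p) for p in norm)
        view[norm] = value
    return view

def check_parity(text_a, text_b):
    """List 'path: A=... B=...' entries where side A, seen from B's point of view,
    disagrees with B. An empty list means the two configs mirror each other."""
    a = peer_view(parse_vyos(text_a), mirrored=True)
    b = peer_view(parse_vyos(text_b))
    return [f"{'/'.join(path)}: A={a.get(path)!r} B={b.get(path)!r}"
            for path in sorted(a.keys() | b.keys()) if a.get(path) != b.get(path)]
```

`check_parity(HOME, AWS)` returns an empty list for the posted pair; change one side's prefix (for example the AWS `remote` prefix to `192.168.0.0/24`) and it returns a single entry naming `tunnel 1/remote/prefix` with both values, and changing `hash sha1` on one side flags both the ESP and the IKE proposal. In practice you would paste each router's own `show vpn` output in place of the two strings.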


#2

Do you also have opened IP protocol 50 (ESP) on the firewall?


#3

Both sides are behind NAT.
An Asus router NAT at home, and AWS NATs the elastic IP to the private IP of the vyos EC2 instance.

So protocol 50 is no longer applicable right?
(Also, I don't think I can port forward protocol 50 on the Asus router)


#4

Can you share logs?