IKE negotiation error for VPN instance behind NAT-GW


#1

Hi All,

I am trying to establish an IPsec connection. One VyOS VPN is behind a NAT-GW, so I have enabled NAT-T on both VPN instances. I am using a VTI interface in both VPN instances.
But it is failing in the IKE negotiation.

My topology looks like

VPN 1 <----> NAT-GW <----> VPN2(behind nat-gw)

VPN1 details
local address - 192.168.203.54

NAT-GW - 192.168.203.89

VPN2 details
local address - 192.168.20.9

ERROR on VPN1
VPN-IPSEC: packet from 192.168.203.89:52516: received Vendor ID payload [strongSwan]
VPN-IPSEC: packet from 192.168.203.89:52516: ignoring Vendor ID payload [Cisco-Unity]
VPN-IPSEC: packet from 192.168.203.89:52516: received Vendor ID payload [XAUTH]
VPN-IPSEC: packet from 192.168.203.89:52516: received Vendor ID payload [Dead Peer Detection]
VPN-IPSEC: packet from 192.168.203.89:52516: received Vendor ID payload [RFC 3947]
VPN-IPSEC: packet from 192.168.203.89:52516: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
VPN-IPSEC: packet from 192.168.203.89:52516: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
VPN-IPSEC: packet from 192.168.203.89:52516: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
VPN-IPSEC: packet from 192.168.203.89:52516: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
VPN-IPSEC: packet from 192.168.203.89:52516: initial Main Mode message received on 192.168.203.54:500 but no connection has been authorized with policy=PSK

The IKE source port 500 is translated to 52516, and I am seeing that this is the issue. When I added a NAT rule on the NAT-GW to exclude source port 500 from port address translation, it works, but I don't want to add such a rule.
Can someone please help with what is wrong here?

VPN1 configuration

set interfaces vti vti0 address 40.0.0.2/30

Phase 2

set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group16'
set vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha256'

Phase 1

set vpn ipsec ike-group IKE-Default dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '90'
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default lifetime '86400'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '16'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'

Here you can of course set up your own interface which is used for VPN

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-modes 'all'

Set up the site-to-site config

set vpn ipsec site-to-site peer 192.168.203.89 authentication id '192.168.203.54'
set vpn ipsec site-to-site peer 192.168.203.89 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.203.89 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.168.203.89 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.203.89 default-esp-group 'ESP-Default'
set vpn ipsec site-to-site peer 192.168.203.89 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 192.168.203.89 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.168.203.89 local-address '192.168.203.54'

Make use of our VTI interface

set vpn ipsec site-to-site peer 192.168.203.89 vti bind vti0
set vpn ipsec site-to-site peer 192.168.203.89 vti esp-group ESP-Default
set vpn ipsec nat-traversal enable

commit
save
exit

==================================================
VPN2 configuration

Virtual Tunnel Interface

set interfaces vti vti0 address 40.0.0.1/30

Phase 2

set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group16'
set vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha256'

Phase 1

set vpn ipsec ike-group IKE-Default dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '90'
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default lifetime '86400'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '16'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'

Here you can of course set up your own interface which is used for VPN

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-modes 'all'

Set up the site-to-site config

set vpn ipsec site-to-site peer 192.168.203.54 authentication id '192.168.203.89'
set vpn ipsec site-to-site peer 192.168.203.54 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.203.54 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.168.203.54 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.203.54 default-esp-group 'ESP-Default'
set vpn ipsec site-to-site peer 192.168.203.54 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 192.168.203.54 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.168.203.54 local-address '192.168.20.9'

Make use of our VTI interface

set vpn ipsec site-to-site peer 192.168.203.54 vti bind vti0
set vpn ipsec site-to-site peer 192.168.203.54 vti esp-group ESP-Default

set vpn ipsec nat-traversal enable

commit
save
exit

Thanks,
Pritam Kharat
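What the log above shows is the first Main Mode message arriving from the NAT-GW's address with a translated source port (192.168.203.89:52516) rather than from port 500. NAT-T as specified in RFC 3947 (the vendor ID the peer is offering in the log) cannot help at that point: the NAT-D payloads that let each side discover a NAT are carried in Main Mode messages 3 and 4, and the switch to UDP 4500 only happens from message 5 on, so the responder has to match the very first packet to a connection using only the source address and port the NAT chose. The script below is an added example, not part of the original post and not VyOS, pluto or strongSwan code: it models the RFC 3947 NAT-D computation (HASH(CKY-I | CKY-R | IP | Port) with the Phase 1 hash, SHA-256 per the posted ike-group) from both ends using the addresses in the thread, and parses the posted log line to flag the translated source port. The IKE cookies are constructed values; the address the initiator believes it has (192.168.20.9:500) versus the one the responder observes (192.168.203.89:52516) is exactly what makes the responder's NAT-D comparison report "initiator behind NAT".

```python
"""RFC 3947 NAT-Discovery (NAT-D) check modelled for the IKEv1 Main Mode exchange.

Added illustration; cookies are constructed and the addresses come from the thread.
This is not VyOS, pluto or strongSwan code.
"""
import hashlib
import ipaddress
import re
import struct

# Endpoints from the thread: VPN2 initiates from behind the NAT-GW, VPN1 responds.
VPN1 = ("192.168.203.54", 500)            # responder, not NATed
VPN2 = ("192.168.20.9", 500)              # initiator, its own view of itself
NAT_GW_SEEN = ("192.168.203.89", 52516)   # what VPN1 sees after the NAT-GW's PAT

# Constructed IKEv1 cookies (8 bytes each in a real exchange).
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha256"):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), IP and port in network byte order.
    The hash is the one negotiated for Phase 1 (SHA-256 in the posted ike-group)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def initiator_nat_d_payloads(cky_i, cky_r, peer, local_addrs, hash_name="sha256"):
    """The initiator sends the peer's address/port first, then one payload per local address."""
    first = [nat_d_hash(cky_i, cky_r, peer[0], peer[1], hash_name)]
    return first + [nat_d_hash(cky_i, cky_r, ip, port, hash_name) for ip, port in local_addrs]


def responder_nat_detection(cky_i, cky_r, payloads, my_addr, observed_src, hash_name="sha256"):
    """Responder compares the initiator's hashes with hashes of what the packet actually shows.
    A mismatch on the first payload means the responder is behind a NAT; no match among the
    remaining payloads means the initiator's address or port was rewritten on the way."""
    mine = nat_d_hash(cky_i, cky_r, my_addr[0], my_addr[1], hash_name)
    seen = nat_d_hash(cky_i, cky_r, observed_src[0], observed_src[1], hash_name)
    return {
        "responder_behind_nat": payloads[0] != mine,
        "initiator_behind_nat": seen not in payloads[1:],
    }


# Matches the "initial Main Mode message received" line as logged on VPN1 in the thread.
LOG_RE = re.compile(
    r"packet from ([\d.]+):(\d+): initial Main Mode message received on ([\d.]+):(\d+)"
)


def parse_initial_main_mode(line):
    """Return ((observed_src_ip, src_port), (local_ip, local_port)) or None for other lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return (m.group(1), int(m.group(2))), (m.group(3), int(m.group(4)))


def source_port_translated(line, expected_port=500):
    """True when the peer's IKE source port reached us as something other than expected_port."""
    parsed = parse_initial_main_mode(line)
    if parsed is None:
        return None
    (_, src_port), _ = parsed
    return src_port != expected_port


if __name__ == "__main__":
    # Constructed copy of the log line from the thread.
    line = ("VPN-IPSEC: packet from 192.168.203.89:52516: initial Main Mode message received on "
            "192.168.203.54:500 but no connection has been authorized with policy=PSK")
    observed, local = parse_initial_main_mode(line)
    print("observed source:", observed, "source port translated:", source_port_translated(line))
    payloads = initiator_nat_d_payloads(CKY_I, CKY_R, peer=VPN1, local_addrs=[VPN2])
    print(responder_nat_detection(CKY_I, CKY_R, payloads, my_addr=local, observed_src=observed))
```

The responder's result is the same whether the NAT-GW rewrites only the address or the address and the port, which is why NAT-T copes with PAT once it is running; the part it does not cover is message 1, where a responder keyed on a fixed peer address and port 500 has nothing to match against a translated source. That is also why IKEv2 behaves differently: its NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifications already travel in IKE_SA_INIT, and the responder selects the peer and its PSK from the IDi carried in IKE_AUTH rather than from the source address of the first packet.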


#2

I am hitting the same issue even when a tunnel is used instead of VTI.
VPN-IPSEC: packet from x.x.x.x:yyyy initial Main Mode message received on a.b.c.d:500 but no connection has been authorized with policy=PSK
This happens when IKEv1 is used; IKEv2 has no issue.
I could not find relevant information about this. I appreciate any help.