Hi All,
I am trying to establish an IPsec connection. One VyOS VPN is behind a NAT-GW, so I am enabling NAT-T on both VPN instances. I am using a VTI interface in both VPN instances.
But it is failing in the IKE negotiation.
My topology looks like
VPN 1 <----> NAT-GW <----> VPN2(behind nat-gw)
VPN1 details
local address - 192.168.203.54
NAT-GW - 192.168.203.89
VPN2 details
local address - 192.168.20.9
ERROR on VPN1
VPN-IPSEC: packet from 192.168.203.89:52516: received Vendor ID payload [strongSwan]
VPN-IPSEC: packet from 192.168.203.89:52516: ignoring Vendor ID payload [Cisco-Unity]
VPN-IPSEC: packet from 192.168.203.89:52516: received Vendor ID payload [XAUTH]
VPN-IPSEC: packet from 192.168.203.89:52516: received Vendor ID payload [Dead Peer Detection]
VPN-IPSEC: packet from 192.168.203.89:52516: received Vendor ID payload [RFC 3947]
VPN-IPSEC: packet from 192.168.203.89:52516: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
VPN-IPSEC: packet from 192.168.203.89:52516: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
VPN-IPSEC: packet from 192.168.203.89:52516: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
VPN-IPSEC: packet from 192.168.203.89:52516: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
VPN-IPSEC: packet from 192.168.203.89:52516: initial Main Mode message received on 192.168.203.54:500 but no connection has been authorized with policy=PSK
IKE source port 500 is translated to 52516, and I am seeing that this is the issue. When I added a NAT rule on the NAT-GW to exclude src port 500 from port address translation, it works, but I don't want to add such a rule.
Can someone please help with what is wrong here?
VPN1 configuration
set interfaces vti vti0 address 40.0.0.2/30
Phase 2
set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group16'
set vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha256'
Phase 1
set vpn ipsec ike-group IKE-Default dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '90'
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default lifetime '86400'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '16'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'
Here you can of course set up your own interface which is used for VPN
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-modes 'all'
Set up the site-to-site config
set vpn ipsec site-to-site peer 192.168.203.89 authentication id '192.168.203.54'
set vpn ipsec site-to-site peer 192.168.203.89 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.203.89 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.168.203.89 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.203.89 default-esp-group 'ESP-Default'
set vpn ipsec site-to-site peer 192.168.203.89 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 192.168.203.89 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.168.203.89 local-address '192.168.203.54'
Make use of our VTI interface
set vpn ipsec site-to-site peer 192.168.203.89 vti bind vti0
set vpn ipsec site-to-site peer 192.168.203.89 vti esp-group ESP-Default
set vpn ipsec nat-traversal enable
commit
save
exit
==================================================
VPN2 configuration
Virtual Tunnel Interface
set interfaces vti vti0 address 40.0.0.1/30
Phase 2
set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group16'
set vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha256'
Phase 1
set vpn ipsec ike-group IKE-Default dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '90'
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default lifetime '86400'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '16'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'
Here you can of course set up your own interface which is used for VPN
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-modes 'all'
Set up the site-to-site config
set vpn ipsec site-to-site peer 192.168.203.54 authentication id '192.168.203.89'
set vpn ipsec site-to-site peer 192.168.203.54 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.203.54 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.168.203.54 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.203.54 default-esp-group 'ESP-Default'
set vpn ipsec site-to-site peer 192.168.203.54 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 192.168.203.54 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.168.203.54 local-address '192.168.20.9'
Make use of our VTI interface
set vpn ipsec site-to-site peer 192.168.203.54 vti bind vti0
set vpn ipsec site-to-site peer 192.168.203.54 vti esp-group ESP-Default
set vpn ipsec nat-traversal enable
commit
save
exit
Thanks,
Pritam Kharat
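As an added example (not part of the post above and not VyOS code), a small Python checker that reads both sets of `set` commands and the failing log line: it reports which side is being dialled at an address it does not own (i.e. sits behind the NAT), flags the IKEv1 Main Mode plus pre-shared-secret combination on that path, where the responder has to pick the PSK by the packet's source address before any ID payload has been exchanged, and extracts the translated source port from the "no connection has been authorized" line. The VPN1/VPN2 samples are trimmed copies of the configs in the post, and the names VPN1/VPN2 are assumed labels.

```python
import re

# Constructed from the two configs in the post (only the lines the checks need).
VPN1 = """
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec site-to-site peer 192.168.203.89 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.203.89 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 192.168.203.89 local-address '192.168.203.54'
"""
VPN2 = """
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec site-to-site peer 192.168.203.54 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.203.54 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 192.168.203.54 local-address '192.168.20.9'
"""
# The rejected first Main Mode packet, copied from the post's VPN1 log.
LOG = "VPN-IPSEC: packet from 192.168.203.89:52516: initial Main Mode message received on 192.168.203.54:500 but no connection has been authorized with policy=PSK"
LOG_RE = re.compile(r"packet from (\S+):(\d+): initial Main Mode message .* no connection has been authorized")

def parse_vyos(text: str) -> dict:
    """Collect site-to-site peer and ike-group settings from VyOS 'set' lines."""
    cfg = {"site-to-site": {}, "ike-group": {}}
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] != ["set", "vpn", "ipsec"]:
            continue
        if tok[3] in ("site-to-site", "ike-group") and len(tok) > 6:
            i = 5 if tok[3] == "site-to-site" else 4  # index of the peer address / group name
            cfg[tok[3]].setdefault(tok[i], {})[" ".join(tok[i + 1:-1])] = tok[-1].strip("'\"")
    return cfg

def check_pair(name_a: str, a: dict, name_b: str, b: dict) -> list:
    """Report, per side, whether the address it dials is really an address the other side owns."""
    findings = []
    for me, mine, other, theirs in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
        their_local = {p.get("local-address") for p in theirs["site-to-site"].values()}
        for peer_ip, p in mine["site-to-site"].items():
            if peer_ip in their_local:
                continue  # the dialled address belongs to the other side: no NAT in the way
            findings.append(f"{me}: peer {peer_ip} is not {other}'s local-address {sorted(their_local)}, so {other} is behind NAT")
            ike = mine["ike-group"].get(p.get("ike-group"), {})
            if ike.get("key-exchange") == "ikev1" and p.get("authentication mode") == "pre-shared-secret":
                findings.append(f"{me}: IKEv1 Main Mode with PSK towards a NATed peer: the responder selects the PSK by source address before any ID payload arrives")
    return findings

def nat_port_from_log(line: str):
    """(source_ip, source_port) of the rejected first Main Mode packet, or None for any other line."""
    m = LOG_RE.search(line)
    return (m.group(1), int(m.group(2))) if m else None
```

Run `check_pair("VPN1", parse_vyos(VPN1), "VPN2", parse_vyos(VPN2))` to see both findings for the VPN1 side, and `nat_port_from_log(LOG)` returns the translated port 52516 the post mentions.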