Hello all,
I’m having trouble setting up a site-to-site connection like this between two vyos installations.
One is running in my lab called “central” and one is running in the oracle cloud called “ingress”.
I have double and triple checked the configuration but I cannot get past IKE_SA_INIT.
“Central” is behind a NAT without a static address and is initiating the connection, “Ingress” is probably also behind a NAT but has a static IP courtesy of Oracle.
Ingress config:
vincent@ingress# show vpn
ipsec {
    esp-group common {
        pfs dh-group19
        proposal 1 {
            encryption aes128
            hash sha1
        }
        proposal 2 {
            encryption aes256gcm128
            hash sha256
        }
    }
    ike-group commonIKE {
        key-exchange ikev2
        proposal 1 {
            dh-group 2
            encryption aes128
            hash sha1
        }
        proposal 2 {
            dh-group 19
            encryption aes256gcm128
            hash sha256
        }
    }
    interface eth0
    log {
        level 2
        subsystem ike
    }
    site-to-site {
        peer central {
            authentication {
                local-id ingress
                mode rsa
                remote-id central
                rsa {
                    local-key ipsec-ingress
                    remote-key ipsec-central
                }
            }
            connection-type respond
            default-esp-group common
            ike-group commonIKE
            local-address 138.2.151.6
            tunnel 1 {
                local {
                    prefix 192.168.250.2/32
                }
                remote {
                    prefix 192.168.250.1/32
                }
            }
        }
    }
}
Central config:
vincent@central# show vpn
ipsec {
    esp-group common {
        pfs dh-group19
        proposal 1 {
            encryption aes128
            hash sha1
        }
        proposal 2 {
            encryption aes256gcm128
            hash sha256
        }
    }
    ike-group commonIKE {
        key-exchange ikev2
        proposal 1 {
            dh-group 2
            encryption aes128
            hash sha1
        }
        proposal 2 {
            dh-group 19
            encryption aes256gcm128
            hash sha256
        }
    }
    interface eth0
    site-to-site {
        peer ingress {
            authentication {
                local-id central
                mode rsa
                remote-id ingress
                rsa {
                    local-key ipsec-central
                    remote-key ipsec-ingress
                }
            }
            connection-type initiate
            default-esp-group common
            ike-group commonIKE
            local-address any
            remote-address 138.2.151.6
            tunnel 1 {
                local {
                    prefix 192.168.250.1/32
                }
                remote {
                    prefix 192.168.250.2/32
                }
            }
        }
    }
}
This is the output of the log on the “Ingress”/Responder site:
vincent@ingress:~$ sudo swanctl --log
08[NET] received packet: from 138.199.18.65[10588] to 10.0.0.169[500] (372 bytes)
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08[IKE] no IKE config found for 10.0.0.169...138.199.18.65, sending NO_PROPOSAL_CHOSEN
08[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
08[NET] sending packet: from 10.0.0.169[500] to 138.199.18.65[10588] (36 bytes)
As you can see I’ve tried adding different proposals from the docs to both IKE and ESP groups but that didn’t help. At this point I assume it has something to do with the NAT but I think that should be an issue because I configured matching IDs in the authentication section and use RSA like in the docs, no?
Edit: version info is probably useful too
Version: VyOS 1.5-rolling-202310240118
Release train: current
Built by: autobuild@vyos.net
Built on: Tue 24 Oct 2023 02:41 UTC
Build UUID: 66471dfc-8348-4dbf-953e-133854c539ff
Build commit ID: 142e8770563716
Architecture: x86_64
Boot via: installed image
System type: KVM guest
Hardware vendor: QEMU
Hardware model: Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID: df3bd66b-a30a-42e2-a824-57439af15abb
Copyright: VyOS maintainers and contributors
I’ve tried scouring the internet but the issue seems to usually be solved by just matching the proposals which I have done.
Any help is appreciated.
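The responder log above says "no IKE config found for 10.0.0.169...138.199.18.65" while the ingress peer is configured with "local-address 138.2.151.6". The following script is an added example (it is not from the post or from VyOS) that reads swanctl log lines, pulls out every IKE_SA_INIT rejected for lack of a config, and checks the peer's configured local-address and remote-address against the addresses strongSwan actually saw. It assumes strongSwan's standard matching rule: a responder only selects a connection whose configured local address equals the destination address of the received packet, with "any" matching everything. The sample log and the peer settings are copied from the post; the regular expression, the function names and the remark about 1:1 NAT are mine.

```python
import re

# Constructed sample input: the responder-side swanctl log lines quoted in the
# post above (values unchanged, reformatted into a single string).
SAMPLE_LOG = """\
08[NET] received packet: from 138.199.18.65[10588] to 10.0.0.169[500] (372 bytes)
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08[IKE] no IKE config found for 10.0.0.169...138.199.18.65, sending NO_PROPOSAL_CHOSEN
08[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
08[NET] sending packet: from 10.0.0.169[500] to 138.199.18.65[10588] (36 bytes)
"""

# The responder's peer settings as the post shows them ("show vpn" on ingress).
# Only the fields that take part in connection matching are kept; the post
# sets no remote-address on the responder, which behaves like "any".
INGRESS_PEERS = {
    "central": {
        "connection-type": "respond",
        "local-address": "138.2.151.6",
        "remote-address": "any",
    },
}

# Hypothetical pattern written for this example; it matches the charon log
# format "no IKE config found for <local>...<remote>,".
NO_CONFIG_RE = re.compile(r"no IKE config found for (\S+)\.\.\.(\S+),")


def find_unmatched_inits(log_text):
    """Return (local_ip, remote_ip) for every IKE_SA_INIT that strongSwan
    rejected with 'no IKE config found'. The first address is the one the
    packet arrived on, the second is the initiator's source as seen here."""
    pairs = []
    for line in log_text.splitlines():
        m = NO_CONFIG_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def address_matches(configured, actual):
    """Matching rule assumed in the lead-in: 'any' (or an unset value) matches
    every address; otherwise the configured and observed strings must be equal."""
    return configured in ("any", None) or configured == actual


def diagnose(peers, log_text):
    """For each rejected IKE_SA_INIT, list why each configured peer did not match.
    An empty 'reasons' list means the addresses would have matched and the
    problem lies elsewhere (proposals, IDs, keys)."""
    findings = []
    for local_ip, remote_ip in find_unmatched_inits(log_text):
        for name, peer in peers.items():
            reasons = []
            if not address_matches(peer.get("local-address"), local_ip):
                reasons.append(
                    f"local-address {peer['local-address']} is not the address the "
                    f"packet arrived on ({local_ip}); behind a cloud 1:1 NAT the "
                    f"interface address or 'any' is what strongSwan sees"
                )
            if not address_matches(peer.get("remote-address"), remote_ip):
                reasons.append(
                    f"remote-address {peer['remote-address']} does not match the "
                    f"initiator's source {remote_ip}"
                )
            findings.append({"peer": name, "local": local_ip,
                             "remote": remote_ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in diagnose(INGRESS_PEERS, SAMPLE_LOG):
        status = "no match" if f["reasons"] else "would match"
        print(f"peer {f['peer']}: {status} for {f['local']}...{f['remote']}")
        for r in f["reasons"]:
            print("  -", r)
```

Run against the post's own log it reports one finding for peer "central": the configured local-address 138.2.151.6 is not 10.0.0.169, the address the packet was delivered to. Swapping the peer's local-address for "any" or for 10.0.0.169 in the dictionary makes the reasons list empty, which is the quickest way to tell an address-selection problem apart from a proposal or authentication mismatch (those only show up after IKE_SA_INIT is accepted).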