Hello everyone. I have a client with an unstable internet connection (cough, AT&T, cough). When their service comes back online, their VPN doesn’t come back up and “show vpn ipsec connections” shows IKE2 as up and IPsec as down. If I reset the connection with “reset vpn ipsec-peer” followed by their IP address or “restart vpn”, all is well.
The VPN is running on an internal router behind the internet-facing router, which has a NAT firewall. I’m using VyOS 1.3.2 compiled from source.
So, am I missing something in the configuration?
Thanks,
Spice
Simple diagram (with the IP addresses changed to protect the guilty):
[Internet]
|
[eth1/10.186.141.100 external router eth0/10.16.9.1]
|
(internal VLAN)
|
[eth0/10.16.9.140 internal router eth1/10.16.44.1]
|
(client VLAN)
Also, the configuration I’m using (for brevity, just the “set commands”):
External router:
set nat destination rule 4000 description 'client vpn inbound from office'
set nat destination rule 4000 destination address '10.186.141.100'
set nat destination rule 4000 inbound-interface 'eth1'
set nat destination rule 4000 source address '10.7.191.75'
set nat destination rule 4000 translation address '10.16.9.140'
set nat source rule 4002 description 'TRF ipsec outbound'
set nat source rule 4002 destination address '10.7.191.75'
set nat source rule 4002 outbound-interface 'eth1'
set nat source rule 4002 source address '10.16.9.140'
set nat source rule 4002 translation address '10.186.141.100'
Internal router:
set vpn ipsec esp-group trf-esp compression 'disable'
set vpn ipsec esp-group trf-esp lifetime '1800'
set vpn ipsec esp-group trf-esp mode 'tunnel'
set vpn ipsec esp-group trf-esp pfs 'disable'
set vpn ipsec esp-group trf-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group trf-esp proposal 1 hash 'sha256'
set vpn ipsec ike-group trf-ike close-action 'restart'
set vpn ipsec ike-group trf-ike ikev2-reauth 'yes'
set vpn ipsec ike-group trf-ike key-exchange 'ikev2'
set vpn ipsec ike-group trf-ike lifetime '86400'
set vpn ipsec ike-group trf-ike proposal 1 dh-group '2'
set vpn ipsec ike-group trf-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group trf-ike proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 104.7.191.75 authentication id '10.186.141.100'
set vpn ipsec site-to-site peer 104.7.191.75 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 104.7.191.75 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 104.7.191.75 connection-type 'initiate'
set vpn ipsec site-to-site peer 104.7.191.75 default-esp-group 'trf-esp'
set vpn ipsec site-to-site peer 104.7.191.75 description 'TRF Office'
set vpn ipsec site-to-site peer 104.7.191.75 ike-group 'trf-ike'
set vpn ipsec site-to-site peer 104.7.191.75 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 104.7.191.75 local-address '10.16.9.140'
set vpn ipsec site-to-site peer 104.7.191.75 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 104.7.191.75 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 104.7.191.75 tunnel 0 esp-group 'trf-esp'
set vpn ipsec site-to-site peer 104.7.191.75 tunnel 0 local prefix '10.16.44.0/24'
set vpn ipsec site-to-site peer 104.7.191.75 tunnel 0 remote prefix '10.18.21.0/24'
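Added example, not part of the post above and not the poster's configuration. Two things stand out in the config as posted: the ike-group carries `close-action restart` but no `dead-peer-detection`, so the local strongSwan has no liveness probe of its own and only learns that the far side is gone when rekey or reauth traffic fails (VyOS 1.3 accepts `set vpn ipsec ike-group trf-ike dead-peer-detection action 'restart'` together with `interval` and `timeout`); and the NAT rules on the external router name 10.7.191.75 while the peer on the internal router is 104.7.191.75, which, if it is not just the address scrubbing, means neither NAT rule ever matches the peer. If a tunnel still ends up with the IKE SA established and no CHILD SA after a flap, the script below is a watchdog that detects exactly that state and issues the same `reset vpn ipsec-peer` the poster runs by hand. It assumes strongSwan's `swanctl` is present (it is on VyOS 1.3), that op-mode commands can be run non-interactively via `/opt/vyatta/bin/vyatta-op-cmd-wrapper`, and that connection names contain the peer address (`peer-<ip>-tunnel-<n>`); the two SA listings embedded in it are constructed sample output in `swanctl --list-sas` format, not captures from the poster's router.

```shell
#!/bin/sh
# IPsec CHILD SA watchdog for VyOS 1.3 (added example, not the poster's config).
# Assumptions not taken from the post: strongSwan's `swanctl` is installed and
# op-mode commands can be run through /opt/vyatta/bin/vyatta-op-cmd-wrapper.
# The SA listings below are constructed sample output in `swanctl --list-sas`
# format, not captured from the poster's router.

PEER="${PEER:-104.7.191.75}"
WRAPPER=/opt/vyatta/bin/vyatta-op-cmd-wrapper

# sa_state LISTING PEER
# Classifies a `swanctl --list-sas` listing for PEER and prints one word:
#   down       no IKE SA for PEER (strongSwan's own close-action/retry handles this)
#   up         IKE SA established and at least one CHILD SA installed
#   half-open  IKE SA established but no CHILD SA (the symptom in the post)
# IKE SA lines start in column 0, CHILD SA lines are indented; both carry the
# peer address in the connection name (assumed: peer-<ip>-tunnel-<n> on VyOS 1.3).
sa_state() {
    listing=$1
    peer=$2
    ike=$(printf '%s\n' "$listing" | grep "^[^ ].*$peer" \
          | grep -cE ', (ESTABLISHED|REKEYING|REKEYED),' || true)
    child=$(printf '%s\n' "$listing" | grep "^ .*$peer" \
            | grep -cE ', (INSTALLED|REKEYING|REKEYED),' || true)
    if [ "$ike" -eq 0 ]; then
        echo down
    elif [ "$child" -eq 0 ]; then
        echo half-open
    else
        echo up
    fi
}

# Constructed sample: IKE SA up after the link flap, no CHILD SA underneath it.
SAMPLE_HALF_OPEN=$(cat <<'EOF'
peer-104.7.191.75-tunnel-0: #12, ESTABLISHED, IKEv2, 3c7a1b2d9e0f4a61_i* 8d2e5f7a1c3b4d90_r
  local  '10.186.141.100' @ 10.16.9.140[4500]
  remote '104.7.191.75' @ 104.7.191.75[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  established 95s ago, rekeying in 85012s
EOF
)

# Constructed sample: healthy tunnel, CHILD SA installed for 10.16.44.0/24 <-> 10.18.21.0/24.
SAMPLE_UP=$(cat <<'EOF'
peer-104.7.191.75-tunnel-0: #12, ESTABLISHED, IKEv2, 3c7a1b2d9e0f4a61_i* 8d2e5f7a1c3b4d90_r
  local  '10.186.141.100' @ 10.16.9.140[4500]
  remote '104.7.191.75' @ 104.7.191.75[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  established 95s ago, rekeying in 85012s
  peer-104.7.191.75-tunnel-0: #45, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 95s ago, rekeying in 1521s, expires in 1800s
    in  c3a1f0e2,      0 bytes,     0 packets
    out c0b9d8e7,      0 bytes,     0 packets
    local  10.16.44.0/24
    remote 10.18.21.0/24
EOF
)

# Live check: only a half-open tunnel is reset. A tunnel that is simply down or
# already healthy is left alone, so the reset cannot loop on every run.
main() {
    listing=$(sudo swanctl --list-sas 2>/dev/null || true)
    state=$(sa_state "$listing" "$PEER")
    if [ "$state" = half-open ]; then
        logger -t ipsec-watchdog "IKE SA to $PEER up but no CHILD SA, resetting peer"
        "$WRAPPER" reset vpn ipsec-peer "$PEER"
    fi
}

# Run the live check only when invoked as the installed script, so the
# functions above can also be sourced and exercised against the samples.
case "$0" in */ipsec-watchdog.sh) main ;; esac
```

Install it as `/config/scripts/ipsec-watchdog.sh` (so it survives image upgrades) and run it from the built-in scheduler with `set system task-scheduler task ipsec-watchdog interval 1m executable path /config/scripts/ipsec-watchdog.sh`. Treat it as a stopgap: the state it looks for is what dead-peer-detection with `action restart` is meant to clear on its own, so configure DPD first and keep the watchdog for the cases DPD does not catch.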