IPSEC down in GRE-OVER-IPsec


#1

Problem Description:

GRE over IPsec between VyOS and Vyatta is not working; IKE is up but IPsec is down.

GRE-IPsec between VyOS and Vyatta:

Topology:

VYOS(172.31.61.122)—1:1NAT GW —Y.Y.Y.Y———————GRE-IPSEC——————(X.X.X.X)—VYATTA

where X.X.X.X and Y.Y.Y.Y are public IPs

VYOS-STATIC-NAT-AWS:

wanclouds@VyOS-AMI-ZAYAD:~$ show configuration commands | grep vpn
set vpn ipsec esp-group ESP-1W0 lifetime '86400'
set vpn ipsec esp-group ESP-1W0 mode 'transport'
set vpn ipsec esp-group ESP-1W0 pfs 'dh-group5'
set vpn ipsec esp-group ESP-1W0 proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1W0 proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1W0 lifetime '86400'
set vpn ipsec ike-group IKE-1W0 proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-1W0 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1W0 proposal 1 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer X.X.X.X authentication id '419b9c8ee2544d598bf209173640f934'
set vpn ipsec site-to-site peer X.X.X.X authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer X.X.X.X authentication pre-shared-secret '62066c88582a411390965d7827d2780c'
set vpn ipsec site-to-site peer X.X.X.X authentication remote-id '419b9c8ee2544d598bf209173640f934'
set vpn ipsec site-to-site peer X.X.X.X default-esp-group 'ESP-1W0'
set vpn ipsec site-to-site peer X.X.X.X ike-group 'IKE-1W0'
set vpn ipsec site-to-site peer X.X.X.X local-address '172.31.61.122'
set vpn ipsec site-to-site peer X.X.X.X tunnel 0 protocol 'gre'
wanclouds@VyOS-AMI-ZAYAD:~$
wanclouds@VyOS-AMI-ZAYAD:~$
wanclouds@VyOS-AMI-ZAYAD:~$ show configuration commands | grep tunnel
set interfaces tunnel tun0 address '172.168.100.198/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '172.31.61.122'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 remote-ip 'X.X.X.X'
set vpn ipsec site-to-site peer X.X.X.X tunnel 0 protocol 'gre'
wanclouds@VyOS-AMI-ZAYAD:~$
wanclouds@VyOS-AMI-ZAYAD:~$
wanclouds@VyOS-AMI-ZAYAD:~$ show log
log login
wanclouds@VyOS-AMI-ZAYAD:~$ show vpn ike sa
Peer ID / IP Local ID / IP


X.X.X.X 172.31.61.122

State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
-----  -------  ----    -------  -----  ------  ------
up     aes256   md5     5        yes    3658    86400  

wanclouds@VyOS-AMI-ZAYAD:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP


X.X.X.X 172.31.61.122

Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
------  -----  -------------  -------  ----    -----  ------  ------  -----
0       down   n/a            n/a      n/a     yes    0       86400   gre

wanclouds@VyOS-AMI-ZAYAD:~$ show log
log login
wanclouds@VyOS-AMI-ZAYAD:~$ show log tail -20
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #410: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #410: starting keying attempt 37 of an unlimited number
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #428: initiating Quick Mode PSK+ENCRYPT+PFS+UP to replace #410 {using isakmp#15}
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: next payload type of ISAKMP Hash Payload has an unknown value: 58
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: malformed payload in packet
Apr 11 21:30:47 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: last message repeated 3 times
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #411: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #411: starting keying attempt 42 of an unlimited number
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #429: initiating Quick Mode PSK+ENCRYPT+PFS+UP to replace #411 {using isakmp#15}
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: next payload type of ISAKMP Hash Payload has an unknown value: 72
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: malformed payload in packet
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #412: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #412: starting keying attempt 15 of an unlimited number
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #430: initiating Quick Mode PSK+ENCRYPT+PFS+UP to replace #412 {using isakmp#15}
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: byte 2 of ISAKMP Hash Payload must be zero, but is not
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: malformed payload in packet
wanclouds@VyOS-AMI-ZAYAD:~$
wanclouds@VyOS-AMI-ZAYAD:~$

VYATTA-PUBLIC-IP:

vyatta@gw-melbourne1-02-06-2016:~$ show configuration commands | grep vpn
set vpn ipsec esp-group ESP-1W0 lifetime '86400'
set vpn ipsec esp-group ESP-1W0 mode 'transport'
set vpn ipsec esp-group ESP-1W0 pfs 'dh-group5'
set vpn ipsec esp-group ESP-1W0 proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1W0 proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1W0 lifetime '86400'
set vpn ipsec ike-group IKE-1W0 proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-1W0 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1W0 proposal 1 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'bond1v1'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer Y.Y.Y.Y authentication id '419b9c8ee2544d598bf209173640f934'
set vpn ipsec site-to-site peer Y.Y.Y.Y authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer Y.Y.Y.Y authentication pre-shared-secret '62066c88582a411390965d7827d2780c'
set vpn ipsec site-to-site peer Y.Y.Y.Y authentication remote-id '419b9c8ee2544d598bf209173640f934'
set vpn ipsec site-to-site peer Y.Y.Y.Y default-esp-group 'ESP-1W0'
set vpn ipsec site-to-site peer Y.Y.Y.Y ike-group 'IKE-1W0'
set vpn ipsec site-to-site peer Y.Y.Y.Y local-address 'X.X.X.X'
set vpn ipsec site-to-site peer Y.Y.Y.Y tunnel 0 protocol 'gre'
vyatta@gw-melbourne1-02-06-2016:~$
vyatta@gw-melbourne1-02-06-2016:~$
vyatta@gw-melbourne1-02-06-2016:~$
vyatta@gw-melbourne1-02-06-2016:~$ show configuration commands | grep tunnel
set interfaces tunnel tun0 address '172.168.100.163/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip 'X.X.X.X'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 remote-ip 'Y.Y.Y.Y'
set vpn ipsec site-to-site peer Y.Y.Y.Y tunnel 0 protocol 'gre'
vyatta@gw-melbourne1-02-06-2016:~$
vyatta@gw-melbourne1-02-06-2016:~$
vyatta@gw-melbourne1-02-06-2016:~$ show vpn ike sa
Peer ID / IP Local ID / IP


Y.Y.Y.Y X.X.X.X

State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
-----  -------  ----  -------  -----  ------  ------
up     aes256   md5   5        yes    3377    86400  

vyatta@gw-melbourne1-02-06-2016:~$
vyatta@gw-melbourne1-02-06-2016:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP


Y.Y.Y.Y X.X.X.X

Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
------  -----  -------------  -------  ----  -----  ------  ------  -----
0       down   n/a            n/a      n/a   yes    0       86400   gre

vyatta@gw-melbourne1-02-06-2016:~$ show log tail -25
Apr 11 16:32:18 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:18 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[419b9c8ee2544d598bf209173640f934]:47/0…Y.Y.Y.Y:4500[419b9c8ee2544d598bf209173640f934]:47/0===172.31.61.122/32
Apr 11 16:32:18 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_ID_INFORMATION to Y.Y.Y.Y:4500
Apr 11 16:32:19 gw-melbourne1-02-06-2016 sshd[10183]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.177.172.60 user=root
Apr 11 16:32:20 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x8e4cb23d (perhaps this is a duplicated packet)
Apr 11 16:32:20 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:21 gw-melbourne1-02-06-2016 sshd[10181]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.177.172.60 user=root
Apr 11 16:32:21 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x80a5a69d (perhaps this is a duplicated packet)
Apr 11 16:32:21 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:23 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[419b9c8ee2544d598bf209173640f934]:47/0…Y.Y.Y.Y:4500[419b9c8ee2544d598bf209173640f934]:47/0===172.31.61.122/32
Apr 11 16:32:23 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_ID_INFORMATION to Y.Y.Y.Y:4500
Apr 11 16:32:24 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xe95143e1 (perhaps this is a duplicated packet)
Apr 11 16:32:24 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:25 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xac9835cc (perhaps this is a duplicated packet)
Apr 11 16:32:25 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:26 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1c6d8a04 (perhaps this is a duplicated packet)
Apr 11 16:32:26 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:28 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x10df76cd (perhaps this is a duplicated packet)
Apr 11 16:32:28 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:32 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x83384514 (perhaps this is a duplicated packet)
Apr 11 16:32:32 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:32 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[419b9c8ee2544d598bf209173640f934]:47/0…Y.Y.Y.Y:4500[419b9c8ee2544d598bf209173640f934]:47/0===172.31.61.122/32
Apr 11 16:32:32 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_ID_INFORMATION to Y.Y.Y.Y:4500
Apr 11 16:32:33 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x142e7918 (perhaps this is a duplicated packet)
Apr 11 16:32:33 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
vyatta@gw-melbourne1-02-06-2016:~$
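Added diagnostic, not from the original post: the Vyatta line "cannot respond to IPsec SA request because no connection is known for ..." spells out the Phase 2 selectors the initiator proposed, and this parser pulls them out so the client selector the peer offered (here the VyOS private address 172.31.61.122/32 from behind the 1:1 NAT) can be compared with the public address the responder actually exchanged IKE with (Y.Y.Y.Y). The sample log lines are constructed from the post; the finding text and the End/diagnose names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the Vyatta pluto log in the post; the
# addresses and IKE IDs are the post's own placeholders.
SAMPLE_LOG = [
    'Apr 11 16:32:18 gw pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500',
    'Apr 11 16:32:18 gw pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[419b9c8ee2544d598bf209173640f934]:47/0\u2026Y.Y.Y.Y:4500[419b9c8ee2544d598bf209173640f934]:47/0===172.31.61.122/32',
]
ENDPOINT_RE = re.compile(
    r'(?P<host>[^\s\[:]+):(?P<port>\d+)\[(?P<ident>[^\]]*)\]:(?P<proto>\d+)/\d+')
# pluto separates the two ends with "..."; the pasted log renders it as "…".
NOCONN_RE = re.compile(
    r'no connection is known for (?:(?P<lsub>[\d./]+)===)?(?P<left>\S+?)'
    r'(?:\.\.\.|\u2026)(?P<right>\S+?)(?:===(?P<rsub>[\d./]+))?\s*$')

@dataclass
class End:
    host: str    # address pluto actually exchanged IKE with
    port: int    # 4500 means NAT-T encapsulation is in use
    ident: str   # IKE identity
    proto: int   # selector protocol; 47 is GRE
    subnet: str  # client selector; pluto omits it when it equals host/32

def _end(text, subnet):
    m = ENDPOINT_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"unparsable endpoint: {text}")
    return End(m['host'], int(m['port']), m['ident'], int(m['proto']),
               subnet or f"{m['host']}/32")

def parse_no_connection(line):
    # Returns (our_end, peer_end), or None for an unrelated log line.
    m = NOCONN_RE.search(line)
    if m is None:
        return None
    return _end(m['left'], m['lsub']), _end(m['right'], m['rsub'])

def diagnose(lines):
    """One finding per rejected Phase 2 request; empty list if none seen."""
    findings = []
    for line in lines:
        parsed = parse_no_connection(line)
        if parsed is None:
            continue
        peer = parsed[1]
        if peer.subnet != f"{peer.host}/32":
            # Selector differs from the source we see: transport mode behind NAT
            findings.append(f"peer {peer.host}:{peer.port} proposed selector {peer.subnet} "
                            f"proto {peer.proto}; no configured connection covers it")
    return findings
```

Run it over the output of `show log` on the responder; a non-empty result from diagnose() pins the failure on the selector mismatch rather than on the IKE proposal, which the `show vpn ike sa` output already shows as up.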


#2

Did you get the answer to this?