Ipsec going out over local address instead of vrrp vip

I’m trying to configure ipsec on VyOS 1.2.4 VRRP cluster.
My problem is the traffic trying to initiate IKE1 to AWS is going out over the local IP instead of the VRRP VIP. I am setting the local IP of the ipsec to be the VRRP VIP and not the local address, but when I tcpdump it the traffic is still initiating to AWS from the local IP.

VRRP looks like this:
set high-availability vrrp group VLAN_768 description 'VLAN_768 Currently not VLAN tagging this main public side transit VLAN'
set high-availability vrrp group VLAN_768 hello-source-address '63.199.170.235'
set high-availability vrrp group VLAN_768 interface 'bond1'
set high-availability vrrp group VLAN_768 no-preempt
set high-availability vrrp group VLAN_768 priority '254'
set high-availability vrrp group VLAN_768 virtual-address '63.199.170.237/29'
set high-availability vrrp group VLAN_768 vrid '1'
set high-availability vrrp sync-group MainSyncGroup member 'VLAN_768'

ipsec looks like this:
set vpn ipsec site-to-site peer 99.88.77.66 connection-type 'initiate'
set vpn ipsec site-to-site peer 99.88.77.66 description 'SRS-32846_AWS_slt_main_1'
set vpn ipsec site-to-site peer 99.88.77.66 ike-group 'aws-sr'
set vpn ipsec site-to-site peer 99.88.77.66 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 99.88.77.66 local-address '63.199.170.237'
set vpn ipsec site-to-site peer 99.88.77.66 vti bind 'vti0'
set vpn ipsec site-to-site peer 99.88.77.66 vti esp-group 'aws-sr'

tcpdump looks like this:
22:42:46.925570 IP 63.199.170.235.500 > 99.88.77.66.500: isakmp: phase 1 I ident

Would cluster be a better choice over VRRP or is there a way to make this work with VRRP?
Any help appreciated. Thanks.

First of all, welcome to the Vyos forums.

If you can reliably reproduce this all the time (I’m not in a position to test this I’m afraid) then I would suggest logging a bug (with as much detail as possible, sanitized of course) to https://phabricator.vyos.net/

Thank you. I have filed a support ticket as well. Not sure if you are the same guy that would be looking at that. I’ll update here if I learn anything.

I won’t be the guy, no. I’m just a Vyos fan who tries to help others! :slight_smile:

Solved.
I opened a ticket with the Sentrium/VYOS folks and they impressively figured out my problem very quickly. Turns out it was not a bug at all but a stupid NAT misconfiguration for all traffic going out through the ipsec interface.

A couple of commands they gave me to help troubleshoot the ipsec/openswan part of the configuration were:
sudo journalctl /usr/lib/ipsec/charon | grep 'IKE_SA peer-89-89-89-89-tunnel-vti'

or check for local and remote values in:

sudo swanctl -l -i peer-89-89-89-89-tunnel-vti

Once it was clear that ipsec was configured correctly they zeroed in on my NAT misconfig.

Very happy to see VYOS alive and well with an active community!

Thanks.

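The symptom in this thread (the configured `local-address` is the VRRP VIP, but the IKE packets on the wire leave from the interface address) is easy to check mechanically before suspecting a bug. The following POSIX shell script is an added example, not code from the thread or from VyOS: it extracts the `local-address` for a peer from `set vpn ipsec ...` config lines and compares it with the source address of IKE (UDP/500 or UDP/4500) packets to that peer in `tcpdump` output. The config and tcpdump text are constructed from the values posted above; on a real router you would feed it `show configuration commands | grep 'vpn ipsec'` and a captured tcpdump line instead. A mismatch means something between charon and the wire is rewriting or overriding the source address, which in this thread turned out to be a NAT rule matching traffic leaving via the IPsec interface.

```shell
#!/bin/sh
# Constructed sample input, taken from the config and tcpdump line posted in this thread.
IPSEC_CONFIG="set vpn ipsec site-to-site peer 99.88.77.66 local-address '63.199.170.237'
set vpn ipsec site-to-site peer 99.88.77.66 vti bind 'vti0'"

TCPDUMP_OUTPUT="22:42:46.925570 IP 63.199.170.235.500 > 99.88.77.66.500: isakmp: phase 1 I ident"

# configured_local_address PEER CONFIG
# Prints the local-address configured for PEER (empty if none is set).
configured_local_address() {
  printf '%s\n' "$2" |
    sed -n "s/^set vpn ipsec site-to-site peer $1 local-address '\([^']*\)'.*/\1/p"
}

# observed_ike_source PEER TCPDUMP
# Prints the source IP of the first IKE packet (UDP/500 or UDP/4500) sent to PEER.
observed_ike_source() {
  printf '%s\n' "$2" | awk -v peer="$1" '
    $2 == "IP" && $4 == ">" && $5 ~ ("^" peer "\\.(500|4500):") {
      src = $3
      sub(/\.[0-9]+$/, "", src)   # strip the trailing ".port"
      print src
      exit
    }'
}

# check_ike_source PEER CONFIG TCPDUMP
# Prints "ok" when the on-wire source matches the configured local-address,
# "mismatch <configured> <observed>" when it does not, and "unknown" when
# either value could not be determined from the input.
check_ike_source() {
  cfg=$(configured_local_address "$1" "$2")
  seen=$(observed_ike_source "$1" "$3")
  if [ -z "$cfg" ] || [ -z "$seen" ]; then
    echo "unknown"
  elif [ "$cfg" = "$seen" ]; then
    echo "ok"
  else
    echo "mismatch $cfg $seen"
  fi
}

# With the sample data from the thread this reports the VIP/interface-address mismatch.
check_ike_source 99.88.77.66 "$IPSEC_CONFIG" "$TCPDUMP_OUTPUT"
```

When the check reports a mismatch, the next step is the one the VyOS support staff took in the thread: confirm with `swanctl -l` that charon itself has the intended local address, and then look for NAT rules whose match criteria catch the IKE/ESP traffic rather than only the traffic inside the tunnel.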
