VyOS 1.2.8
I have tested other brands of equipment and the IPsec settings are no problem, but if both sides use VyOS, the traffic cannot pass through the VPN.
@server
set vpn ipsec esp-group ESPMAP2021 compression 'enable'
set vpn ipsec esp-group ESPMAP2021 lifetime '10800'
set vpn ipsec esp-group ESPMAP2021 mode 'tunnel'
set vpn ipsec esp-group ESPMAP2021 pfs 'enable'
set vpn ipsec esp-group ESPMAP2021 proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESPMAP2021 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKEMAP2021 close-action 'none'
set vpn ipsec ike-group IKEMAP2021 ikev2-reauth 'no'
set vpn ipsec ike-group IKEMAP2021 key-exchange 'ikev2'
set vpn ipsec ike-group IKEMAP2021 lifetime '36000'
set vpn ipsec ike-group IKEMAP2021 proposal 1 dh-group '14'
set vpn ipsec ike-group IKEMAP2021 proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKEMAP2021 proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer @client authentication id '100.100.100.1'
set vpn ipsec site-to-site peer @client authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer @client authentication pre-shared-secret '************'
set vpn ipsec site-to-site peer @client connection-type 'initiate'
set vpn ipsec site-to-site peer @client ike-group 'IKEMAP2021'
set vpn ipsec site-to-site peer @client ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer @client local-address '100.100.100.1'
set vpn ipsec site-to-site peer @client tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer @client tunnel 0 allow-public-networks 'enable'
set vpn ipsec site-to-site peer @client tunnel 0 esp-group 'ESPMAP2021'
set vpn ipsec site-to-site peer @client tunnel 0 local prefix '0.0.0.0/0'
set vpn ipsec site-to-site peer @client tunnel 0 remote prefix '200.200.200.0/30'
@client
set vpn ipsec esp-group ESPMAP2021 compression 'enable'
set vpn ipsec esp-group ESPMAP2021 lifetime '10800'
set vpn ipsec esp-group ESPMAP2021 mode 'tunnel'
set vpn ipsec esp-group ESPMAP2021 pfs 'enable'
set vpn ipsec esp-group ESPMAP2021 proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESPMAP2021 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKEMAP2021 close-action 'none'
set vpn ipsec ike-group IKEMAP2021 ikev2-reauth 'no'
set vpn ipsec ike-group IKEMAP2021 key-exchange 'ikev2'
set vpn ipsec ike-group IKEMAP2021 lifetime '36000'
set vpn ipsec ike-group IKEMAP2021 proposal 1 dh-group '14'
set vpn ipsec ike-group IKEMAP2021 proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKEMAP2021 proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 100.100.100.1 authentication id '@client'
set vpn ipsec site-to-site peer 100.100.100.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 100.100.100.1 authentication pre-shared-secret '************'
set vpn ipsec site-to-site peer 100.100.100.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 100.100.100.1 ike-group 'IKEMAP2021'
set vpn ipsec site-to-site peer 100.100.100.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 100.100.100.1 local-address '192.168.100.241'
set vpn ipsec site-to-site peer 100.100.100.1 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 100.100.100.1 tunnel 0 allow-public-networks 'enable'
set vpn ipsec site-to-site peer 100.100.100.1 tunnel 0 esp-group 'ESPMAP2021'
set vpn ipsec site-to-site peer 100.100.100.1 tunnel 0 local prefix '200.200.200.0/30'
set vpn ipsec site-to-site peer 100.100.100.1 tunnel 0 remote prefix '0.0.0.0/0'
vyos@vyos:~$ show vpn ipsec sa
Connection State Up Bytes In/Out Remote address Remote ID Proposal
-------------------------------------- ------- --------- -------------- ---------------- ----------- ------------------------------------------------
peer-100.100.100.1-tunnel-0 up 8 minutes 60K/47K 100.100.100.1 N/A AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
passthrough-peer-100.100.100.1-tunnel-0 down N/A N/A N/A N/A N/A
vyos@vyos:~$
Is passthrough-peer-100.100.100.1-tunnel-0 always down?
Aug 04 16:07:46 vyos charon[3231]: 13[IKE] <peer-100.100.100.1-tunnel-0|10> initiating IKE_SA peer-100.100.100.1-tunnel-0[10] to 100.100.100.1
Aug 04 16:07:46 vyos charon[3231]: 13[ENC] <peer-100.100.100.1-tunnel-0|10> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 04 16:07:46 vyos charon[3231]: 13[NET] <peer-100.100.100.1-tunnel-0|10> sending packet: from 192.168.100.241[500] to 100.100.100.1[500] (464 bytes)
Aug 04 16:07:46 vyos charon[3231]: 11[NET] <peer-100.100.100.1-tunnel-0|10> received packet: from 100.100.100.1[500] to 192.168.100.241[500] (464 bytes)
Aug 04 16:07:46 vyos charon[3231]: 11[ENC] <peer-100.100.100.1-tunnel-0|10> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 04 16:07:46 vyos charon[3231]: 11[CFG] <peer-100.100.100.1-tunnel-0|10> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Aug 04 16:07:46 vyos charon[3231]: 11[IKE] <peer-100.100.100.1-tunnel-0|10> local host is behind NAT, sending keep alives
Aug 04 16:07:46 vyos charon[3231]: 11[IKE] <peer-100.100.100.1-tunnel-0|10> authentication of 'ship03' (myself) with pre-shared key
Aug 04 16:07:46 vyos charon[3231]: 11[IKE] <peer-100.100.100.1-tunnel-0|10> establishing CHILD_SA peer-100.100.100.1-tunnel-0{19}
Aug 04 16:07:46 vyos charon[3231]: 11[ENC] <peer-100.100.100.1-tunnel-0|10> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Aug 04 16:07:46 vyos charon[3231]: 11[NET] <peer-100.100.100.1-tunnel-0|10> sending packet: from 192.168.100.241[4500] to 100.100.100.1[4500] (268 bytes)
Aug 04 16:07:46 vyos charon[3231]: 12[NET] <peer-100.100.100.1-tunnel-0|10> received packet: from 100.100.100.1[4500] to 192.168.100.241[4500] (220 bytes)
Aug 04 16:07:46 vyos charon[3231]: 12[ENC] <peer-100.100.100.1-tunnel-0|10> parsed IKE_AUTH response 1 [ IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Aug 04 16:07:46 vyos charon[3231]: 12[IKE] <peer-100.100.100.1-tunnel-0|10> authentication of '100.100.100.1' with pre-shared key successful
Aug 04 16:07:46 vyos charon[3231]: 12[IKE] <peer-100.100.100.1-tunnel-0|10> IKE_SA peer-100.100.100.1-tunnel-0[10] established between 192.168.100.241[ship03]...100.100.100.1[100.100.100.1]
Aug 04 16:07:46 vyos charon[3231]: 12[IKE] <peer-100.100.100.1-tunnel-0|10> scheduling rekeying in 35316s
Aug 04 16:07:46 vyos charon[3231]: 12[IKE] <peer-100.100.100.1-tunnel-0|10> maximum IKE_SA lifetime 35856s
Aug 04 16:07:46 vyos charon[3231]: 12[CFG] <peer-100.100.100.1-tunnel-0|10> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Aug 04 16:07:46 vyos charon[3231]: 12[IKE] <peer-100.100.100.1-tunnel-0|10> CHILD_SA peer-100.100.100.1-tunnel-0{19} established with SPIs c4d8441e_i c623a624_o and TS 200.200.200.0/30 === 0.0.0.0/0
Aug 04 16:07:46 vyos charon[3231]: 12[IKE] <peer-100.100.100.1-tunnel-0|10> peer supports MOBIKE
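As an added example that is not part of the original post and not VyOS code: a small Python script that parses the two posted `set vpn ipsec ...` dumps (abbreviated here, with timers, interfaces and the pre-shared secret left out) and cross-checks the things that must agree on both ends of a site-to-site tunnel. It verifies that the peer name each side configures is the identity the other side sends, that the ike-groups and esp-groups share at least one proposal, that the tunnel traffic selectors are mirrored (one side's local prefix is the other side's remote prefix), and that pfs and compression are set the same way. Run against the posted configs it reports no mismatch, only a note that the 0.0.0.0/0 selector also covers the peer addresses, which is what the passthrough-* entry in the show output relates to. The function names and the "A"/"B" labelling are this example's own.

```python
"""Cross-check two VyOS 1.2 'set vpn ipsec ...' dumps for mismatches.
Added example, not the poster's code or part of VyOS. The two dumps below
are an abbreviated copy of the posted configs (constructed test input)."""
import shlex

SERVER_CFG = """set vpn ipsec esp-group ESPMAP2021 compression 'enable'
set vpn ipsec esp-group ESPMAP2021 pfs 'enable'
set vpn ipsec esp-group ESPMAP2021 proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESPMAP2021 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKEMAP2021 proposal 1 dh-group '14'
set vpn ipsec ike-group IKEMAP2021 proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKEMAP2021 proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer @client authentication id '100.100.100.1'
set vpn ipsec site-to-site peer @client ike-group 'IKEMAP2021'
set vpn ipsec site-to-site peer @client tunnel 0 esp-group 'ESPMAP2021'
set vpn ipsec site-to-site peer @client tunnel 0 local prefix '0.0.0.0/0'
set vpn ipsec site-to-site peer @client tunnel 0 remote prefix '200.200.200.0/30'
"""

CLIENT_CFG = """set vpn ipsec esp-group ESPMAP2021 compression 'enable'
set vpn ipsec esp-group ESPMAP2021 pfs 'enable'
set vpn ipsec esp-group ESPMAP2021 proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESPMAP2021 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKEMAP2021 proposal 1 dh-group '14'
set vpn ipsec ike-group IKEMAP2021 proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKEMAP2021 proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 100.100.100.1 authentication id '@client'
set vpn ipsec site-to-site peer 100.100.100.1 ike-group 'IKEMAP2021'
set vpn ipsec site-to-site peer 100.100.100.1 tunnel 0 esp-group 'ESPMAP2021'
set vpn ipsec site-to-site peer 100.100.100.1 tunnel 0 local prefix '200.200.200.0/30'
set vpn ipsec site-to-site peer 100.100.100.1 tunnel 0 remote prefix '0.0.0.0/0'
"""

def parse(dump):
    """Map each 'set a b c value' line to {('a', 'b', 'c'): 'value'}."""
    cfg = {}
    for line in dump.splitlines():
        toks = shlex.split(line)
        if len(toks) > 2 and toks[0] == "set":
            cfg[tuple(toks[1:-1])] = toks[-1]
    return cfg

def subtree(cfg, *prefix):
    """Entries below a path prefix, keyed by the remaining path."""
    n = len(prefix)
    return {k[n:]: v for k, v in cfg.items() if k[:n] == prefix}

def proposals(cfg, group_type, name):
    """Proposals of an esp-group/ike-group as a set of sorted (key, value) tuples."""
    sub = subtree(cfg, "vpn", "ipsec", group_type, name, "proposal")
    return {tuple(sorted((k[-1], v) for k, v in sub.items() if k[0] == i))
            for i in {k[0] for k in sub}}

def peer(cfg):
    """(peer name, peer subtree) of the single site-to-site peer in a dump."""
    sub = subtree(cfg, "vpn", "ipsec", "site-to-site", "peer")
    name = next(iter(sub))[0]
    return name, subtree(sub, name)

def check_pair(a_dump, b_dump):
    """Return a list of findings; only notes means both ends agree."""
    a, b = parse(a_dump), parse(b_dump)
    (a_name, a_peer), (b_name, b_peer) = peer(a), peer(b)
    out = []
    # 1. The peer name one side configures is the identity the other side sends.
    for side, want, got in (("A", a_name, b_peer[("authentication", "id")]),
                            ("B", b_name, a_peer[("authentication", "id")])):
        if want != got:
            out.append(f"{side} expects peer id '{want}' but the other side sends '{got}'")
    # 2. At least one IKE proposal must be common to both ike-groups.
    if not proposals(a, "ike-group", a_peer[("ike-group",)]) & \
            proposals(b, "ike-group", b_peer[("ike-group",)]):
        out.append("no common IKE proposal")
    # 3. Per tunnel: mirrored selectors, common ESP proposal, equal pfs/compression.
    for t in sorted(k[1] for k in a_peer if k[0] == "tunnel" and k[2] == "esp-group"):
        ta, tb = subtree(a_peer, "tunnel", t), subtree(b_peer, "tunnel", t)
        if not tb:
            out.append(f"tunnel {t}: missing on B")
            continue
        a_sel = (ta[("local", "prefix")], ta[("remote", "prefix")])
        if a_sel != (tb[("remote", "prefix")], tb[("local", "prefix")]):
            out.append(f"tunnel {t}: traffic selectors are not mirrored")
        ga, gb = ta[("esp-group",)], tb[("esp-group",)]
        if not proposals(a, "esp-group", ga) & proposals(b, "esp-group", gb):
            out.append(f"tunnel {t}: no common ESP proposal")
        for opt in ("pfs", "compression"):
            va = a.get(("vpn", "ipsec", "esp-group", ga, opt))
            vb = b.get(("vpn", "ipsec", "esp-group", gb, opt))
            if va != vb:
                out.append(f"tunnel {t}: {opt} differs ({va} vs {vb})")
        if "0.0.0.0/0" in a_sel:
            out.append(f"tunnel {t}: note, selector 0.0.0.0/0 also covers the peer "
                       "addresses themselves; see the passthrough-* entry in 'show vpn ipsec sa'")
    return out
```

Usage: `check_pair(SERVER_CFG, CLIENT_CFG)` returns only the 0.0.0.0/0 note for the posted configs, so the IKE/ESP parameters and selectors are consistent and the search can move to what the charon log and `show vpn ipsec sa` report at runtime (the client being behind NAT, the passthrough entry). Feeding it a deliberately altered copy, for example the client's local prefix changed to 200.200.200.0/29, makes the selector-mirroring check fire, which is the kind of silent mismatch that leaves a CHILD_SA established but forwards no traffic.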