I want to build this: device 1 --> eth1 address 192.168.1.1/24, vti0 172.16.25.1/30
device 2 --> eth1 address 192.168.1.2/24, vti0 172.16.25.2/30
Device 1 eth1 is directly connected to Device 2 eth1.
With this setup the IPsec site-to-site VPN does not work with IKEv2, because the VTI tunnel never comes up.
But if I try key-exchange ikev1, it works and the VTI tunnel comes up successfully.
How can I get a site-to-site IPsec VPN over IKEv2 to work with VTI?
Device 1 configuration
/* Device 1 interfaces: eth1 is the physical link, vti0 the route-based tunnel endpoint */
interfaces {
/* Directly cabled to device 2's eth1 (192.168.1.2/24); also the IKE/ESP endpoint under vpn ipsec */
ethernet eth1 {
address 192.168.1.1/24
duplex auto
/* MAC address of the interface */
hw-id 08:35:71:ff:28:46
smp_affinity auto
speed auto
}
/* Tunnel interface; bound to the site-to-site peer by "vti bind vti0" under vpn ipsec */
vti vti0 {
address 172.16.25.1/30
}
}
/* Device 1: IPsec site-to-site towards device 2 (192.168.1.2) over the direct eth1 link */
vpn {
ipsec {
/* ESP (phase 2) parameters; tunnel mode is what a VTI-bound connection expects */
esp-group ESP-R1 {
compression disable
/* seconds */
lifetime 3600
mode tunnel
/* NOTE(review): dh-group5 is 1536-bit MODP; current guidance favours group 14 (2048-bit) or stronger.
   Change it on both peers together, as the proposals must match. */
pfs dh-group5
proposal 1 {
encryption aes128
hash sha256
}
}
/* IKE (phase 1) parameters */
ike-group IKE-R1 {
/* Liveness: probe every 15 s, declare the peer dead after 30 s, then restart the SA */
dead-peer-detection {
action restart
interval 15
timeout 30
}
/* Picked up by the peer below through "ikev2-reauth inherit" */
ikev2-reauth no
/* Per the post, the tunnel only comes up when this is switched to ikev1 */
key-exchange ikev2
/* seconds */
lifetime 3600
proposal 1 {
/* NOTE(review): same 1536-bit group as the ESP PFS setting; see the note there */
dh-group 5
encryption aes128
hash sha256
}
}
/* IKE/ESP is only accepted on eth1 */
ipsec-interfaces {
interface eth1
}
nat-traversal enable
site-to-site {
/* Device 2's eth1 address */
peer 192.168.1.2 {
authentication {
mode pre-shared-secret
/* Redacted in this paste; both peers must hold the same value */
pre-shared-secret ****************
}
/* Device 2 is also set to initiate; both sides may start the exchange */
connection-type initiate
default-esp-group ESP-R1
ike-group IKE-R1
ikev2-reauth inherit
local-address 192.168.1.1
/* Route-based mode: no tunnel/traffic-selector blocks are defined, traffic reaches the peer by being routed into vti0 */
vti {
bind vti0
esp-group ESP-R1
}
}
}
}
}
Device 2 configuration
/* Device 2 interfaces: eth1 is the physical link, vti0 the route-based tunnel endpoint */
interfaces {
/* Directly cabled to device 1's eth1 (192.168.1.1/24); also the IKE/ESP endpoint under vpn ipsec */
ethernet eth1 {
address 192.168.1.2/24
duplex auto
/* MAC address of the interface */
hw-id 08:35:71:ff:29:46
smp_affinity auto
speed auto
}
/* Tunnel interface; bound to the site-to-site peer by "vti bind vti0" under vpn ipsec */
vti vti0 {
address 172.16.25.2/30
}
}
/* Device 2: IPsec site-to-site towards device 1 (192.168.1.1) over the direct eth1 link; mirrors device 1 */
vpn {
ipsec {
/* ESP (phase 2) parameters; tunnel mode is what a VTI-bound connection expects */
esp-group ESP-R2 {
compression disable
/* seconds */
lifetime 3600
mode tunnel
/* NOTE(review): dh-group5 is 1536-bit MODP; current guidance favours group 14 (2048-bit) or stronger.
   Change it on both peers together, as the proposals must match. */
pfs dh-group5
proposal 1 {
encryption aes128
hash sha256
}
}
/* IKE (phase 1) parameters */
ike-group IKE-R2 {
/* Liveness: probe every 15 s, declare the peer dead after 30 s, then restart the SA */
dead-peer-detection {
action restart
interval 15
timeout 30
}
/* Picked up by the peer below through "ikev2-reauth inherit" */
ikev2-reauth no
/* Per the post, the tunnel only comes up when this is switched to ikev1 */
key-exchange ikev2
/* seconds */
lifetime 3600
proposal 1 {
/* NOTE(review): same 1536-bit group as the ESP PFS setting; see the note there */
dh-group 5
encryption aes128
hash sha256
}
}
/* IKE/ESP is only accepted on eth1 */
ipsec-interfaces {
interface eth1
}
nat-traversal enable
site-to-site {
/* Device 1's eth1 address */
peer 192.168.1.1 {
authentication {
mode pre-shared-secret
/* Redacted in this paste; must match the value on device 1 */
pre-shared-secret ****************
}
/* Device 1 is also set to initiate; both sides may start the exchange */
connection-type initiate
default-esp-group ESP-R2
ike-group IKE-R2
ikev2-reauth inherit
local-address 192.168.1.2
/* Route-based mode: no tunnel/traffic-selector blocks are defined, traffic reaches the peer by being routed into vti0 */
vti {
bind vti0
esp-group ESP-R2
}
}
}
}
}