Ipsec tunnel not returning traffic, stuck

Hi Team

I’ve built a VPN from site A (VYOS) to site B (non VYOS). The tunnel is up, but traffic does not return.

Site A is 198.18.1.1 and Site B is 198.18.1.2.

Let's assume I cannot find out what the local LAN subnet is on 198.18.1.2.

I can see the traffic using a packet trace coming over the tunnel, but it just never sends anything back. It also doesn't send the ping out, it just doesn't do anything. Just states no response seen. I think I need to do something with NAT to possibly get it back into the tunnel.

Can someone help me please?

KR
Jazzy

set vpn ipsec esp-group policy1 compression 'disable'
set vpn ipsec esp-group policy1 lifetime '1800'
set vpn ipsec esp-group policy1 mode 'tunnel'
set vpn ipsec esp-group policy1 pfs 'enable'
set vpn ipsec esp-group policy1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group policy1 proposal 1 hash 'sha256'
set vpn ipsec esp-group policy2 compression 'disable'
set vpn ipsec esp-group policy2 lifetime '1800'
set vpn ipsec esp-group policy2 mode 'transport'
set vpn ipsec esp-group policy2 pfs 'enable'
set vpn ipsec esp-group policy2 proposal 1 encryption 'aes256'
set vpn ipsec esp-group policy2 proposal 1 hash 'sha256'
set vpn ipsec ike-group policy1 ikev2-reauth 'no'
set vpn ipsec ike-group policy1 key-exchange 'ikev2'
set vpn ipsec ike-group policy1 lifetime '3600'
set vpn ipsec ike-group policy1 mode 'aggressive'
set vpn ipsec ike-group policy1 proposal 1 dh-group '14'
set vpn ipsec ike-group policy1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group policy1 proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth1.1'
set vpn ipsec logging log-level '2'
set vpn ipsec site-to-site peer 198.18.1.2 authentication id '198.18.1.1'
set vpn ipsec site-to-site peer 198.18.1.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 198.18.1.2 authentication pre-shared-secret 'xxxx'
set vpn ipsec site-to-site peer 198.18.1.2 authentication remote-id '[email protected]'
set vpn ipsec site-to-site peer 198.18.1.2 ike-group 'policy1'
set vpn ipsec site-to-site peer 198.18.1.2 local-address '198.18.1.1'
set vpn ipsec site-to-site peer 198.18.1.2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 198.18.1.2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 198.18.1.2 tunnel 0 esp-group 'policy2'

Hi

Some settings are missing. If you want to create a vpn-ipsec (policy-based) tunnel you need the local prefix / remote prefix:

set vpn ipsec site-to-site peer x.x.x.x tunnel 0 local prefix '192.18.1.0/24'
set vpn ipsec site-to-site peer x.x.x.x tunnel 0 remote prefix 'x.x.x.x/x'

Also, if you want, check our documentation; there are several examples about IPsec VPN:

https://docs.vyos.io/en/equuleus/configuration/vpn/site2site_ipsec.html

I can't add x.x.x.x/x because I don't know what the source subnet is. I did try putting a 0.0.0.0/0 there but it caused all traffic to go via the IPSEC, in turn losing connection to the device.

Hi @JazzyJ ,

In such cases dynamic routing and VTI interfaces are suitable.
Example:

AWS example, but the VyOS part is generic.

I also went up against a comparable issue anyway as of now it is agreed to me. Much gratitude to you for the help.

Thanks for the suggestion. I know I can use VTIs or dynamic routing, but I'm just looking for a method where essentially I can just NAT whatever comes in on the VYOS IPSEC tunnel, eliminating the need for specifying the remote IP addresses. As I previously said, I don't know what the remote addresses are. There must be some way? Let me know if I'm not making sense? Cheers

Hi @JazzyJ, may I know who would be initiating the traffic? Does the LAN of site B initiate the traffic? Would they be reaching out to any specific IP address or port on the other side, at Site A?

In my lab setup, Site A initiates the traffic, so I configured the source NAT and static route via vti0 and have only configured the ipsec part in Site B.

Site A:

set vpn ipsec esp-group esp1 compression 'disable'
set vpn ipsec esp-group esp1 lifetime '27000'
set vpn ipsec esp-group esp1 mode 'tunnel'
set vpn ipsec esp-group esp1 pfs 'disable'
set vpn ipsec esp-group esp1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group esp1 proposal 1 hash 'sha1'
set vpn ipsec ike-group ike1 close-action 'none'
set vpn ipsec ike-group ike1 dead-peer-detection action 'restart'
set vpn ipsec ike-group ike1 dead-peer-detection interval '2'
set vpn ipsec ike-group ike1 dead-peer-detection timeout '15'
set vpn ipsec ike-group ike1 ikev2-reauth 'no'
set vpn ipsec ike-group ike1 key-exchange 'ikev1'
set vpn ipsec ike-group ike1 lifetime '27000'
set vpn ipsec ike-group ike1 proposal 1 dh-group '2'
set vpn ipsec ike-group ike1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group ike1 proposal 1 hash 'sha1'
set vpn ipsec interface 'eth2'
set vpn ipsec site-to-site peer 11.10.0.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 11.10.0.1 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 11.10.0.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 11.10.0.1 ike-group 'ike1'
set vpn ipsec site-to-site peer 11.10.0.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 11.10.0.1 local-address '11.10.0.2'
set vpn ipsec site-to-site peer 11.10.0.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 11.10.0.1 vti esp-group 'esp1'


set interfaces vti vti0 address '192.168.0.2/30'
set nat source rule 10 outbound-interface 'vti0'
set nat source rule 10 source address '10.2.0.0/24'
set nat source rule 10 translation address 'masquerade'
set protocols static route 172.16.0.0/24 interface vti0

Site B

set vpn ipsec esp-group esp1 compression 'disable'
set vpn ipsec esp-group esp1 lifetime '27000'
set vpn ipsec esp-group esp1 mode 'tunnel'
set vpn ipsec esp-group esp1 pfs 'disable'
set vpn ipsec esp-group esp1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group esp1 proposal 1 hash 'sha1'
set vpn ipsec ike-group ike1 close-action 'none'
set vpn ipsec ike-group ike1 dead-peer-detection action 'restart'
set vpn ipsec ike-group ike1 dead-peer-detection interval '2'
set vpn ipsec ike-group ike1 dead-peer-detection timeout '15'
set vpn ipsec ike-group ike1 ikev2-reauth 'no'
set vpn ipsec ike-group ike1 key-exchange 'ikev1'
set vpn ipsec ike-group ike1 lifetime '27000'
set vpn ipsec ike-group ike1 proposal 1 dh-group '2'
set vpn ipsec ike-group ike1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group ike1 proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 11.10.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 11.10.0.2 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 11.10.0.2 connection-type 'respond'
set vpn ipsec site-to-site peer 11.10.0.2 ike-group 'ike1'
set vpn ipsec site-to-site peer 11.10.0.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 11.10.0.2 local-address '11.10.0.1'
set vpn ipsec site-to-site peer 11.10.0.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 11.10.0.2 vti esp-group 'esp1'
set interfaces vti vti0 address '192.168.0.1/30'

Site A Lan device:

vyos@vyos:~$ ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=63 time=3.36 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=63 time=3.22 ms
64 bytes from 172.16.0.1: icmp_seq=3 ttl=63 time=2.99 ms
64 bytes from 172.16.0.1: icmp_seq=4 ttl=63 time=3.14 ms

packet capture at Site B:

    192.168.0.2 > 172.16.0.1: ICMP echo request, id 61501, seq 22, length 64
22:22:29.468302 IP (tos 0x0, ttl 64, id 18663, offset 0, flags [none], proto ICMP (1), length 84)
    172.16.0.1 > 192.168.0.2: ICMP echo reply, id 61501, seq 22, length 64
22:22:30.469774 IP (tos 0x0, ttl 63, id 39714, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.2 > 172.16.0.1: ICMP echo request, id 61501, seq 23, length 64
22:22:30.470003 IP (tos 0x0, ttl 64, id 19477, offset 0, flags [none], proto ICMP (1), length 84)
    172.16.0.1 > 192.168.0.2: ICMP echo reply, id 61501, seq 23, length 64

If this example does not help you, then please share more details, like a packet trace and a network diagram, and we will try to help you.

Hey, thanks for trying to help me. I’ve just booted up my lab again. Sorry about the delay.

So site B, which is the non-VYOS appliance, is the one initiating the traffic.
Config settings -
IKE
IKE Version: v2
Authentication: SHA2-256
Encryption: AES-256
Diffie-Hellman Group: 14
Rekey: 480 (mins)
Dead Peer Detection: 10 secs
Phase 1: Aggressive
IPSEC
Authentication: SHA2-256
Encryption: AES-256
IPsec Relay: Disable
Rekey: 120 (mins)
PFS Group: 14

Site B will just send all the traffic that is defined to VYOS. When the traffic lands at VYOS, it will just see it without NAT after the tunnel, so if LAN PC at Site B is 10.0.0.5/24, VYOS will see the traffic as 10.0.0.5 client machine. I need to be able to route that traffic out of the VYOS towards the internet and return it back to the VYOS and then back into the IPSEC VPN and back to the originator.

Basically, I am looking for a method whereby the VYOS will just return the traffic back into the IPSEC VPN without the use of VTIs, static routes / dynamic routing. I just want to NAT it back where it came from.

Is it possible? Thanks for the help.

Is it possible instead to somehow define any local traffic that should be encrypted? I can possibly define the remote traffic. For example, let's say that site B is sending ANY traffic it gets to the VYOS. It could be 8.8.8.8/32 or 1.1.1.1/32 and anything else, like even just the Sky Sports website; too many to define. How can I get around defining the local prefix? I tried 0.0.0.0/0 but the traffic dies. If I put 8.8.8.8/32 then it works as expected.

set vpn ipsec site-to-site peer x.x.x.x tunnel 0 local prefix 'x.x.x.x/y'
set vpn ipsec site-to-site peer x.x.x.x tunnel 0 remote prefix '172.16.2.0/24'

Cheers
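As an added example (my own code, not from any poster in this thread and not a VyOS tool), here is a small Python checker that parses `set vpn ipsec ...` lines of the kind pasted above and flags the configuration problems the thread turns on: a policy-based `tunnel N` with no `local prefix` / `remote prefix` (the first reply), an ESP group in `mode 'transport'` bound to a site-to-site tunnel (a site-to-site tunnel between subnets needs tunnel mode), a `mode 'aggressive'` setting on an IKEv2 group (aggressive mode exists only in IKEv1, so it is ignored), a peer that appears only partially defined (what a mistyped peer address produces), and a peer with neither `tunnel` nor `vti` (the two approaches compared in the thread). It also contains a traffic-selector matcher for the last post: a `0.0.0.0/0` local prefix with a `/32` remote prefix catches only traffic to that one host, while `0.0.0.0/0` on both sides catches every packet, which matches the loss of connectivity the poster reported. The sample configuration, addresses and finding codes are constructed for the example.

```python
"""Lint VyOS 'set vpn ipsec ...' lines for the issues discussed in this thread
and show which packets a policy-based tunnel's traffic selectors would match."""
import ipaddress
import shlex

# Constructed sample in the shape of the original poster's config: an IKEv2 group
# marked aggressive, transport-mode ESP on tunnel 0, no prefixes, and a second
# peer entry that looks like a typo (only its authentication mode is set).
SAMPLE_CONFIG = """\
set vpn ipsec esp-group policy1 mode 'tunnel'
set vpn ipsec esp-group policy2 mode 'transport'
set vpn ipsec ike-group policy1 key-exchange 'ikev2'
set vpn ipsec ike-group policy1 mode 'aggressive'
set vpn ipsec site-to-site peer 198.18.1.2 ike-group 'policy1'
set vpn ipsec site-to-site peer 198.18.1.2 local-address '198.18.1.1'
set vpn ipsec site-to-site peer 198.18.1.2 tunnel 0 esp-group 'policy2'
set vpn ipsec site-to-site peer 198.18.1.3 authentication mode 'pre-shared-secret'
"""


def parse_set_lines(text):
    """Build a nested dict from 'set ...' lines; every token is a key, leaves are {}."""
    tree = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        node = tree
        for tok in shlex.split(line)[1:]:   # shlex strips the quotes around values
            node = node.setdefault(tok, {})
    return tree


def value(node, key):
    """Return the single configured value under key, or None if it is absent."""
    child = node.get(key, {})
    return next(iter(child), None) if child else None


def lint(tree):
    """Return a list of (code, message) findings; codes are names chosen for this example."""
    findings = []
    ipsec = tree.get("vpn", {}).get("ipsec", {})
    esp_groups = ipsec.get("esp-group", {})
    ike_groups = ipsec.get("ike-group", {})

    for name, ike in ike_groups.items():
        if value(ike, "key-exchange") == "ikev2" and value(ike, "mode") == "aggressive":
            findings.append(("IKE_MODE_IGNORED",
                             f"ike-group {name}: 'mode aggressive' is IKEv1-only; IKEv2 ignores it"))

    for peer, pcfg in ipsec.get("site-to-site", {}).get("peer", {}).items():
        if "ike-group" not in pcfg or "local-address" not in pcfg:
            findings.append(("PEER_INCOMPLETE",
                             f"peer {peer}: no ike-group/local-address; mistyped peer address?"))
            continue
        if value(pcfg, "ike-group") not in ike_groups:
            findings.append(("IKE_GROUP_UNDEFINED", f"peer {peer}: ike-group not defined"))
        if "tunnel" not in pcfg and "vti" not in pcfg:
            findings.append(("NO_TUNNEL_OR_VTI",
                             f"peer {peer}: neither a policy-based tunnel nor a vti binding"))
        for tun, tcfg in pcfg.get("tunnel", {}).items():
            esp = value(tcfg, "esp-group")
            if esp not in esp_groups:
                findings.append(("ESP_GROUP_UNDEFINED", f"peer {peer} tunnel {tun}: esp-group undefined"))
            elif value(esp_groups[esp], "mode") == "transport":
                findings.append(("ESP_TRANSPORT",
                                 f"peer {peer} tunnel {tun}: esp-group {esp} is transport mode; "
                                 "a site-to-site tunnel between subnets needs mode 'tunnel'"))
            local = value(tcfg.get("local", {}), "prefix")
            remote = value(tcfg.get("remote", {}), "prefix")
            if local is None or remote is None:
                findings.append(("NO_TRAFFIC_SELECTOR",
                                 f"peer {peer} tunnel {tun}: local/remote prefix missing, "
                                 "so no traffic is selected into the tunnel"))
    return findings


def selector_matches(local_prefix, remote_prefix, src, dst):
    """True if a packet src -> dst falls inside a policy-based tunnel's traffic selectors."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(local_prefix)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(remote_prefix))


if __name__ == "__main__":
    for code, msg in lint(parse_set_lines(SAMPLE_CONFIG)):
        print(f"{code}: {msg}")
    # Narrow remote prefix: only traffic to 8.8.8.8 enters the tunnel.
    print(selector_matches("0.0.0.0/0", "8.8.8.8/32", "10.0.0.5", "8.8.8.8"))   # True
    print(selector_matches("0.0.0.0/0", "8.8.8.8/32", "10.0.0.5", "1.1.1.1"))   # False
    # 0.0.0.0/0 on both sides: every packet, management sessions included, is diverted.
    print(selector_matches("0.0.0.0/0", "0.0.0.0/0", "198.18.1.1", "203.0.113.7"))  # True
```

Feed it the output of `show configuration commands | grep 'vpn ipsec'` from the router; the parser only looks at lines starting with `set`, so surrounding text is ignored.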