Hi,
I am trying to set up an IPsec VPN connection between two sites where each VPN router is behind NAT. The VPN connection was working when I used two Edgerouters but I want to move one site to VyOS router and get rid of the Edgerouter.
When I check the logs I can see that there is an issue during authentication: the Edgerouter cannot validate the identity of the VyOS router (it finds the trusted key for the VyOS router's ID but signature validation fails).
I followed the instructions in the documentation, copying the public RSA key to each peer. Maybe it is related to the different strongSwan versions used in each router's firmware (Edgerouter: strongSwan swanctl 5.6.3 / VyOS: strongSwan swanctl 5.9.8).
SITE-A (VyOS router behind NAT)
- configuration
set vpn ipsec esp-group IPSEC-ESP-DEFAULT lifetime '7200'
set vpn ipsec esp-group IPSEC-ESP-DEFAULT mode 'tunnel'
set vpn ipsec esp-group IPSEC-ESP-DEFAULT pfs 'enable'
set vpn ipsec esp-group IPSEC-ESP-DEFAULT proposal 1 encryption 'aes128'
set vpn ipsec esp-group IPSEC-ESP-DEFAULT proposal 1 hash 'sha1'
set vpn ipsec ike-group IPSEC-IKE-DEFAULT dead-peer-detection action 'restart'
set vpn ipsec ike-group IPSEC-IKE-DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IPSEC-IKE-DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IPSEC-IKE-DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IPSEC-IKE-DEFAULT lifetime '14400'
set vpn ipsec ike-group IPSEC-IKE-DEFAULT proposal 1 dh-group '14'
set vpn ipsec ike-group IPSEC-IKE-DEFAULT proposal 1 encryption 'aes128'
set vpn ipsec ike-group IPSEC-IKE-DEFAULT proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0.1204'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec options interface 'eth0.1204'
set vpn ipsec site-to-site peer vpn-hn-wl-01 authentication local-id '@vpn-hn-hh-01-01'
set vpn ipsec site-to-site peer vpn-hn-wl-01 authentication mode 'rsa'
set vpn ipsec site-to-site peer vpn-hn-wl-01 authentication remote-id '@rt-hn-wl-02'
set vpn ipsec site-to-site peer vpn-hn-wl-01 authentication rsa local-key 'IPSEC-VPN-HN-HH-01-01'
set vpn ipsec site-to-site peer vpn-hn-wl-01 authentication rsa remote-key 'IPSEC-RT-HN-WL-02'
set vpn ipsec site-to-site peer vpn-hn-wl-01 connection-type 'initiate'
set vpn ipsec site-to-site peer vpn-hn-wl-01 default-esp-group 'IPSEC-ESP-DEFAULT'
set vpn ipsec site-to-site peer vpn-hn-wl-01 description 'VPN IPsec Peer RT-HN-WL-02'
set vpn ipsec site-to-site peer vpn-hn-wl-01 ike-group 'IPSEC-IKE-DEFAULT'
set vpn ipsec site-to-site peer vpn-hn-wl-01 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer vpn-hn-wl-01 local-address 'any'
set vpn ipsec site-to-site peer vpn-hn-wl-01 remote-address '<FQDN-SITE-B>'
set vpn ipsec site-to-site peer vpn-hn-wl-01 tunnel 1 local prefix '10.255.255.123/32'
set vpn ipsec site-to-site peer vpn-hn-wl-01 tunnel 1 remote prefix '10.255.255.151/32'
- swanctl --list-conns
vpn-hn-wl-01: IKEv2, no reauthentication, rekeying every 14400s, dpd delay 30s
local: %any
remote: <FQDN-SITE-B>
local public key authentication:
id: vpn-hn-hh-01-01
certs: vpn-hn-hh-01-01
remote public key authentication:
id: rt-hn-wl-02
certs: rt-hn-wl-02
vpn-hn-wl-01-tunnel-1: TUNNEL, rekeying every 6545s, dpd action is start
local: 10.255.255.123/32
remote: 10.255.255.151/32
- swanctl --initiate --ike vpn-hn-wl-01
[IKE] initiating IKE_SA vpn-hn-wl-01[9] to <PUBLIC-IP-SITE-B>
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 10.12.4.241[500] to <PUBLIC-IP-SITE-B>[500] (464 bytes)
[NET] received packet: from <PUBLIC-IP-SITE-B>[500] to 10.12.4.241[500] (464 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
[IKE] local host is behind NAT, sending keep alives
[IKE] remote host is behind NAT
[IKE] authentication of 'vpn-hn-hh-01-01' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 10.12.4.241[4500] to <PUBLIC-IP-SITE-B>[4500] (444 bytes)
[NET] received packet: from <PUBLIC-IP-SITE-B>[4500] to 10.12.4.241[4500] (76 bytes)
[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
[IKE] received AUTHENTICATION_FAILED notify error
initiate failed: establishing IKE_SA 'vpn-hn-wl-01' failed
SITE-B (Edgerouter behind NAT)
- configuration
set vpn ipsec auto-firewall-nat-exclude disable
set vpn ipsec esp-group IPSEC-ESP-DEFAULT compression disable
set vpn ipsec esp-group IPSEC-ESP-DEFAULT lifetime 7200
set vpn ipsec esp-group IPSEC-ESP-DEFAULT mode tunnel
set vpn ipsec esp-group IPSEC-ESP-DEFAULT pfs enable
set vpn ipsec esp-group IPSEC-ESP-DEFAULT proposal 1 encryption aes128
set vpn ipsec esp-group IPSEC-ESP-DEFAULT proposal 1 hash sha1
set vpn ipsec ike-group IPSEC-IKE-DEFAULT dead-peer-detection action restart
set vpn ipsec ike-group IPSEC-IKE-DEFAULT dead-peer-detection interval 30
set vpn ipsec ike-group IPSEC-IKE-DEFAULT dead-peer-detection timeout 120
set vpn ipsec ike-group IPSEC-IKE-DEFAULT ikev2-reauth no
set vpn ipsec ike-group IPSEC-IKE-DEFAULT key-exchange ikev2
set vpn ipsec ike-group IPSEC-IKE-DEFAULT lifetime 14400
set vpn ipsec ike-group IPSEC-IKE-DEFAULT proposal 1 dh-group 14
set vpn ipsec ike-group IPSEC-IKE-DEFAULT proposal 1 encryption aes128
set vpn ipsec ike-group IPSEC-IKE-DEFAULT proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer <FQDN-SITE-A> authentication id @rt-hn-wl-02
set vpn ipsec site-to-site peer <FQDN-SITE-A> authentication mode rsa
set vpn ipsec site-to-site peer <FQDN-SITE-A> authentication remote-id @vpn-hn-hh-01-01
set vpn ipsec site-to-site peer <FQDN-SITE-A> authentication rsa-key-name IPSEC-VPN-HN-HH-01-01
set vpn ipsec site-to-site peer <FQDN-SITE-A> connection-type respond
set vpn ipsec site-to-site peer <FQDN-SITE-A> default-esp-group IPSEC-ESP-DEFAULT
set vpn ipsec site-to-site peer <FQDN-SITE-A> description 'VPN IPsec Peer VPN-HN-HH-01-01'
set vpn ipsec site-to-site peer <FQDN-SITE-A> ike-group IPSEC-IKE-DEFAULT
set vpn ipsec site-to-site peer <FQDN-SITE-A> ikev2-reauth inherit
set vpn ipsec site-to-site peer <FQDN-SITE-A> local-address any
set vpn ipsec site-to-site peer <FQDN-SITE-A> tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer <FQDN-SITE-A> tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer <FQDN-SITE-A> tunnel 1 local prefix 10.255.255.151/32
set vpn ipsec site-to-site peer <FQDN-SITE-A> tunnel 1 remote prefix 10.255.255.123/32
- swanctl --list-conns
peer-<FQDN-SITE-A>-tunnel-1: , no reauthentication, no rekeying
local: %any
remote: <FQDN-SITE-A>
local public key authentication:
id: rt-hn-wl-02
certs: rt-hn-wl-02
remote public key authentication:
id: vpn-hn-hh-01-01
certs: vpn-hn-hh-01-01
peer-<FQDN-SITE-A>-tunnel-1: TUNNEL, rekeying every 6660s
local: 10.255.255.151/32
remote: 10.255.255.123/32
- swanctl --log
09[NET] received packet: from <PUBLIC-IP-SITE-A>[62852] to 172.16.150.253[500] (464 bytes)
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
09[IKE] <PUBLIC-IP-SITE-A> is initiating an IKE_SA
09[IKE] local host is behind NAT, sending keep alives
09[IKE] remote host is behind NAT
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
09[NET] sending packet: from 172.16.150.253[500] to <PUBLIC-IP-SITE-A>[62852] (464 bytes)
08[NET] received packet: from <PUBLIC-IP-SITE-A>[62853] to 172.16.150.253[4500] (444 bytes)
08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
08[CFG] looking for peer configs matching 172.16.150.253[rt-hn-wl-02]...<PUBLIC-IP-SITE-A>[vpn-hn-hh-01-01]
08[CFG] selected peer config 'peer-<FQDN-SITE-A>-tunnel-1'
08[CFG] using trusted certificate "vpn-hn-hh-01-01"
08[IKE] signature validation failed, looking for another key
08[IKE] peer supports MOBIKE
08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
08[NET] sending packet: from 172.16.150.253[4500] to <PUBLIC-IP-SITE-A>[62853] (76 bytes)
Any help or idea is appreciated.
Thanks,
Lars