IPsec VPN doesn't work

I have built the same IPsec VPN many times, but sometimes it works and sometimes it doesn't.
I don't know how to figure it out.

Below is my config.
The left router:
eth
set vpn ipsec esp-group ESP-FNET-01 compression 'disable'
set vpn ipsec esp-group ESP-FNET-01 lifetime '3600'
set vpn ipsec esp-group ESP-FNET-01 mode 'tunnel'
set vpn ipsec esp-group ESP-FNET-01 pfs 'dh-group2'
set vpn ipsec esp-group ESP-FNET-01 proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-FNET-01 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-FNET-01 ikev2-reauth 'no'
set vpn ipsec ike-group IKE-FNET-01 key-exchange 'ikev1'
set vpn ipsec ike-group IKE-FNET-01 lifetime '28800'
set vpn ipsec ike-group IKE-FNET-01 proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-FNET-01 proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-FNET-01 proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'public-interface'
set vpn ipsec nat-networks allowed-network '0.0.0.0/0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer gg authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer gg authentication pre-shared-secret 'both-win'
set vpn ipsec site-to-site peer gg authentication remote-id '0.0.0.0'
set vpn ipsec site-to-site peer gg connection-type 'respond'
set vpn ipsec site-to-site peer gg default-esp-group 'ESP-FNET-01'
set vpn ipsec site-to-site peer gg ike-group 'IKE-FNET-01'
set vpn ipsec site-to-site peer gg ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer gg local-address 'public'
set vpn ipsec site-to-site peer gg tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer gg tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer gg tunnel 1 local prefix '10.30.245.241/32'
set vpn ipsec site-to-site peer gg tunnel 1 remote prefix '10.30.245.1/32'

The right router:
set vpn ipsec esp-group ESP-FNET-01 compression 'disable'
set vpn ipsec esp-group ESP-FNET-01 lifetime '3600'
set vpn ipsec esp-group ESP-FNET-01 mode 'tunnel'
set vpn ipsec esp-group ESP-FNET-01 pfs 'dh-group2'
set vpn ipsec esp-group ESP-FNET-01 proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-FNET-01 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-FNET-01 ikev2-reauth 'no'
set vpn ipsec ike-group IKE-FNET-01 key-exchange 'ikev1'
set vpn ipsec ike-group IKE-FNET-01 lifetime '28800'
set vpn ipsec ike-group IKE-FNET-01 proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-FNET-01 proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth2'   --> 192.168.141.188
set vpn ipsec nat-networks allowed-network '0.0.0.0/0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer xx authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xx authentication pre-shared-secret 'both-win'
set vpn ipsec site-to-site peer xx authentication remote-id '<left router's public IP>'
set vpn ipsec site-to-site peer xx connection-type 'respond'
set vpn ipsec site-to-site peer xx default-esp-group 'ESP-FNET-01'
set vpn ipsec site-to-site peer xx ike-group 'IKE-FNET-01'
set vpn ipsec site-to-site peer xx ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xx local-address '192.168.141.188'
set vpn ipsec site-to-site peer xx tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xx tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer xx tunnel 1 local prefix '10.30.245.1/32'
set vpn ipsec site-to-site peer xx tunnel 1 remote prefix '10.30.245.241/32'

192.168.141.188 will be NATed to a public IP.

I'm not good at English; thank you so much.

Hello @Niko,

I guess you need to define the correct authentication remote-id on the left router instead of 0.0.0.0; it does not have to be an IP address, e.g.
The left router:

set vpn ipsec site-to-site peer gg authentication id 'LEFT'
set vpn ipsec site-to-site peer gg authentication remote-id 'RIGHT'

The right router:

set vpn ipsec site-to-site peer xx authentication id 'RIGHT'
set vpn ipsec site-to-site peer xx authentication remote-id 'LEFT'

Execute the command show log vpn ipsec to figure out what is happening.
Note: it is also preferable to use IKEv2 if one of the peers is behind NAT.

Thanks for your answer.
Must it be an auth id and auth remote-id?
I have tried executing show log vpn ipsec:
[image]

Furthermore, what commands should I input when using IKEv2?
Thanks a lot.

Hello @Niko

Which VyOS version are you running? Try just show log all.

@Dmitry

Would it be worth ensuring that every post has to submit version information plus other core information you would find valuable?

So many threads trickle along, and then the poster declares they are running some age-old obsolete version (< 1.2.x).

What versions are actually supported in this forum?

Hello @phillipmcmahon,
LTS 1.2.x and 1.3-rolling are the supported versions.
The preferred way is to describe the version in the first message; that should make it possible to reproduce the issue.

I was suggesting making it more than a preference and a mandatory part of raising a topic on here.

Hi,

It looks like both peers have "connection-type 'respond'", and that makes both wait for the other to initiate the connection?

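Putting the two points raised in this thread together (explicit identities instead of 0.0.0.0, and not leaving both ends on 'respond'), here is an added configuration example that is not from the thread or from the VyOS project. It uses VyOS 1.2-style commands, keeps the peer names gg/xx and the group names from the posted config, uses the arbitrary strings LEFT and RIGHT as identities, and assumes the right router (192.168.141.188 behind NAT) is the side that can always reach the left router's public address, so it initiates while the left router only responds. It also switches the IKE group to IKEv2 as suggested above, adds dead-peer detection so the initiator rebuilds the tunnel when the NAT mapping expires, and sets dh-group 2 on the right router's IKE proposal, which the posted right-router config omits while the left one sets it.

```vyos
# Left router: public address, waits for the NATed peer to connect
set vpn ipsec ike-group IKE-FNET-01 key-exchange 'ikev2'
set vpn ipsec ike-group IKE-FNET-01 dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-FNET-01 dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-FNET-01 dead-peer-detection timeout '120'
set vpn ipsec site-to-site peer gg authentication id 'LEFT'
set vpn ipsec site-to-site peer gg authentication remote-id 'RIGHT'
set vpn ipsec site-to-site peer gg connection-type 'respond'

# Right router: 192.168.141.188 behind NAT, so it must be the initiator
set vpn ipsec ike-group IKE-FNET-01 key-exchange 'ikev2'
set vpn ipsec ike-group IKE-FNET-01 proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-FNET-01 dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-FNET-01 dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-FNET-01 dead-peer-detection timeout '120'
set vpn ipsec site-to-site peer xx authentication id 'RIGHT'
set vpn ipsec site-to-site peer xx authentication remote-id 'LEFT'
set vpn ipsec site-to-site peer xx connection-type 'initiate'

# On both routers, apply and then verify from operational mode
commit
save
exit
show vpn ike sa
show vpn ipsec sa
show log vpn ipsec
```

Because the left side is 'respond', it never tries to bring the tunnel up itself; the right side's DPD action 'restart' is what re-establishes the IKE SA after the NAT mapping times out, and show vpn ike sa on the left should list the SA only once the right side has initiated. The example keeps the thread's 3des/sha1/dh-group 2 ciphers so it stays comparable with the posted config; where both ends support it, aes256/sha256 with a larger DH group such as 14 is the stronger choice.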