Hi!
I am trying to migrate away from pfSense, so I have installed a VyOS 1.4.2 VM at a cloud provider to announce my IPv6 networks over BGP, from my home lab.
The home lab is running a Palo Alto Networks firewall, so I have to use IPsec from the PAN to the VyOS to announce my prefixes.
This worked as expected in pfSense, but in VyOS, even though both phases are up, I can just get through a few pings before traffic drops:
admin@ip6:~$ ping 2001:67c:339a:ff::2 source-address 2001:67c:339a:ff::1
PING 2001:67c:339a:ff::2(2001:67c:339a:ff::2) from 2001:67c:339a:ff::1 : 56 data bytes
From 2001:67c:339a:ff::1 icmp_seq=1 Destination unreachable: Address unreachable
From 2001:67c:339a:ff::1 icmp_seq=2 Destination unreachable: Address unreachable
From 2001:67c:339a:ff::1 icmp_seq=3 Destination unreachable: Address unreachable
From 2001:67c:339a:ff::1 icmp_seq=61 Destination unreachable: Address unreachable
From 2001:67c:339a:ff::1 icmp_seq=62 Destination unreachable: Address unreachable
64 bytes from 2001:67c:339a:ff::2: icmp_seq=63 ttl=63 time=15.5 ms
64 bytes from 2001:67c:339a:ff::2: icmp_seq=64 ttl=63 time=15.9 ms
64 bytes from 2001:67c:339a:ff::2: icmp_seq=88 ttl=63 time=16.5 ms
64 bytes from 2001:67c:339a:ff::2: icmp_seq=89 ttl=63 time=15.0 ms
64 bytes from 2001:67c:339a:ff::2: icmp_seq=90 ttl=63 time=14.8 ms
I got traffic flowing again when I manually initiated from the PAN device, but it quickly stops again.
Relevant config:
set interfaces vti vti0 address '2001:67c:339a:ff::1/126'
set interfaces vti vti0 mtu '1280'
set vpn ipsec authentication psk ike-example-com id 'ike.example2.com'
set vpn ipsec authentication psk ike-example-com id 'ike.example.com'
set vpn ipsec authentication psk ike-example-com secret 'longstringhere'
set vpn ipsec esp-group modern-crypto lifetime '3600'
set vpn ipsec esp-group modern-crypto mode 'tunnel'
set vpn ipsec esp-group modern-crypto pfs 'dh-group1'
set vpn ipsec esp-group modern-crypto proposal 1 encryption 'aes128'
set vpn ipsec esp-group modern-crypto proposal 1 hash 'sha1'
set vpn ipsec ike-group modern-crypto ikev2-reauth
set vpn ipsec ike-group modern-crypto key-exchange 'ikev2'
set vpn ipsec ike-group modern-crypto lifetime '28800'
set vpn ipsec ike-group modern-crypto proposal 1 dh-group '1'
set vpn ipsec ike-group modern-crypto proposal 1 encryption 'aes128'
set vpn ipsec ike-group modern-crypto proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer ike-example-com authentication local-id 'ike.example2.com'
set vpn ipsec site-to-site peer ike-example-com authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer ike-example-com authentication remote-id 'ike.example.com'
set vpn ipsec site-to-site peer ike-example-com connection-type 'initiate'
set vpn ipsec site-to-site peer ike-example-com ike-group 'modern-crypto'
set vpn ipsec site-to-site peer ike-example-com ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer ike-example-com local-address '185.125.172.170'
set vpn ipsec site-to-site peer ike-example-com remote-address 'ike.example.com'
set vpn ipsec site-to-site peer ike-example-com vti bind 'vti0'
set vpn ipsec site-to-site peer ike-example-com vti esp-group 'modern-crypto'
Anyone have any tips for this issue?
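The following is an added example (not the poster's code and not part of VyOS) that parses a VyOS configuration dump in the `set ...` form shown above and audits the IPsec parts of it: it flags proposals using MODP DH groups below 2048 bits or SHA-1, notes the effect of `ikev2-reauth`, and checks that every peer bound to a VTI has a matching `interfaces vti` definition and that `disable-route-autoinstall` is set, which VyOS's VTI documentation recommends. The embedded sample config is constructed to mirror the structure of the post with placeholder addresses; it is not the poster's real dump. The script cannot diagnose the intermittent loss on its own (the PAN side is not on the page), but it gives a quick, repeatable review of what the VyOS side is offering.

```python
"""Audit VyOS 'set vpn ipsec ...' lines for weak crypto and VTI consistency.

Added example; the sample below is constructed (addresses are documentation
prefixes, no secrets) and only mirrors the shape of the forum post's config.
"""
import re
from typing import List

SAMPLE_CONFIG = """
set interfaces vti vti0 address '2001:db8:ff::1/126'
set interfaces vti vti0 mtu '1280'
set vpn ipsec esp-group modern-crypto lifetime '3600'
set vpn ipsec esp-group modern-crypto mode 'tunnel'
set vpn ipsec esp-group modern-crypto pfs 'dh-group1'
set vpn ipsec esp-group modern-crypto proposal 1 encryption 'aes128'
set vpn ipsec esp-group modern-crypto proposal 1 hash 'sha1'
set vpn ipsec ike-group modern-crypto ikev2-reauth
set vpn ipsec ike-group modern-crypto key-exchange 'ikev2'
set vpn ipsec ike-group modern-crypto lifetime '28800'
set vpn ipsec ike-group modern-crypto proposal 1 dh-group '1'
set vpn ipsec ike-group modern-crypto proposal 1 encryption 'aes128'
set vpn ipsec ike-group modern-crypto proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer ike-example-com ike-group 'modern-crypto'
set vpn ipsec site-to-site peer ike-example-com vti bind 'vti0'
set vpn ipsec site-to-site peer ike-example-com vti esp-group 'modern-crypto'
"""

# A token is either a single-quoted string (may contain spaces) or a bare word.
_TOKEN = re.compile(r"'[^']*'|\S+")

# MODP groups 1/2/5 are 768/1024/1536-bit; modern guidance is 2048 bits or more.
WEAK_DH = {"1", "2", "5", "dh-group1", "dh-group2", "dh-group5"}
WEAK_HASH = {"md5", "sha1"}


def parse_set_lines(text: str) -> List[List[str]]:
    """Turn each 'set a b c' line into a path ['a', 'b', 'c'] with quotes stripped."""
    paths: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        toks = [t.strip("'") for t in _TOKEN.findall(line)]
        paths.append(toks[1:])  # drop the leading "set"
    return paths


def _check_group(p: List[str], kind: str, findings: List[str]) -> None:
    """Inspect one ike-group or esp-group path (p[3] is the group name)."""
    grp = p[3]
    if len(p) == 8 and p[4] == "proposal":
        key, val = p[6], p[7]
        if key == "dh-group" and val in WEAK_DH:
            findings.append(f"{kind} {grp}: proposal {p[5]} uses DH group {val} (MODP below 2048 bits)")
        if key == "hash" and val in WEAK_HASH:
            findings.append(f"{kind} {grp}: proposal {p[5]} uses {val} for integrity/PRF")
    elif len(p) == 6 and p[4] == "pfs" and p[5] in WEAK_DH:
        findings.append(f"{kind} {grp}: PFS uses {p[5]} (MODP below 2048 bits)")
    elif len(p) == 5 and p[4] == "ikev2-reauth":
        findings.append(f"{kind} {grp}: ikev2-reauth rebuilds IKE and child SAs at each IKE "
                        "lifetime expiry; plain rekeying avoids that interruption")


def audit(text: str) -> List[str]:
    """Return a list of human-readable findings for the given config dump."""
    paths = parse_set_lines(text)
    findings: List[str] = []

    for p in paths:
        if p[:3] == ["vpn", "ipsec", "ike-group"]:
            _check_group(p, "ike-group", findings)
        elif p[:3] == ["vpn", "ipsec", "esp-group"]:
            _check_group(p, "esp-group", findings)

    # VTI consistency: every bound VTI must exist, and route auto-install should be off.
    vti_ifaces = {p[2] for p in paths if p[:2] == ["interfaces", "vti"] and len(p) > 2}
    bound = {(p[4], p[7]) for p in paths
             if p[:4] == ["vpn", "ipsec", "site-to-site", "peer"]
             and len(p) == 8 and p[5:7] == ["vti", "bind"]}
    for peer, iface in sorted(bound):
        if iface not in vti_ifaces:
            findings.append(f"peer {peer}: bound to {iface} but no 'interfaces vti {iface}' is defined")
    if bound and ["vpn", "ipsec", "options", "disable-route-autoinstall"] not in paths:
        findings.append("VTI peers present but 'vpn ipsec options disable-route-autoinstall' is not set")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print("-", line)
```

Run it against `show configuration commands | grep -E 'vti|ipsec'` output saved to a file by swapping `SAMPLE_CONFIG` for that file's contents; the parser only needs the `set` form, so the PSK line can be left out of what you feed it.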