Issues with VPN Remote access

Hi,

I get this error after configuring remote access with IKEv2.

this is my template:

set vpn ipsec esp-group ESP-RA lifetime '3600'
set vpn ipsec esp-group ESP-RA pfs 'disable'
set vpn ipsec esp-group ESP-RA proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-RA proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-RA key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RA lifetime '7200'
set vpn ipsec ike-group IKE-RA proposal 10 dh-group '19'
set vpn ipsec ike-group IKE-RA proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKE-RA proposal 10 hash 'sha256'
set vpn ipsec remote-access pool ra-ipv4 prefix '17x.10.2x.x/24'
set vpn ipsec remote-access connection ra authentication local-id 'xxxxxxx'
set vpn ipsec remote-access connection ra authentication server-mode 'x509'
set vpn ipsec remote-access connection ra authentication x509 ca-certificate 'ca_root'
set vpn ipsec remote-access connection ra authentication x509 certificate 'server_cert'
set vpn ipsec remote-access connection ra esp-group 'ESP-RA'
set vpn ipsec remote-access connection ra ike-group 'IKE-RA'
set vpn ipsec remote-access connection ra local-address 'x.x.x.x'
set vpn ipsec remote-access connection ra pool 'ra-ipv4'
set vpn ipsec remote-access connection ra authentication client-mode 'eap-mschapv2'
set vpn ipsec remote-access connection ra authentication local-users username xxxx password 'xxxxx'

Oct 20 19:21:28 VyOS-Main charon: 08[NET] <4746> received packet: from 191.156.239.183[59520] to 190.25.74.132[500] (370 bytes)
Oct 20 19:21:28 VyOS-Main charon: 08[ENC] <4746> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 20 19:21:28 VyOS-Main charon-systemd[4969]: received packet: from 191.156.239.183[59520] to 190.25.74.132[500] (370 bytes)
Oct 20 19:21:28 VyOS-Main charon: 08[IKE] <4746> 191.156.239.183 is initiating an IKE_SA
Oct 20 19:21:28 VyOS-Main charon-systemd[4969]: parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 20 19:21:28 VyOS-Main charon: 08[CFG] <4746> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Oct 20 19:21:28 VyOS-Main charon-systemd[4969]: 191.156.239.183 is initiating an IKE_SA
Oct 20 19:21:28 VyOS-Main charon: 08[IKE] <4746> remote host is behind NAT

How do I enable NAT-T?
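As an added example (not from the thread), a small Python parser for the charon lines quoted above: it folds them into one record per IKE_SA, compares the selected proposal with the IKE-RA group from the template, and reports the NAT detection result. The sample log is constructed with documentation addresses in place of the real ones.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the charon lines quoted above (addresses replaced
# with documentation ranges); the charon-systemd copy lacks the <id> and is skipped.
SAMPLE_LOG = """\
Oct 20 19:21:28 VyOS-Main charon: 08[NET] <4746> received packet: from 198.51.100.7[59520] to 203.0.113.5[500] (370 bytes)
Oct 20 19:21:28 VyOS-Main charon: 08[ENC] <4746> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Oct 20 19:21:28 VyOS-Main charon-systemd[4969]: received packet: from 198.51.100.7[59520] to 203.0.113.5[500] (370 bytes)
Oct 20 19:21:28 VyOS-Main charon: 08[IKE] <4746> 198.51.100.7 is initiating an IKE_SA
Oct 20 19:21:28 VyOS-Main charon: 08[CFG] <4746> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Oct 20 19:21:28 VyOS-Main charon: 08[IKE] <4746> remote host is behind NAT
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ charon: \d+\[[A-Z]+\] <(?P<sa>\d+)> (?P<msg>.*)$")

# The IKE-RA proposal from the template, mapped to the names strongSwan prints for it.
EXPECTED_IKE = {"aes256gcm128": "AES_GCM_16_256", "sha256": "PRF_HMAC_SHA2_256", "19": "ECP_256"}

def parse_charon(text):
    """Fold charon lines into one record per IKE_SA id."""
    sas = defaultdict(lambda: {"initiator": None, "proposal": None, "nat": False, "notifies": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec, msg = sas[m["sa"]], m["msg"]
        if msg.startswith("parsed IKE_SA_INIT request"):
            rec["notifies"] = re.findall(r"N\((\w+)\)", msg)
        elif msg.endswith("is initiating an IKE_SA"):
            rec["initiator"] = msg.split()[0]
        elif msg.startswith("selected proposal: IKE:"):
            rec["proposal"] = msg.split("IKE:", 1)[1].split("/")
        elif msg == "remote host is behind NAT":
            rec["nat"] = True
    return dict(sas)

def assess(rec):
    """Return findings for one IKE_SA record; an empty list means nothing to act on."""
    findings = []
    if rec["proposal"] and set(rec["proposal"]) != set(EXPECTED_IKE.values()):
        findings.append("selected proposal differs from IKE-RA: " + "/".join(rec["proposal"]))
    if rec["nat"]:
        # NAT detection is done with the NATD_S_IP/NATD_D_IP payloads in IKE_SA_INIT;
        # once NAT is detected the peers continue on UDP/4500, so that port must be reachable.
        findings.append("NAT detected: IKE continues on UDP/4500, allow it alongside UDP/500")
    if not rec["nat"] and {"NATD_S_IP", "NATD_D_IP"} <= set(rec["notifies"]):
        findings.append("NAT detection ran, no NAT in path")
    return findings
```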

I have updated your post to fix the formatting.

Try reading this post and see if it helps.

Hi tjh,

Since this option isn’t available over remote access, how does a change need to be made to only accept certificates?

I deleted these lines:

set vpn ipsec remote-access connection ra authentication client-mode 'eap-mschapv2'
set vpn ipsec remote-access connection ra authentication local-users username xxxx password 'xxxxx'

Is this enough? Or do I need to make some additional changes?

Thanks

Ahhh right you are, my apologies I didn’t realise this.

I’m not sure of the answer to your question I’m sorry, so I’ll go away now. Sorry for being unhelpful.

Hi,

The VPN is working. Please let me know if I can configure it to validate only the certificate; I don't want to use a username and password.

Thanks

When using a RADIUS server, VyOS is probably unaware of the authentication type used, and you might be able to use authentication with certificates.
