Multiple IPsec Tunnels with GRE through same WAN interface with multiple public IPs

Hi everyone,

Recently, we attempted to create a second IPsec tunnel by assigning secondary public IPs on the same WAN interfaces between two VyOS routers.

So for example, we have on the local side (eth1 is the WAN interface with 2 public IPs):

set interfaces ethernet eth1 address x.x.x.a
set interfaces ethernet eth1 address x.x.x.c

Definition of the 2 tunnels:

set interfaces tunnel tun0 address '172.16.10.253/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip x.x.x.a
set interfaces tunnel tun0 remote-ip x.x.x.b

set interfaces tunnel tun1 address '172.16.11.253/30'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip x.x.x.c
set interfaces tunnel tun1 remote-ip x.x.x.d

ESP and IKE SA definitions:

set vpn ipsec esp-group espgrp1 compression 'disable'
set vpn ipsec esp-group espgrp1 lifetime '3600'
set vpn ipsec esp-group espgrp1 mode 'tunnel'
set vpn ipsec esp-group espgrp1 pfs 'enable'
set vpn ipsec esp-group espgrp1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group espgrp1 proposal 1 hash 'sha1'

set vpn ipsec esp-group espgrp2 compression 'disable'
set vpn ipsec esp-group espgrp2 lifetime '3600'
set vpn ipsec esp-group espgrp2 mode 'tunnel'
set vpn ipsec esp-group espgrp2 pfs 'enable'
set vpn ipsec esp-group espgrp2 proposal 1 encryption 'aes128'
set vpn ipsec esp-group espgrp2 proposal 1 hash 'sha1'

set vpn ipsec ike-group ikegrp1 dead-peer-detection action 'restart'
set vpn ipsec ike-group ikegrp1 dead-peer-detection interval '30'
set vpn ipsec ike-group ikegrp1 dead-peer-detection timeout '30'
set vpn ipsec ike-group ikegrp1 ikev2-reauth 'no'
set vpn ipsec ike-group ikegrp1 key-exchange 'ikev1'
set vpn ipsec ike-group ikegrp1 lifetime '28800'
set vpn ipsec ike-group ikegrp1 proposal 1 dh-group '2'
set vpn ipsec ike-group ikegrp1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group ikegrp1 proposal 1 hash 'sha1'

set vpn ipsec ike-group ikegrp2 dead-peer-detection action 'restart'
set vpn ipsec ike-group ikegrp2 dead-peer-detection interval '30'
set vpn ipsec ike-group ikegrp2 dead-peer-detection timeout '30'
set vpn ipsec ike-group ikegrp2 ikev2-reauth 'no'
set vpn ipsec ike-group ikegrp2 lifetime '28800'
set vpn ipsec ike-group ikegrp2 proposal 1 dh-group '2'
set vpn ipsec ike-group ikegrp2 proposal 1 encryption 'aes128'
set vpn ipsec ike-group ikegrp2 proposal 1 hash 'sha1'

######## assigning the WAN interface as the IPsec interface ###############

set vpn ipsec ipsec-interfaces interface 'eth1'

############ creating the 2 tunnels #################

set vpn ipsec site-to-site peer x.x.x.b authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.b authentication pre-shared-secret 'abracadabra'
set vpn ipsec site-to-site peer x.x.x.b connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.b default-esp-group 'espgrp1'
set vpn ipsec site-to-site peer x.x.x.b ike-group 'ikegrp1'
set vpn ipsec site-to-site peer x.x.x.b ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.b local-address 'x.x.x.a'
set vpn ipsec site-to-site peer x.x.x.b tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.b tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.b tunnel 1 protocol 'gre'

set vpn ipsec site-to-site peer x.x.x.d authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.d authentication pre-shared-secret 'paperbag'
set vpn ipsec site-to-site peer x.x.x.d connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.d default-esp-group 'espgrp2'
set vpn ipsec site-to-site peer x.x.x.d ike-group 'ikegrp2'
set vpn ipsec site-to-site peer x.x.x.d ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.d local-address 'x.x.x.c'
set vpn ipsec site-to-site peer x.x.x.d tunnel 2 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.d tunnel 2 allow-public-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.d tunnel 2 protocol 'gre'

On the remote side (eth2 is the WAN interface):

set interfaces ethernet eth2 address x.x.x.b
set interfaces ethernet eth2 address x.x.x.d

and a similar config as on the local side, with the source and destination public addresses reversed for the tunnels.

When I run "show vpn ipsec sa", basically only one tunnel shows as up:

bob@vyos:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
x.x.x.d                                 x.x.x.c

Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
------  -----  -------------  -------  ----    -----  ------  ------  -----
2       down   n/a            n/a      n/a     no     0       n/a     all

Peer ID / IP                            Local ID / IP
------------                            -------------
x.x.x.b                                 x.x.x.a

Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
------  -----  -------------  -------  ----    -----  ------  ------  -----
1       up     769.0M/40.4G   aes128   sha1_96/modp_1024 no     1860    3600    gre

So, I am wondering if it is even possible to run two IPsec VPN tunnels through the same WAN interfaces with multiple IPs. What we are trying to do, since the IPsec VPN is a single-threaded process, is to leverage the multiple threads/CPUs on the hardware the VyOS is installed on and to segregate traffic from different subnets through the different tunnels.

Alternatively, I can install a second pair of VyOS routers to create the second tunnel, but I am wondering if it's possible to handle two tunnels in this setup on 1 pair of VyOS machines.

If anyone has any experience or insight, it would be greatly appreciated.

thx in advance
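The configuration above pairs each GRE tunnel (local-ip/remote-ip) with an IPsec peer whose local-address and "protocol gre" policy cover exactly that endpoint pair; if either side of that pairing is off, the GRE traffic for that tunnel is simply not selected by IPsec and leaves the WAN interface in the clear. The following consistency check is an added example written for this thread, not code from the poster or from VyOS; it parses the "set" syntax shown above (function names and the constructed sample config are my own).

```python
# Constructed sample: the local-side lines from the thread that govern GRE/IPsec pairing
LOCAL_CONFIG = """
set interfaces ethernet eth1 address x.x.x.a
set interfaces ethernet eth1 address x.x.x.c
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip x.x.x.a
set interfaces tunnel tun0 remote-ip x.x.x.b
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip x.x.x.c
set interfaces tunnel tun1 remote-ip x.x.x.d
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer x.x.x.b local-address 'x.x.x.a'
set vpn ipsec site-to-site peer x.x.x.b tunnel 1 protocol 'gre'
set vpn ipsec site-to-site peer x.x.x.d local-address 'x.x.x.c'
set vpn ipsec site-to-site peer x.x.x.d tunnel 2 protocol 'gre'
"""

def parse_set_lines(config):
    """Tokenise 'set ...' lines into path lists; single-quoted values are unquoted."""
    return [[t.strip("'") for t in ln.split()[1:]]
            for ln in config.strip().splitlines() if ln.startswith("set ")]

def check_gre_ipsec_consistency(config):
    """Return a list of problems; an empty list means every GRE tunnel is covered by IPsec."""
    rows = parse_set_lines(config)
    ipsec_ifaces = {r[4] for r in rows if r[:4] == ["vpn", "ipsec", "ipsec-interfaces", "interface"]}
    # Public addresses on the interfaces IPsec actually binds to
    wan_addrs = {r[4].split("/")[0] for r in rows if len(r) == 5 and r[3] == "address"
                 and r[:2] == ["interfaces", "ethernet"] and r[2] in ipsec_ifaces}
    gre = {}  # tunnel name -> {encapsulation, local-ip, remote-ip}
    for r in rows:
        if len(r) == 5 and r[:2] == ["interfaces", "tunnel"]:
            gre.setdefault(r[2], {})[r[3]] = r[4]
    peers = {}  # peer address -> {local-address, gre: has a 'protocol gre' tunnel}
    for r in rows:
        if len(r) >= 7 and r[:4] == ["vpn", "ipsec", "site-to-site", "peer"]:
            p = peers.setdefault(r[4], {"gre": False})
            if r[5] == "local-address": p["local-address"] = r[6]
            if r[5] == "tunnel" and r[7:9] == ["protocol", "gre"]: p["gre"] = True
    problems = []
    for name, t in [(n, t) for n, t in gre.items() if t.get("encapsulation") == "gre"]:
        peer = peers.get(t.get("remote-ip"), {})
        # A GRE tunnel with no matching 'protocol gre' IPsec policy would carry plaintext
        if peer.get("local-address") != t.get("local-ip") or not peer.get("gre"):
            problems.append(f"{name}: GRE {t.get('local-ip')}->{t.get('remote-ip')} has no IPsec peer with protocol gre")
    for addr, p in peers.items():
        if p.get("local-address") not in wan_addrs:
            problems.append(f"peer {addr}: local-address {p.get('local-address')} is not on an ipsec-interface")
    return problems
```

Run it against the real configuration (show configuration commands) before committing; the thread's config passes, so a failure on a live box points at a typo in local-address, a missing "protocol gre", or a public IP that is not on the listed IPsec interface.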

It should be possible. What's in the logs? Also, which VyOS version?

The VPN debug logs just show the following and nothing else. I am running VyOS system image 1.2.0-rolling+201805300337 on the local side, and on the remote side I am running 1.2.0-rolling+201806010337. Not sure why there is a difference in versions, as they should be the same, but that can be easily corrected.

peer-x.x.x.d-tunnel-2: x.x.x.c...x.x.x.d IKEv1, dpddelay=30s
peer-x.x.x.d-tunnel-2: local: [x.x.x.c] uses pre-shared key authentication
peer-x.x.x.d-tunnel-2: remote: [x.x.x.d] uses pre-shared key authentication
peer-x.x.x.d-tunnel-2: child: dynamic[gre] === dynamic[gre] TUNNEL, dpdaction=restart
Security Associations (1 up, 1 connecting):
peer-x.x.x.d-tunnel-2[8]: CONNECTING, x.x.x.c[%any]...x.x.x.d[%any]
peer-x.x.x.d-tunnel-2[8]: IKEv1 SPIs: 7de95020a5375f34_i* 0000000000000000_r
peer-x.x.x.d-tunnel-2[8]: Tasks queued: QUICK_MODE

Just want to update. My configuration did work finally. The issue was that one of the public IPs I was using for the second tunnel was originally used on a test VM for speed testing. Shutting down that VM basically resolved the IP conflict.
