We are connecting two VyOS 1.1.7 installs to create an IPsec VPN tunnel with multiple networks (tunnels) using IKEv1, and everything works perfectly:
vyatta@dbvyos201:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP
------------ -------------
172.17.5.111 172.17.5.110
Description: DBVYOS202-VPN Tunnel
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
1 up 0.0/0.0 aes256 sha1_96 no 3000 3600 all
2 up 0.0/0.0 aes256 sha1_96 no 2520 3600 all
vyatta@dbvyos201:/var/log$ sudo ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 172.17.5.110:4500
000 interface eth0/eth0 172.17.5.110:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "peer-172.17.5.111-tunnel-1": 192.168.0.0/16===172.17.5.110[172.17.5.110]...172.17.5.111[172.17.5.111]===192.168.1.1/32; unrouted; eroute owner: #0
000 "peer-172.17.5.111-tunnel-1": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-172.17.5.111-tunnel-1": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 16,32; interface: eth0;
000 "peer-172.17.5.111-tunnel-1": newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "peer-172.17.5.111-tunnel-1": IKE proposal: AES_CBC_256/HMAC_SHA1/MODP_1024
000 "peer-172.17.5.111-tunnel-2": 10.55.0.0/16===172.17.5.110[172.17.5.110]...172.17.5.111[172.17.5.111]===192.168.1.1/32; unrouted; eroute owner: #0
000 "peer-172.17.5.111-tunnel-2": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-172.17.5.111-tunnel-2": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 16,32; interface: eth0;
000 "peer-172.17.5.111-tunnel-2": newest ISAKMP SA: #4; newest IPsec SA: #0;
000 "peer-172.17.5.111-tunnel-2": IKE proposal: AES_CBC_256/HMAC_SHA1/MODP_1024
When changing the key-exchange to ikev2 and having only a single tunnel, everything still works correctly:
vyatta@dbvyos201:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP
------------ -------------
172.17.5.111 172.17.5.110
Description: DBVYOS202-VPN Tunnel
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
1 up 0.0/0.0 aes256 sha1_96 no 960 3600 all
vyatta@dbvyos201:~$ sudo ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 172.17.5.110:4500
000 interface eth0/eth0 172.17.5.110:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
Status of IKEv2 charon daemon (strongSwan 4.5.2):
uptime: 67 seconds, since Jan 20 12:00:11 2017
malloc: sbrk 253952, mmap 0, used 136408, free 117544
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 4
loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
172.17.5.110
Connections:
peer-172.17.5.111-tunnel-1: 172.17.5.110...172.17.5.111
peer-172.17.5.111-tunnel-1: local: [172.17.5.110] uses pre-shared key authentication
peer-172.17.5.111-tunnel-1: remote: [172.17.5.111] uses any authentication
peer-172.17.5.111-tunnel-1: child: 192.168.5.5/32 === 192.168.1.1/32
Routed Connections:
peer-172.17.5.111-tunnel-1{1}: ROUTED, TUNNEL
peer-172.17.5.111-tunnel-1{1}: 192.168.5.5/32 === 192.168.1.1/32
Security Associations:
peer-172.17.5.111-tunnel-1[2]: ESTABLISHED 65 seconds ago, 172.17.5.110[172.17.5.110]...172.17.5.111[172.17.5.111]
peer-172.17.5.111-tunnel-1[2]: IKE SPIs: 82b23ee9b11f31fb_i f100b239ec30a37c_r*, rekeying in 2 hours
peer-172.17.5.111-tunnel-1[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-172.17.5.111-tunnel-1{3}: INSTALLED, TUNNEL, ESP SPIs: c5475c02_i cc41c561_o
peer-172.17.5.111-tunnel-1{3}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 44 minutes
peer-172.17.5.111-tunnel-1{3}: 192.168.5.5/32 === 192.168.1.1/32
The problem occurs when adding a second connection/tunnel: there are no security associations for the newly created tunnel. Resetting the connection on both sides has no effect; the second tunnel will not come "up".
vyatta@dbvyos201:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP
------------ -------------
n/a n/a
Description: DBVYOS202-VPN Tunnel
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
2 down n/a n/a n/a no 0 n/a all
Peer ID / IP Local ID / IP
------------ -------------
172.17.5.111 172.17.5.110
Description: DBVYOS202-VPN Tunnel
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
1 up 0.0/0.0 aes256 sha1_96 no 2220 3600 all
vyatta@dbvyos201:~$ sudo ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 172.17.5.110:4500
000 interface eth0/eth0 172.17.5.110:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
Status of IKEv2 charon daemon (strongSwan 4.5.2):
uptime: 63 minutes, since Jan 20 12:00:12 2017
malloc: sbrk 253952, mmap 0, used 139656, free 114296
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 4
loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
172.17.5.110
Connections:
peer-172.17.5.111-tunnel-1: 172.17.5.110...172.17.5.111
peer-172.17.5.111-tunnel-1: local: [172.17.5.110] uses pre-shared key authentication
peer-172.17.5.111-tunnel-1: remote: [172.17.5.111] uses any authentication
peer-172.17.5.111-tunnel-1: child: 192.168.5.5/32 === 192.168.1.1/32
peer-172.17.5.111-tunnel-2: child: 192.168.6.6/32 === 192.168.2.2/32
Routed Connections:
peer-172.17.5.111-tunnel-1{1}: ROUTED, TUNNEL
peer-172.17.5.111-tunnel-1{1}: 192.168.5.5/32 === 192.168.1.1/32
peer-172.17.5.111-tunnel-2{4}: ROUTED, TUNNEL
peer-172.17.5.111-tunnel-2{4}: 192.168.6.6/32 === 192.168.2.2/32
Security Associations:
peer-172.17.5.111-tunnel-1[2]: ESTABLISHED 63 minutes ago, 172.17.5.110[172.17.5.110]...172.17.5.111[172.17.5.111]
peer-172.17.5.111-tunnel-1[2]: IKE SPIs: 82b23ee9b11f31fb_i f100b239ec30a37c_r*, rekeying in 106 minutes
peer-172.17.5.111-tunnel-1[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-172.17.5.111-tunnel-1{3}: INSTALLED, TUNNEL, ESP SPIs: c0555b56_i cec9c529_o
peer-172.17.5.111-tunnel-1{3}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 23 minutes
peer-172.17.5.111-tunnel-1{3}: 192.168.5.5/32 === 192.168.1.1/32
We have seen this behavior when connecting two VyOS systems as well as when connecting to Azure. We are not able to send traffic across the second tunnel, but traffic does flow on the first tunnel.
Is this the expected behavior for IKEv2? Has anyone been able to get VyOS to connect an IPsec VPN with IKEv2? I've attached the config for multiple tunnels and IKEv2.
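As an added example (not part of the post, nor VyOS or strongSwan code), a small parser over the charon section of `ipsec statusall` that flags tunnels listed under "Routed Connections:" with no INSTALLED CHILD_SA under "Security Associations:", which is exactly the state tunnel-2 is in above. It assumes the strongSwan 4.5.x line layout shown in the post; the sample input is constructed from that output.

```python
import re
from typing import Dict

# Constructed sample, trimmed to the charon sections that matter, in the
# shape the post shows for the two-tunnel IKEv2 case.
SAMPLE_STATUS = """\
Routed Connections:
peer-172.17.5.111-tunnel-1{1}: ROUTED, TUNNEL
peer-172.17.5.111-tunnel-1{1}: 192.168.5.5/32 === 192.168.1.1/32
peer-172.17.5.111-tunnel-2{4}: ROUTED, TUNNEL
peer-172.17.5.111-tunnel-2{4}: 192.168.6.6/32 === 192.168.2.2/32
Security Associations:
peer-172.17.5.111-tunnel-1[2]: ESTABLISHED 63 minutes ago, 172.17.5.110[172.17.5.110]...172.17.5.111[172.17.5.111]
peer-172.17.5.111-tunnel-1{3}: INSTALLED, TUNNEL, ESP SPIs: c0555b56_i cec9c529_o
peer-172.17.5.111-tunnel-1{3}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 23 minutes
peer-172.17.5.111-tunnel-1{3}: 192.168.5.5/32 === 192.168.1.1/32
"""

# CHILD_SA lines carry the connection name followed by {id}; IKE_SA lines use [id].
CHILD_RE = re.compile(r"^(?P<name>[^{\s]+)\{\d+\}:\s*(?P<rest>.*)$")
TS_RE = re.compile(r"^\S+ === \S+$")  # traffic selector pair, e.g. a/32 === b/32


def find_unestablished_tunnels(status_text: str) -> Dict[str, str]:
    """Map connection name -> traffic selectors for every routed CHILD_SA
    that has no INSTALLED entry, i.e. a tunnel charon knows about but never
    brought up."""
    section = None
    routed: Dict[str, str] = {}
    installed = set()
    for raw in status_text.splitlines():
        line = raw.strip()
        # Section headers are bare labels ending in ':' with no SA ids.
        if line.endswith(":") and "{" not in line and "[" not in line:
            section = line
            continue
        m = CHILD_RE.match(line)
        if not m:
            continue
        name, rest = m.group("name"), m.group("rest")
        if section == "Routed Connections:":
            if rest.startswith("ROUTED"):
                routed.setdefault(name, "")
            elif TS_RE.match(rest):
                routed[name] = rest
        elif section == "Security Associations:" and rest.startswith("INSTALLED"):
            installed.add(name)
    return {n: ts for n, ts in routed.items() if n not in installed}


if __name__ == "__main__":
    for name, ts in find_unestablished_tunnels(SAMPLE_STATUS).items():
        print(f"no CHILD_SA installed for {name} ({ts})")
```

Run it against live output with `sudo ipsec statusall | python3 check_tunnels.py` after swapping `SAMPLE_STATUS` for `sys.stdin.read()`; a non-empty result is the same "ROUTED but never INSTALLED" condition the post describes.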