Newbie - IPSec behind Firewall (both sides)


#1

Hi,

I am trying to setup a site to site IPSec tunnel, but on both sides VyOS is behind the Firewall on the local subnet.

Port forwards have been setup to route UDP 500 and UDP 4500 to the private IP’s of the relevant instances.

I then followed the site to site examples, but am not having much luck.

The error message in the log is always:

VPN-IPSEC: packet from 11.22.33.44:500: initial Main Mode message received on aa.bb.cc.dd:500 but no connection has been authorized with policy=PSK

Here is the current IPSec config I am using:

vpn {
ipsec {
esp-group ESP-G1 {
compression disable
lifetime 1800
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE-G1 {
key-exchange ikev1
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer x.x.com {
authentication {
id @y.y.com
mode pre-shared-secret
pre-shared-secret ****************
remote-id @x.x.com
}
ike-group IKE-G1
local-address any
tunnel 0 {
allow-nat-networks disable
allow-public-networks disable
esp-group ESP-G1
local {
prefix 192.168.21.0/24
}
remote {
prefix 172.31.0.0/16
}
}
}
}
}
}

Any help would be much appreciated

Thanks


#2

Have you tried resetting peer from both side?
I seen similar issues. When I reset peer from both side, it start working.
That is, if we restart / reset one end, then VPN goes down and wont come up automatically. Then if we reset the peer on other side, it comes up successfully.


#3

Thanks this worked for me.

But I see it being an issue if I have multiple IPSec tunnels. I will have to re-look at my layout to see if I can setup a more reliable solution.


#4

It looks like the problem occurs when the VPN process is restarted or peer is reset on one end. If the peer IP is not reachable due to any interruptions in network, VPN goes down and it comes up automatic when the peer become reachable. As you said it is still an issue because the other side need to be reset when any reset or restart happened on one side. I am still searching for a fix for it. I also observed that it happens only when NAT-T is enabled between two Vyatta devices. If NAT-T is not enabled, i dont see this issue.


#5

Do you think this is particular to 2 Vyatta devices, or will it affect a Vyatta/other device as well?

I have managed to move one side so that it can have a public IP and not behind a firewall, but I still need NAT-T as the other can’t be moved out from behind the firewall - this problem still persists (due to NAT-T)


#6

I have not seen this issue when we use vyatta with other devices ( cisco )
When we used vyatta with other device, the NAT-T is enabled only in other device. It works fine without any issues.
I think you can try without NAT-T enabled. That is using “remote-id @x.x.com” in VPN config. I seen it works without NAT-T enabled. Also VPN comes up automatic if you reset or restart one side. But i did see another issue when we use this config ( without nat-t ) If tunnel is idle for some time and traffic is initiated from the network which is not behind firewall, it wont allow traffic. I still see the tunnels are up and “packets out” in source side. but at destination side, no packets are received in tunnels. But if you initiate traffic from the network which is behind firewall, the tunnels start workings and you can connect from other side as well once it started working. If your traffic is always initiated from the network which is not behind firewall, then this config works fine.


#7

I did see that we can make it work without NAT-T if we can DNAT “ESP” and “AH” protocol to the vyatta private IP.
That means, apart from port 500/udp and 4500/udp, if you able to DNAT “ESP” / “AH” protocol to he vyatta private IP, then it can work without enabling NAT-T
Also we will need to keep “remote-id @xyz.com” configuration.