Hi Guys,
I am trying to set up a VTI tunnel with Check Point, and the diagram is enclosed below. I feel something is wrong on VyOS, as I see the tunnel is completely up from the CP end; packets are even getting encrypted and forwarded through the VTI interface, but somehow I am not able to ping 192.168.60.128 or the remote ID.
Here is my VyOS configuration pertaining to the VPN:
set vpn ipsec esp-group cpesp lifetime '3600'
set vpn ipsec esp-group cpesp mode 'tunnel'
set vpn ipsec esp-group cpesp pfs 'disable'
set vpn ipsec esp-group cpesp proposal 1 encryption 'aes256'
set vpn ipsec esp-group cpesp proposal 1 hash 'sha1'
set vpn ipsec ike-group cpike key-exchange 'ikev1'
set vpn ipsec ike-group cpike lifetime '86400'
set vpn ipsec ike-group cpike proposal 1 dh-group '2'
set vpn ipsec ike-group cpike proposal 1 encryption 'aes256'
set vpn ipsec ike-group cpike proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-modes 'all'
set vpn ipsec site-to-site peer 172.16.3.30 authentication id '172.16.4.30'
set vpn ipsec site-to-site peer 172.16.3.30 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 172.16.3.30 authentication pre-shared-secret '1234567890'
set vpn ipsec site-to-site peer 172.16.3.30 authentication remote-id '172.16.3.30'
set vpn ipsec site-to-site peer 172.16.3.30 default-esp-group 'cpesp'
set vpn ipsec site-to-site peer 172.16.3.30 ike-group 'cpike'
set vpn ipsec site-to-site peer 172.16.3.30 local-address '172.16.4.30'
set vpn ipsec site-to-site peer 172.16.3.30 vti bind 'vti20'
set vpn ipsec site-to-site peer 172.16.3.30 vti esp-group 'cpesp'
set interfaces vti vti20 address '169.255.255.1/32'
set protocols static route 10.100.70.0/24 next-hop '169.255.255.2'
Here is the show output from VyOS:
vyos@VPNGW:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
172.16.3.30                             172.16.4.30

    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes256   sha1    2        no     2452    86400

vyos@VPNGW:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
172.16.3.30                             172.16.4.30

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    vti     up     0.0/75.2K      aes256   sha1    no     2220    3600    all
Here is the debug output:
000 "peer-172.16.3.30-tunnel-vti": 0.0.0.0/0===172.16.4.30[172.16.4.30]...172.16.3.30[172.16.3.30]===0.0.0.0/0; erouted; eroute owner: #2
000 "peer-172.16.3.30-tunnel-vti": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-172.16.3.30-tunnel-vti": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 0,0; interface: eth0;
000 "peer-172.16.3.30-tunnel-vti": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "peer-172.16.3.30-tunnel-vti": IKE proposal: AES_CBC_256/HMAC_SHA1/MODP_1024
000 "peer-172.16.3.30-tunnel-vti": ESP proposal: AES_CBC_256/HMAC_SHA1/<N/A>
000 #2: "peer-172.16.3.30-tunnel-vti" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1306s; newest IPSEC; eroute owner
000 #2: "peer-172.16.3.30-tunnel-vti" esp.62cd2ce8@172.16.3.30 (0 bytes) esp.cd551f05@172.16.4.30 (83244 bytes, 1s ago); tunnel
000 #1: "peer-172.16.3.30-tunnel-vti" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 83865s; newest ISAKMP
#####################################
Sun Jul 31 17:57:02 UTC 2016
- _________________________ version
- ipsec --version
Linux strongSwan U4.5.2/K3.13.11-1-586-vyos
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
- _________________________ /proc/net/pfkey
- test -r /proc/net/pfkey
- cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
- _________________________ ip-xfrm-state
- ip -s xfrm state
src 172.16.4.30 dst 172.16.3.30
proto esp spi 0x62cd2ce8(1657613544) reqid 16384(0x00004000) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
mark 9437185/0xffffffff
auth-trunc hmac(sha1) 0xf9323bf7bdace3ef8145306718211df1aa199d86 (160 bits) 96
enc cbc(aes) 0x05277315cfd27c17f3637d2743678d0ace3a435a0ae9ff3c2bfdf56c38461470 (256 bits)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2016-07-31 17:30:53 use -
stats:
replay-window 0 replay 0 failed 0
src 172.16.3.30 dst 172.16.4.30
proto esp spi 0xcd551f05(3444907781) reqid 16384(0x00004000) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
auth-trunc hmac(sha1) 0xd06e3fceb202366fa7a83ee5f2af7410f560328d (160 bits) 96
enc cbc(aes) 0x5ad58504a8a5173fbeef5b3e0cf07d1544490f1121209f23268a9eae9ab1d270 (256 bits)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
85512(bytes), 1018(packets)
#conn peer-172.16.3.30-tunnel-vti
#< /etc/dmvpn.conf 1
generated by /opt/vyatta/sbin/dmvpn-config.pl
#> /etc/ipsec.conf 56
- _________________________ ipsec/secrets
- /usr/lib/ipsec/_secretcensor
- /usr/lib/ipsec/_include /etc/ipsec.secrets
#< /etc/ipsec.secrets 1
generated by /opt/vyatta/sbin/vpn-config.pl
172.16.4.30 172.16.3.30 172.16.4.30 172.16.3.30 : PSK "[sums to 7c12…]"
#< /etc/dmvpn.secrets 1
generated by /opt/vyatta/sbin/dmvpn-config.pl
#> /etc/ipsec.secrets 6
- _________________________ /proc/net/ipsec_version
- test -r /proc/net/ipsec_version
- test -r /proc/net/pfkey
++ uname -r
- echo 'NETKEY (3.13.11-1-586-vyos) support detected '
NETKEY (3.13.11-1-586-vyos) support detected
- _________________________ /proc/net/ipsec-ls
- test -f /proc/net/ipsec_version
- _________________________ plutolog
- case "$1" in
- cat
- egrep -i pluto
- sed -n '1492,$p' /var/log/messages
Jul 31 17:30:53 VPNGW pluto[6794]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
Jul 31 17:30:53 VPNGW pluto[6794]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 31 17:30:53 VPNGW pluto[6794]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
Jul 31 17:30:53 VPNGW ipsec_starter[6709]: pluto (6794) started after 20 ms
Jul 31 17:30:53 VPNGW pluto[6794]: Changing to directory '/etc/ipsec.d/crls'
Jul 31 17:30:53 VPNGW pluto[6794]: listening for IKE messages
Jul 31 17:30:53 VPNGW pluto[6794]: adding interface eth1/eth1 192.168.60.60:500
Jul 31 17:30:53 VPNGW pluto[6794]: adding interface eth0/eth0 172.16.4.30:500
Jul 31 17:30:53 VPNGW pluto[6794]: adding interface lo/lo 127.0.0.1:500
Jul 31 17:30:53 VPNGW pluto[6794]: adding interface lo/lo ::1:500
Jul 31 17:30:53 VPNGW pluto[6794]: loading secrets from "/etc/ipsec.secrets"
Jul 31 17:30:53 VPNGW pluto[6794]: loaded PSK secret for 172.16.4.30 172.16.3.30 172.16.4.30 172.16.3.30
Jul 31 17:30:53 VPNGW pluto[6794]: loading secrets from "/etc/dmvpn.secrets"
Jul 31 17:30:53 VPNGW pluto[6794]: added connection description "peer-172.16.3.30-tunnel-vti"
Jul 31 17:30:53 VPNGW pluto[6794]: "peer-172.16.3.30-tunnel-vti" #1: initiating Main Mode
Jul 31 17:30:53 VPNGW pluto[6794]: "peer-172.16.3.30-tunnel-vti" #1: ignoring Vendor ID payload [FRAGMENTATION]
Jul 31 17:30:53 VPNGW pluto[6794]: "peer-172.16.3.30-tunnel-vti" #1: Peer ID is ID_IPV4_ADDR: '172.16.3.30'
Jul 31 17:30:53 VPNGW pluto[6794]: "peer-172.16.3.30-tunnel-vti" #1: ISAKMP SA established
Jul 31 17:30:53 VPNGW pluto[6794]: "peer-172.16.3.30-tunnel-vti" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Jul 31 17:30:53 VPNGW pluto[6794]: "peer-172.16.3.30-tunnel-vti" #2: sent QI2, IPsec SA established {ESP=>0x62cd2ce8 <0xcd551f05}
- _________________________ charonlog
- case "$1" in
- cat
- egrep -i charon
- sed -n '1,$p' /dev/null
- _________________________ date
- date
Sun Jul 31 17:57:02 UTC 2016
vyos@VPNGW:~$
What could possibly have gone wrong?
I am not able to ping 192.168.60.128 from 10.100.70.100
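An added example, not part of the original post: a small parser for the `ip -s xfrm state` counters in the dump above that groups the two SAs by reqid and flags a pair where traffic flows in only one direction, which is what the post's counters show (0 bytes on the outbound SA, 85512 bytes inbound). The sample text is constructed from the post's addresses, SPIs and counters with key material omitted.

```python
import re

# Constructed sample modelled on the `ip -s xfrm state` block in the post
# (same addresses, SPIs, reqid and counters); key lines left out.
SAMPLE_XFRM_STATE = """\
src 172.16.4.30 dst 172.16.3.30
    proto esp spi 0x62cd2ce8(1657613544) reqid 16384(0x00004000) mode tunnel
    mark 9437185/0xffffffff
    lifetime current:
      0(bytes), 0(packets)
src 172.16.3.30 dst 172.16.4.30
    proto esp spi 0xcd551f05(3444907781) reqid 16384(0x00004000) mode tunnel
    mark 9437185/0xffffffff
    lifetime current:
      85512(bytes), 1018(packets)
"""

SA_HEADER = re.compile(r"^src (\S+) dst (\S+)", re.M)
SPI_REQID = re.compile(r"spi (0x[0-9a-f]+)\S* reqid (\d+)")
COUNTERS = re.compile(r"(\d+)\(bytes\), (\d+)\(packets\)")

def parse_xfrm_state(text):
    """Split `ip -s xfrm state` output into one dict per SA (counters only)."""
    sas = []
    headers = list(SA_HEADER.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[h.start():end]
        spi, reqid = SPI_REQID.search(block).groups()
        cnt = COUNTERS.search(block)
        sas.append({"src": h.group(1), "dst": h.group(2), "spi": spi,
                    "reqid": int(reqid),
                    "bytes": int(cnt.group(1)) if cnt else 0,
                    "packets": int(cnt.group(2)) if cnt else 0})
    return sas

def check_tunnel(sas, local_ip):
    """Flag SA pairs (grouped by reqid) whose counters show one-way traffic."""
    findings, by_reqid = [], {}
    for sa in sas:
        by_reqid.setdefault(sa["reqid"], []).append(sa)
    for reqid, pair in by_reqid.items():
        out = next((s for s in pair if s["src"] == local_ip), None)
        inb = next((s for s in pair if s["dst"] == local_ip), None)
        if out is None or inb is None:
            findings.append(f"reqid {reqid}: missing one SA direction")
        elif out["bytes"] == 0 and inb["bytes"] > 0:
            findings.append(f"reqid {reqid}: one-way, peer traffic arrives but nothing leaves via spi {out['spi']}; check the route into the VTI on this side")
        elif inb["bytes"] == 0 and out["bytes"] > 0:
            findings.append(f"reqid {reqid}: one-way, traffic leaves but peer sends nothing back")
    return findings
```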