One side of site-to-site ipsec goes down


#1

Hello,

I have an ipsec VPN tunnel up between my home LAN and my Amazon AWS VPC.

Here’s the overall setup. Home LAN is on left, AWS VPC is on the right. I’ve got public, static IPs on the home LAN, which technically bypasses the double NAT; the second layer router has a public IP that is ‘passed through’ the Comcast cable modem with 5x static IPs assigned to it.

[attachment=78]

I have put in static routes on the gateways for both left and right networks to point to the VyOS VPN tunnel endpoints (192.168.1.5, 10.50.0.5) for the gateway for VPN traffic.

Everything works well, except from time to time, the tunnel seems to break down one way only. Doing a “show vpn ipsec sa” shows tunnels as up on both ends. However, if I ping from AWS VPC to Home LAN, the traffic never makes it through the tunnel. The VPC VyOS endpoint shows traffic counters going up for traffic leaving the tunnel, but nothing ever makes it “in” to the Home LAN VPN tunnel. Traffic counter won’t increment, but it still shows as “up”. Pinging the remote VPN endpoint IP address from either the local VPN endpoint or another server on the network yields the same result.

However, as soon as I ping the other way, from LAN into the AWS VPC, both pings from both directions make it through just fine. Within a few minutes, though, the same scenario happens; AWS VPC to LAN won’t go through.

To explain further:

First:
Ping from 10.50.0.63 to 192.168.1.201 does not work
Ping from 10.50.0.5 to 192.168.1.5 does not work

Second:
Ping from 192.168.1.31 to 10.50.0.63 does work
and now:
Ping from 10.50.0.63 to 192.168.1.201 does work
Ping from 10.50.0.5 to 192.168.1.5 does work

I have set dead peer detection on both endpoints:

vyos@vyos# show vpn ipsec ike-group IKE-1W dead-peer-detection
 action restart
 interval 30
 timeout 30

Any idea what is going on?

(IP addresses above are modified)

EDIT: Fixed. See below.


#2

Fixed. Just in case anybody stumbles across this via Google in the future, ensure you enable NAT-traversal on both endpoints, if you have a similar setup as this. Thought both were enabled, but only one was.
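
The fix in post #2 came down to a setting that was enabled on one endpoint but not the other. As an added example (not part of the thread), this Python script compares the `vpn ipsec` settings of two endpoints from their `set`-command exports and lists every path where they disagree. Both sample configurations and their peer addresses are constructed, and `set vpn ipsec nat-traversal enable` is assumed to be the syntax in use (VyOS 1.1-style).

```python
# Added example: find IPsec settings that differ between two VyOS endpoints.
# Input is the "set ..." form printed by `show configuration commands`.
# Both sample configurations below are constructed, including peer addresses.

HOME = """\
set vpn ipsec ike-group IKE-1W dead-peer-detection action restart
set vpn ipsec ike-group IKE-1W dead-peer-detection interval 30
set vpn ipsec ike-group IKE-1W dead-peer-detection timeout 30
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer 203.0.113.10 ike-group IKE-1W
"""

AWS = """\
set vpn ipsec ike-group IKE-1W dead-peer-detection action restart
set vpn ipsec ike-group IKE-1W dead-peer-detection interval 30
set vpn ipsec ike-group IKE-1W dead-peer-detection timeout 30
set vpn ipsec site-to-site peer 198.51.100.20 ike-group IKE-1W
"""

# Subtrees expected to match on both ends. The site-to-site subtree is left
# out because peer and local addresses legitimately differ per side.
SYMMETRIC = {"nat-traversal", "ike-group", "esp-group"}


def ipsec_settings(commands):
    """Return {path: value} for symmetric 'set vpn ipsec ...' lines."""
    settings = {}
    for line in commands.splitlines():
        words = line.split()
        if len(words) < 5 or words[:3] != ["set", "vpn", "ipsec"]:
            continue
        if words[3] in SYMMETRIC:
            settings[" ".join(words[3:-1])] = words[-1]
    return settings


def asymmetries(left, right):
    """List (path, left_value, right_value) wherever the two ends disagree."""
    a, b = ipsec_settings(left), ipsec_settings(right)
    return [(p, a.get(p), b.get(p))
            for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)]


if __name__ == "__main__":
    for path, home, aws in asymmetries(HOME, AWS):
        print(f"MISMATCH {path}: home={home!r} aws={aws!r}")
```

A value of `None` on one side means the setting is absent there, which is the case the thread ran into.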


#3

Hi,

Do you have a working config that I can use to set up a similar environment? Or could you provide a guidance document on this, as I am preparing to set up VPC and Home LAB sync for an application migration POC?

Many Thanks,
J


#4

Hello J,

We have this automated through our solution (it's on free trial) where you can connect your VyOS from home, branch, datacenters to clouds (AWS, Azure etc.)… www.wanclouds.net

  1. You can add your VyOS routers behind NAT/PAT using our agent (it takes a few seconds to download and install on any lightweight Linux VM). If the VyOS routers have public IPs, then no agent is needed; you can add them directly on our controller.

  2. Add your AWS/Azure API/Credentials and we'll automatically fetch your VyOS or Vyatta or CSR or ASAv etc. devices… you can also add them directly through the "add gateway" function.

  3. Start building your tunnels with VyOS (we have tested and support P2P or P2-Multipoint IPSec, VTI tunnels).

Please let us know if you have any questions.

www.wanclouds.net