I'm running Brocade vRouter 5600, which is based upon Vyatta.
I've got 2 gateways running in high availability, and they have been running fine for a couple of years.
I'm trying to set up a VPN/IPsec on one of my gateways, and have packets routed via the 4 tunnels created.
These are my configuration commands:
set security vpn ipsec esp-group MY-ESP compression 'disable'
set security vpn ipsec esp-group MY-ESP lifetime '3600'
set security vpn ipsec esp-group MY-ESP mode 'tunnel'
set security vpn ipsec esp-group MY-ESP pfs 'dh-group5'
set security vpn ipsec esp-group MY-ESP proposal 1 encryption 'aes256'
set security vpn ipsec esp-group MY-ESP proposal 1 hash 'sha1'
set security vpn ipsec ike-group MY-IKEV1 dead-peer-detection action 'restart'
set security vpn ipsec ike-group MY-IKEV1 dead-peer-detection interval '20'
set security vpn ipsec ike-group MY-IKEV1 dead-peer-detection timeout '90'
set security vpn ipsec ike-group MY-IKEV1 ike-version '1'
set security vpn ipsec ike-group MY-IKEV1 lifetime '86400'
set security vpn ipsec ike-group MY-IKEV1 proposal 1 dh-group '5'
set security vpn ipsec ike-group MY-IKEV1 proposal 1 encryption 'aes256'
set security vpn ipsec ike-group MY-IKEV1 proposal 1 hash 'sha1'
set security vpn ipsec site-to-site peer 70.21.22.99 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 70.21.22.99 authentication pre-shared-secret 'PSK'
set security vpn ipsec site-to-site peer 70.21.22.99 connection-type 'initiate'
set security vpn ipsec site-to-site peer 70.21.22.99 default-esp-group 'MY-ESP'
set security vpn ipsec site-to-site peer 70.21.22.99 description 'MY VPN GW1'
set security vpn ipsec site-to-site peer 70.21.22.99 ike-group 'MY-IKEV1'
set security vpn ipsec site-to-site peer 70.21.22.99 local-address '5.67.88.253'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 0 local prefix '201.199.10.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 0 remote prefix '70.99.100.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 1 local prefix '211.198.11.22/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 1 remote prefix '70.99.100.90/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 2 local prefix '211.198.11.90/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 2 remote prefix '70.101.100.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 3 local prefix '201.199.11.66/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 3 remote prefix '5.100.90.21/32'
This results in the following with show vpn ipsec sa peer 70.21.22.99:
Peer ID / IP                            Local ID / IP
------------                            -------------
70.21.22.99                             5.67.88.253

    Description: MY VPN GW1

    Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
    ------  ----------  -----  -------------  ------------  --------  --  ------  ------
    0       7           up     0.0/0.0        aes256        sha1      5   93      3600
    1       8           up     0.0/0.0        aes256        sha1      5   93      3600
    2       9           up     0.0/0.0        aes256        sha1      5   93      3600
    3       10          up     0.0/0.0        aes256        sha1      5   93      3600
But when I, e.g., try to ping 70.99.100.11, the "Bytes Out/In" doesn't change, and my remote peer cannot see any packets entering their gateway.
How can I make sure packets for the remote IP addresses are routed via my VPN/IPsec tunnels?
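The following is an added example, not part of the original question or of the Vyatta/Brocade product, to check which of the posted tunnels a given source/destination pair would match. It encodes one assumption about policy-based IPsec as configured above: a packet is only encrypted into a tunnel when its source lies in that tunnel's local prefix and its destination lies in the same tunnel's remote prefix; anything else leaves the router in the clear. The configuration lines are copied from the post; the functions `parse_selectors`, `match_tunnel` and `explain`, and the candidate flows, are constructed for this illustration. With /32 selectors, a ping that is sourced from the peer's local-address (5.67.88.253) rather than from one of the four local prefixes matches no tunnel, which is worth ruling out before looking at routing.

```python
"""Check which Vyatta-style IPsec tunnel (if any) a flow would match.

Added example: parses the 'tunnel N local|remote prefix' lines from the
posted configuration and tests src/dst pairs against the resulting traffic
selectors, the way policy-based IPsec does.  Assumption encoded here: a packet
is encrypted into tunnel N only if src is in N's local prefix AND dst is in
N's remote prefix.  Functions and sample flows are constructed for this example.
"""
import ipaddress
import re

# Selector lines copied from the posted configuration (single peer).
CONFIG = """
set security vpn ipsec site-to-site peer 70.21.22.99 local-address '5.67.88.253'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 0 local prefix '201.199.10.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 0 remote prefix '70.99.100.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 1 local prefix '211.198.11.22/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 1 remote prefix '70.99.100.90/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 2 local prefix '211.198.11.90/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 2 remote prefix '70.101.100.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 3 local prefix '201.199.11.66/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 3 remote prefix '5.100.90.21/32'
"""

TUNNEL_RE = re.compile(
    r"^set security vpn ipsec site-to-site peer (\S+) tunnel (\d+) (local|remote) prefix '([^']+)'$"
)
LOCAL_ADDR_RE = re.compile(
    r"^set security vpn ipsec site-to-site peer (\S+) local-address '([^']+)'$"
)


def parse_selectors(config):
    """Return (local_address, {tunnel_id: (local_net, remote_net)}) for one peer."""
    local_address = None
    partial = {}
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = LOCAL_ADDR_RE.match(line)
        if m:
            local_address = ipaddress.ip_address(m.group(2))
            continue
        m = TUNNEL_RE.match(line)
        if not m:
            continue  # other 'set' lines are irrelevant to selector matching
        tid, side, prefix = int(m.group(2)), m.group(3), m.group(4)
        partial.setdefault(tid, {})[side] = ipaddress.ip_network(prefix, strict=False)
    tunnels = {t: (v["local"], v["remote"]) for t, v in partial.items()
               if "local" in v and "remote" in v}
    return local_address, tunnels


def match_tunnel(tunnels, src, dst):
    """Return the id of the tunnel whose selector covers src->dst, or None (clear text)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for tid, (local_net, remote_net) in sorted(tunnels.items()):
        if s in local_net and d in remote_net:
            return tid
    return None


def explain(tunnels, src, dst):
    """Human-readable verdict, naming the half of the selector that failed."""
    tid = match_tunnel(tunnels, src, dst)
    if tid is not None:
        return f"{src} -> {dst}: encrypted via tunnel {tid}"
    d = ipaddress.ip_address(dst)
    for tid, (local_net, remote_net) in sorted(tunnels.items()):
        if d in remote_net:
            return (f"{src} -> {dst}: sent in the clear; destination is in tunnel {tid} "
                    f"remote prefix {remote_net} but source is not in local prefix {local_net}")
    return f"{src} -> {dst}: sent in the clear; no tunnel has a remote prefix covering {dst}"


LOCAL_ADDRESS, TUNNELS = parse_selectors(CONFIG)

# Constructed candidate flows: a ping sourced from the IKE local-address, and
# the same destination pinged from the tunnel 0 local prefix.
SAMPLE_FLOWS = [
    (str(LOCAL_ADDRESS), "70.99.100.11"),
    ("201.199.10.11", "70.99.100.11"),
    ("211.198.11.22", "70.99.100.90"),
    ("201.199.10.11", "70.99.100.90"),
]

if __name__ == "__main__":
    print(f"local-address {LOCAL_ADDRESS}, {len(TUNNELS)} tunnels parsed")
    for src, dst in SAMPLE_FLOWS:
        print(explain(TUNNELS, src, dst))
```

On the router itself the equivalent check is to source the test traffic from the address in the tunnel's local prefix (for example with the ping command's source/interface option) and then watch "Bytes Out/In" in show vpn ipsec sa; if a sourced ping increments the counters while an unsourced one does not, the selectors rather than the routing table are what is dropping the traffic out of the tunnel.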