Packets not routed via IPSec tunnels

I’m running Brocade vRouter 5600 which is based upon Vyatta.

I’ve got 2 gateways running in high availability, and they’ve been running fine for a couple of years.

I’m trying to set up a VPN/IPSec on one of my gateways, and have packets routed via the 4 tunnels created.

These are my configuration commands:

set security vpn ipsec esp-group MY-ESP compression 'disable'
set security vpn ipsec esp-group MY-ESP lifetime '3600'
set security vpn ipsec esp-group MY-ESP mode 'tunnel'
set security vpn ipsec esp-group MY-ESP pfs 'dh-group5'
set security vpn ipsec esp-group MY-ESP proposal 1 encryption 'aes256'
set security vpn ipsec esp-group MY-ESP proposal 1 hash 'sha1'

set security vpn ipsec ike-group MY-IKEV1 dead-peer-detection action 'restart'
set security vpn ipsec ike-group MY-IKEV1 dead-peer-detection interval '20'
set security vpn ipsec ike-group MY-IKEV1 dead-peer-detection timeout '90'
set security vpn ipsec ike-group MY-IKEV1 ike-version '1'
set security vpn ipsec ike-group MY-IKEV1 lifetime '86400'
set security vpn ipsec ike-group MY-IKEV1 proposal 1 dh-group '5'
set security vpn ipsec ike-group MY-IKEV1 proposal 1 encryption 'aes256'
set security vpn ipsec ike-group MY-IKEV1 proposal 1 hash 'sha1'

set security vpn ipsec site-to-site peer 70.21.22.99 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 70.21.22.99 authentication pre-shared-secret 'PSK'
set security vpn ipsec site-to-site peer 70.21.22.99 connection-type 'initiate'
set security vpn ipsec site-to-site peer 70.21.22.99 default-esp-group 'MY-ESP'
set security vpn ipsec site-to-site peer 70.21.22.99 description 'MY VPN GW1'
set security vpn ipsec site-to-site peer 70.21.22.99 ike-group 'MY-IKEV1'
set security vpn ipsec site-to-site peer 70.21.22.99 local-address '5.67.88.253'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 0 local prefix '201.199.10.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 0 remote prefix '70.99.100.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 1 local prefix '211.198.11.22/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 1 remote prefix '70.99.100.90/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 2 local prefix '211.198.11.90/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 2 remote prefix '70.101.100.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 3 local prefix '201.199.11.66/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 3 remote prefix '5.100.90.21/32'

This results in the following output from show vpn ipsec sa peer 70.21.22.99:

Peer ID / IP                            Local ID / IP
------------                            -------------
70.21.22.99                             5.67.88.253

Description: MY VPN GW1

Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH A-Time  L-Time
------  ----------  -----  -------------  ------------  --------  -- ------  ------
0       7           up     0.0/0.0        aes256        sha1      5  93      3600
1       8           up     0.0/0.0        aes256        sha1      5  93      3600
2       9           up     0.0/0.0        aes256        sha1      5  93      3600
3       10          up     0.0/0.0        aes256        sha1      5  93      3600

But when, for example, I try to ping 70.99.100.11, the “Bytes Out/In” doesn’t change, and my remote peer cannot see any packets entering their gateway.

How can I make sure packets for the remote IP addresses are routed via my VPN/IPSec tunnels?

You can drop an email to sales@vyos.io for commercial support options.
This forum is for VyOS and we do not support Vyatta deployments here.

I had hoped the configuration commands would be similar between VyOS and Vyatta?

Are the pings being sourced from the local prefix subnet? If not, they will not be interesting traffic to the ipsec policy and not encrypted.
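The selector check described in the reply above, as an added example (not code from the original post or from VyOS/Vyatta): it parses the tunnel prefixes out of the poster's set commands and models policy-based IPsec selection, where a packet is only protected when its source falls in a tunnel's local prefix and its destination in that same tunnel's remote prefix. Tunnel 1's remote prefix is assumed to be 70.99.100.90/32.

```python
import ipaddress
import re

# Constructed sample: the tunnel lines from the poster's configuration
# (tunnel 1's remote prefix assumed to be 70.99.100.90/32).
CONFIG = """
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 0 local prefix '201.199.10.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 0 remote prefix '70.99.100.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 1 local prefix '211.198.11.22/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 1 remote prefix '70.99.100.90/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 2 local prefix '211.198.11.90/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 2 remote prefix '70.101.100.11/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 3 local prefix '201.199.11.66/32'
set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 3 remote prefix '5.100.90.21/32'
"""

TUNNEL_RE = re.compile(
    r"set security vpn ipsec site-to-site peer (\S+) tunnel (\d+) (local|remote) prefix '([^']+)'"
)

def parse_tunnels(config):
    """Return {(peer, tunnel_id): {"local": net, "remote": net}} from the set commands."""
    tunnels = {}
    for line in config.splitlines():
        m = TUNNEL_RE.match(line.strip())
        if not m:
            continue
        peer, tid, side, prefix = m.groups()
        tunnels.setdefault((peer, int(tid)), {})[side] = ipaddress.ip_network(prefix)
    return tunnels

def matching_tunnel(tunnels, src, dst):
    """Policy-based IPsec: return the (peer, tunnel) whose local prefix contains src
    AND whose remote prefix contains dst; None means no policy matches and the packet
    simply follows the ordinary routing table, unencrypted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for key, sel in sorted(tunnels.items()):
        if "local" in sel and "remote" in sel and s in sel["local"] and d in sel["remote"]:
            return key
    return None

if __name__ == "__main__":
    t = parse_tunnels(CONFIG)
    # A ping sourced from the gateway's own outside address matches no selector.
    print(matching_tunnel(t, "5.67.88.253", "70.99.100.11"))
    # The same destination, sourced from tunnel 0's local prefix, matches tunnel 0.
    print(matching_tunnel(t, "201.199.10.11", "70.99.100.11"))
```

Note that each tunnel pairs one local /32 with one remote /32, so a source inside tunnel 0's local prefix still does not match tunnel 2's remote prefix.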