Policy Based VPN IPsec

Hi,

After upgrading from 1.1.8 to 1.3.6, I found that the policy-based IPsec VPNs are not so stable. After setting up DPD, it seems much more stable.

However, when I run the command show vpn ipsec sa, all tunnels show as down, but I can actually ping the peer prefix.

vyos:~$ sh vpn ipsec sa
Connection                     State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-----------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
peer-203.x.x.x-tunnel-3   down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-4   down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-5   down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-6   down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-7   down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-8   down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-9   down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-12  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-13  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-14  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-15  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-16  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-17  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-18  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-19  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-30  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-31  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-32  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-33  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-34  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-35  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-36  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-37  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-38  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-40  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-41  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-42  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-43  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-50  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-51  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-52  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-53  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-60  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-61  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-72  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-73  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.x.x.x-tunnel-74  down     N/A       N/A             N/A               N/A               N/A          N/A

Why are the tunnels down when I can ping the tunnels' remote prefix?

However, I can see all tunnels up by using the command “show vpn ipsec connections”

vyos:~$ sh vpn ipsec connections
Connection                     State    Type    Remote address    Local TS           Remote TS          Local id       Remote id       Proposal
-----------------------------  -------  ------  ----------------  -----------------  -----------------  -------------  --------------  -----------------------------------
peer-203.xx.xxx.xxx-tunnel-3   up       IKEv1   203.xx.xxx.xxx    -                  -                  110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/MODP_1024
peer-203.xx.xxx.xxx-tunnel-3   up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  192.168.86.0/24    110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-4   up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  192.168.93.113/32  110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-5   up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  192.168.97.0/24    110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-6   up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  172.18.102.83/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-7   up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  172.18.83.125/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-8   up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  192.168.100.0/24   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-9   up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  172.18.99.124/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-12  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  192.168.86.203/32  110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-13  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  192.168.86.67/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-14  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  192.168.93.113/32  110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-15  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  192.168.97.0/24    110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-16  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  172.18.102.83/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-17  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  172.18.83.125/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-18  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  192.168.100.0/24   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-19  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  172.18.99.124/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-30  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  10.100.114.57/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-31  up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  10.100.114.57/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-32  up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  10.100.114.62/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-33  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  10.100.114.62/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-34  up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  10.100.114.34/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-35  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  10.100.114.34/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-36  up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  10.100.114.35/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-37  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  10.100.114.35/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-38  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  10.100.114.135/32  110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-40  up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  172.16.61.113/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-41  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  172.16.61.113/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-42  up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  172.16.61.114/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-43  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  172.16.61.114/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-50  up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  172.16.61.35/32    110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-51  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  172.16.61.35/32    110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-52  up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  172.16.61.20/32    110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-53  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  172.16.61.20/32    110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-60  up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  10.100.114.118/32  110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-61  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  10.100.114.118/32  110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-72  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  10.100.106.49/32   110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-73  up       IPsec   203.xx.xxx.xxx    192.168.27.210/32  172.28.80.22/32    110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
peer-203.xx.xxx.xxx-tunnel-74  up       IPsec   203.xx.xxx.xxx    192.168.27.209/32  172.28.80.22/32    110.xx.xxx.xx  203.xx.xxx.xxx  3DES_CBC/None/HMAC_MD5_96/None
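The two tables above can be cross-checked mechanically. The script below is an added example, not part of the post and not VyOS code: it parses the whitespace-aligned output of both op-mode commands (the only assumption is the column layout shown in the post), reports every tunnel whose IPsec CHILD_SA row is up while the `show vpn ipsec sa` table says down, tells you which tunnel's Remote TS actually carries a ping to a given address, and flags proposals built from 3DES, MD5 or 1024-bit MODP groups (as every proposal in the post's second table is), since those algorithms are obsolete. The sample outputs inside the script are constructed with TEST-NET addresses; they are not the poster's router output.

```python
"""Cross-check VyOS 'show vpn ipsec sa' against 'show vpn ipsec connections'.

Added example, not VyOS code. Assumes only that both commands print
whitespace-aligned tables with the headers seen in the post. The sample
outputs below are constructed (TEST-NET addresses), not captured output.
"""
import ipaddress
import re

# Constructed sample of 'show vpn ipsec sa' for three tunnels to one peer.
SA_OUTPUT = """\
Connection                  State  Uptime  Bytes In/Out  Packets In/Out  Remote address  Remote ID     Proposal
--------------------------  -----  ------  ------------  --------------  --------------  ------------  ----------------------------------
peer-203.0.113.10-tunnel-3  down   N/A     N/A           N/A             N/A             N/A           N/A
peer-203.0.113.10-tunnel-4  down   N/A     N/A           N/A             N/A             N/A           N/A
peer-203.0.113.10-tunnel-5  up     2h10m   1.2M/3.4M     900/1200        203.0.113.10    203.0.113.10  AES_GCM_16_256/None/None/None
"""

# Constructed sample of 'show vpn ipsec connections' for the same tunnels.
# The IKE SA is shared by all tunnels to the peer, so it is listed once;
# each tunnel then has its own IPsec (CHILD_SA) row with traffic selectors.
CONN_OUTPUT = """\
Connection                  State  Type   Remote address  Local TS           Remote TS          Local id      Remote id     Proposal
--------------------------  -----  -----  --------------  -----------------  -----------------  ------------  ------------  -----------------------------------
peer-203.0.113.10-tunnel-3  up     IKEv1  203.0.113.10    -                  -                  198.51.100.2  203.0.113.10  3DES_CBC/None/HMAC_MD5_96/MODP_1024
peer-203.0.113.10-tunnel-3  up     IPsec  203.0.113.10    192.168.27.209/32  192.168.86.0/24    198.51.100.2  203.0.113.10  3DES_CBC/None/HMAC_MD5_96/None
peer-203.0.113.10-tunnel-4  up     IPsec  203.0.113.10    192.168.27.209/32  192.168.93.113/32  198.51.100.2  203.0.113.10  3DES_CBC/None/HMAC_MD5_96/None
peer-203.0.113.10-tunnel-5  up     IPsec  203.0.113.10    192.168.27.209/32  192.168.97.0/24    198.51.100.2  203.0.113.10  AES_GCM_16_256/None/None/None
"""


def parse_table(text):
    """Parse an op-mode table into a list of {header: cell} dicts.

    Cells are separated by two or more spaces; single spaces occur inside
    headers such as 'Remote address', so splitting on one space would break.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[1:]:
        if set(line.strip()) <= {"-", " "}:
            continue  # dashed rule under the header
        cells = re.split(r"\s{2,}", line.strip())
        if len(cells) != len(header):
            raise ValueError(f"expected {len(header)} columns, got {len(cells)}: {line!r}")
        rows.append(dict(zip(header, cells)))
    return rows


def reconcile(sa_text, conn_text):
    """Return {connection: reason} for tunnels whose CHILD_SA is up while the
    'show vpn ipsec sa' table does not report them up."""
    sa_state = {r["Connection"]: r["State"] for r in parse_table(sa_text)}
    findings = {}
    for r in parse_table(conn_text):
        if r["Type"] != "IPsec":
            continue  # only the CHILD_SA row says whether traffic can flow
        name = r["Connection"]
        if r["State"] == "up" and sa_state.get(name) != "up":
            findings[name] = (f"CHILD_SA up for {r['Local TS']} <-> {r['Remote TS']} "
                              f"but 'show vpn ipsec sa' reports {sa_state.get(name, 'missing')}")
    return findings


def weak_algorithms(proposal):
    """Components of a strongSwan-style proposal string that are obsolete:
    single or triple DES, MD5-based integrity, and MODP groups under 2048 bits."""
    bad = []
    for alg in proposal.split("/"):
        if alg.startswith(("DES_", "3DES_")) or "MD5" in alg:
            bad.append(alg)
        elif alg.startswith("MODP_") and int(alg.split("_")[1]) < 2048:
            bad.append(alg)
    return bad


def weak_proposals(conn_text):
    """Map connection -> sorted list of obsolete algorithms across its IKE and CHILD rows."""
    weak = {}
    for r in parse_table(conn_text):
        for alg in weak_algorithms(r["Proposal"]):
            weak.setdefault(r["Connection"], set()).add(alg)
    return {k: sorted(v) for k, v in weak.items()}


def tunnels_covering(conn_text, dst):
    """Connections whose up CHILD_SA Remote TS contains dst, i.e. the tunnel
    a ping to dst would actually be carried by."""
    addr = ipaddress.ip_address(dst)
    return [r["Connection"] for r in parse_table(conn_text)
            if r["Type"] == "IPsec" and r["State"] == "up"
            and addr in ipaddress.ip_network(r["Remote TS"], strict=False)]


if __name__ == "__main__":
    for name, why in reconcile(SA_OUTPUT, CONN_OUTPUT).items():
        print(f"MISMATCH {name}: {why}")
    for name, algs in weak_proposals(CONN_OUTPUT).items():
        print(f"WEAK     {name}: {', '.join(algs)}")
    print("ping 192.168.86.50 rides on:", tunnels_covering(CONN_OUTPUT, "192.168.86.50"))
```

On a live box the two strings would be replaced by the captured output of the commands (for instance via `vyos.opmode` or `run show ...` piped from a script); the parsing, reconciliation and proposal checks do not change. The separate `weak_algorithms` check is there because a tunnel that is "up" on 3DES/MD5/MODP_1024 is still a finding for anyone auditing the deployment, independent of the state-display question.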
