Hello Everyone,
I've been working on setting up a VyOS (1.3.x) site-to-site VPN tunnel to my Azure cloud resources. I used this link, and while I was configuring it I lost internet access to all sites from VyOS:
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x authentication id 'y.y.y.y'
set vpn ipsec site-to-site peer x.x.x.x authentication remote-id 'x.x.x.x'
set vpn ipsec site-to-site peer x.x.x.x connection-type 'respond'
set vpn ipsec site-to-site peer x.x.x.x description 'AZURE TUNNEL'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'AZUREI'
set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.x local-address '10.130.90.1'
set vpn ipsec site-to-site peer x.x.x.x vti bind 'vti1'
set vpn ipsec site-to-site peer x.x.x.x vti esp-group 'AZURE'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret '**********'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x authentication remote-id 'x.x.x.x'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x connection-type 'respond'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x description 'AZURE TUNNEL'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x ike-group 'AZURE'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth 'inherit'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x local-address '10.130.90.1'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x vti bind 'vti1'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x vti esp-group 'AZURE'
[edit]
admin@vyos# commit
[ vpn ]
Warning: Local address 10.130.90.1 specified for peer "x.x.x.x"
is not configured on any of the ipsec-interfaces and is not the
clustering address. IPsec must be re-started after address
has been configured.
My LAN (eth0) interfaces are:
10.130.90.1/24
10.130.0.1/24
10.130.90.254/24
x.x.x.x is Azure VNet Gateway public IP
y.y.y.y is my public IP address
I also set a public IP on the WAN interface (eth1). I think I lost my internet access after I used:
set vpn ipsec site-to-site peer "x.x.x.x" local-address '10.130.90.1'
I used 10.130.90.1 as a private IP address.
Do you have any ideas, guys?
Hi @Dmitry, no, I didn't check, because after I got this message I lost connection to the network and sites, so I had to restore the last VyOS snapshot again to fix it.
admin@vyos# commit
[ vpn ]
Warning: Local address 10.130.90.1 specified for peer "x.x.x.x"
is not configured on any of the ipsec-interfaces and is not the
clustering address. IPsec must be re-started after address
has been configured.
We have a vCenter (located in the datacenter) where everything is connected to the VyOS firewall. We have just one firewall, and I have remote access to the VMs on vCenter, so we don't have access if the firewall goes down! Maybe I need to have a second firewall?!
Last time I lost everything and asked the datacenter to restore the last snapshot … because of this I need to be sure about the configuration before doing anything.
Hi @Dmitry, thanks for your help again.
I want to try to set it up again, but I have a question before doing it: if I can't resolve the problem with that command, how can I check all the parameters to find the problem on VyOS?
Do you have any idea?
Hi @Dmitry and @Viacheslav
I want to post all of my configuration again. I have a vCenter with some VMs and one VyOS firewall on it. I have one IPsec tunnel to another site, and because of this I had already enabled IPsec on eth1 before, and it's working fine, so I added this earlier: set vpn ipsec ipsec-interfaces interface 'eth1'
Now I'm trying to set up a VPN tunnel between Azure and VyOS again; I used this link.
My configuration on VyOS:
# IKE Config
set vpn ipsec esp-group AZURE compression 'disable'
set vpn ipsec esp-group AZURE lifetime '3600'
set vpn ipsec esp-group AZURE mode 'tunnel'
set vpn ipsec esp-group AZURE pfs 'dh-group2'
set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'
set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'
set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
set vpn ipsec ike-group AZURE dead-peer-detection timeout '30'
set vpn ipsec ike-group AZURE ikev2-reauth 'yes'
set vpn ipsec ike-group AZURE key-exchange 'ikev2'
set vpn ipsec ike-group AZURE lifetime '28800'
set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'
# Dummy VTI IP
set interfaces vti vti1 address '10.130.100.1/32'
set interfaces vti vti1 description 'Azure Tunnel'
# MSS
set firewall options interface vti1 adjust-mss 1350
# IPSEC Config
set vpn ipsec site-to-site peer 62.255.61.23 authentication id 'x.x.x.x'
set vpn ipsec site-to-site peer 62.255.61.23 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 62.255.61.23 authentication pre-shared-secret '***********'
set vpn ipsec site-to-site peer 62.255.61.23 authentication remote-id '62.255.61.23'
set vpn ipsec site-to-site peer 62.255.61.23 connection-type 'respond'
set vpn ipsec site-to-site peer 62.255.61.23 description 'AZURE TUNNEL'
set vpn ipsec site-to-site peer 62.255.61.23 ike-group 'AZURE'
set vpn ipsec site-to-site peer 62.255.61.23 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 62.255.61.23 local-address '10.130.90.1'
set vpn ipsec site-to-site peer 62.255.61.23 vti bind 'vti1'
set vpn ipsec site-to-site peer 62.255.61.23 vti esp-group 'AZURE'
# BGP Listener
set protocols static interface-route 10.10.0.254/32 next-hop-interface vti1
# BGP Settings
set protocols bgp 65534 neighbor 10.10.0.254 remote-as '65517'
set protocols bgp 65534 neighbor 10.10.0.254 address-family ipv4-unicast soft-reconfiguration 'inbound'
set protocols bgp 65534 neighbor 10.10.0.254 timers holdtime '30'
set protocols bgp 65534 neighbor 10.10.0.254 timers keepalive '10'
# Connection Check Disable
set protocols bgp 65532 neighbor 10.10.0.254 disable-connected-check
My LAN (eth0) interfaces are:
10.130.90.1/24
10.130.0.1/24
10.130.90.254/24
I also have x.x.x.x as a public IP address on the WAN (eth1) interface.
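The commit warning quoted in this thread ("Local address 10.130.90.1 ... is not configured on any of the ipsec-interfaces") is exactly the kind of mismatch that can be caught by reading the set commands before committing them on a single remote firewall. What follows is an added example, not code from the thread, from VyOS or from the Azure guide: a small Python linter that parses a pasted VyOS 1.3 set fragment (tolerating the admin@vyos# prompt, curly quotes and the trailing [edit] that come with a copy-paste), then checks that each site-to-site peer's local-address is an address of an interface listed under vpn ipsec ipsec-interfaces, that the referenced ike-group, esp-group and vti exist, and that all protocols bgp lines use one local ASN. The sample fragment is constructed from the configuration posted above; the real public addresses are replaced by documentation addresses (203.0.113.10 for eth1, 198.51.100.20 for the Azure gateway), which are assumptions.

```python
"""Pre-commit lint for a pasted VyOS 1.3 'set ...' fragment (added example)."""
import re
import shlex
from collections import defaultdict

# Constructed sample based on the thread's configuration. 203.0.113.10 (eth1)
# and 198.51.100.20 (Azure gateway) are placeholder documentation addresses.
# A few lines deliberately keep the pasted prompt, curly quotes and '[edit]'.
SAMPLE_CONFIG = """
set interfaces ethernet eth0 address '10.130.90.1/24'
set interfaces ethernet eth0 address '10.130.0.1/24'
set interfaces ethernet eth0 address '10.130.90.254/24'
set interfaces ethernet eth1 address '203.0.113.10/24'
set interfaces vti vti1 address '10.130.100.1/32'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
set vpn ipsec ike-group AZURE key-exchange 'ikev2'
admin@vyos# set vpn ipsec site-to-site peer 198.51.100.20 authentication id ‘203.0.113.10’
admin@vyos# set vpn ipsec site-to-site peer 198.51.100.20 authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer 198.51.100.20 description 'AZURE TUNNEL'
set vpn ipsec site-to-site peer 198.51.100.20 ike-group 'AZURE'
set vpn ipsec site-to-site peer 198.51.100.20 local-address '10.130.90.1'
set vpn ipsec site-to-site peer 198.51.100.20 vti bind 'vti1'
admin@vyos# set vpn ipsec site-to-site peer 198.51.100.20 vti esp-group ‘AZURE’[edit]
set protocols bgp 65534 neighbor 10.10.0.254 remote-as '65517'
set protocols bgp 65532 neighbor 10.10.0.254 disable-connected-check
"""

PROMPT = re.compile(r"^\S+@\S+[#$]\s*")          # e.g. "admin@vyos# "
QUOTES = str.maketrans({"‘": "'", "’": "'", "“": '"', "”": '"'})


def parse_set_lines(text):
    """Return the token list (without the leading 'set') of every set command."""
    cmds = []
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip()).replace("[edit]", "")
        line = line.translate(QUOTES).strip()
        if line.startswith("set "):
            cmds.append(shlex.split(line)[1:])   # shlex keeps 'AZURE TUNNEL' together
    return cmds


def lint(cmds):
    """Cross-check peers against interfaces, groups and BGP; return warnings."""
    addrs = defaultdict(set)        # interface -> {address without prefix length}
    ipsec_ifaces, vtis, ike, esp, asns = set(), set(), set(), set(), set()
    peers = defaultdict(dict)       # peer -> {"local-address": ..., "vti bind": ...}
    for t in cmds:
        if t[:2] == ["interfaces", "ethernet"] and t[3:4] == ["address"]:
            addrs[t[2]].add(t[4].split("/")[0])
        elif t[:2] == ["interfaces", "vti"]:
            vtis.add(t[2])
        elif t[:3] == ["vpn", "ipsec", "ipsec-interfaces"]:
            ipsec_ifaces.add(t[4])
        elif t[:3] == ["vpn", "ipsec", "ike-group"]:
            ike.add(t[3])
        elif t[:3] == ["vpn", "ipsec", "esp-group"]:
            esp.add(t[3])
        elif t[:4] == ["vpn", "ipsec", "site-to-site", "peer"]:
            peers[t[4]][" ".join(t[5:-1])] = t[-1]
        elif t[:2] == ["protocols", "bgp"]:
            asns.add(t[2])

    findings = []
    # Only addresses on an ipsec-interface are valid local-address values;
    # this is the condition behind VyOS's "not configured on any of the
    # ipsec-interfaces" commit warning.
    usable = {a for i in ipsec_ifaces for a in addrs[i]}
    for peer, kv in sorted(peers.items()):
        la = kv.get("local-address")
        if la and la not in usable:
            findings.append(
                f"peer {peer}: local-address {la} is not on any ipsec-interface "
                f"({', '.join(sorted(ipsec_ifaces)) or 'none set'}); "
                f"usable addresses: {', '.join(sorted(usable)) or 'none'}")
        if kv.get("ike-group") and kv["ike-group"] not in ike:
            findings.append(f"peer {peer}: ike-group {kv['ike-group']} is not defined")
        if kv.get("vti esp-group") and kv["vti esp-group"] not in esp:
            findings.append(f"peer {peer}: esp-group {kv['vti esp-group']} is not defined")
        if kv.get("vti bind") and kv["vti bind"] not in vtis:
            findings.append(f"peer {peer}: vti {kv['vti bind']} is not defined")
    if len(asns) > 1:
        findings.append(f"BGP: more than one local ASN in fragment "
                        f"({', '.join(sorted(asns))}); VyOS runs a single BGP process")
    return findings


def lint_sample():
    return lint(parse_set_lines(SAMPLE_CONFIG))


if __name__ == "__main__":
    for warning in lint_sample():
        print("WARNING:", warning)
```

Run against the posted fragment it reports two things: local-address 10.130.90.1 sits on eth0 while only eth1 is an ipsec-interface (the same condition the commit warning describes), and the BGP lines carry two different local ASNs (65534 and 65532). The linter only checks the text, not VyOS semantics, so it complements rather than replaces the commit. Whatever change you decide on, the safer way to apply an untested change to a single remote firewall is VyOS's commit-confirm <minutes>: the commit is rolled back automatically unless you run confirm within that window, so a mistake that cuts off your own access does not need a snapshot restore. After a commit that sticks, show vpn ike sa and show vpn ipsec sa show whether the Azure peer actually negotiates.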
Yes, in azure everything is fine.
When I was configuring, I lost my network access and had to restore the last snapshot to get everything back again, so I didn't have any chance to see the logs!
My question is why I lost everything after adding the commands, and how I can fix it.
It happened after this step:
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x authentication id 'y.y.y.y'
set vpn ipsec site-to-site peer x.x.x.x authentication remote-id 'x.x.x.x'
set vpn ipsec site-to-site peer x.x.x.x connection-type 'respond'
set vpn ipsec site-to-site peer x.x.x.x description 'AZURE TUNNEL'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'AZUREI'
set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.x local-address '10.130.90.1'
set vpn ipsec site-to-site peer x.x.x.x vti bind 'vti1'
set vpn ipsec site-to-site peer x.x.x.x vti esp-group 'AZURE'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret '**********'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x authentication remote-id 'x.x.x.x'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x connection-type 'respond'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x description 'AZURE TUNNEL'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x ike-group 'AZURE'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth 'inherit'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x local-address '10.130.90.1'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x vti bind 'vti1'
[edit]
admin@vyos# set vpn ipsec site-to-site peer x.x.x.x vti esp-group 'AZURE'
[edit]
admin@vyos# commit
[ vpn ]
Warning: Local address 10.130.90.1 specified for peer "x.x.x.x"
is not configured on any of the ipsec-interfaces and is not the
clustering address. IPsec must be re-started after address
has been configured.
I also have 10.130.90.1/24 on my eth0 (LAN), and the public IP (x.x.x.x) is on my eth1 (WAN).
In my VyOS FW I have another IPsec tunnel for another site that is working fine and is set on my eth1: