Hi ,
I have been trying to setup a vpn from my side to client side and have been getting routing 'peer-xxxxx-tunnel-1' failed with nothing else being logged. Any idea how can I view the actual cause behind the same. I have already set the logging for all facility to all
Start with checking logs:
show log all | match charon
sudo swanctl -l
And double re-check all parameters from both sites.
Thanks for your reply but I did not find much information using these commands:
vyos@VyOS-AMI:~$ show log all | match charon
May 3 16:02:49 VyOS-AMI ipsec_starter[6472]: charon has died -- restart scheduled (5sec)
May 11 10:32:12 VyOS-AMI ipsec_starter[2737]: charon (2741) started after 100 ms
Which version of VyOS?
Following the is result of show version
vyos@VyOS-AMI:~$ show version
Version: VyOS 1.1.8
Description: VyOS 1.1.8 (helium)
Copyright: 2017 VyOS maintainers and contributors
Built by: maintainers@vyos.net
Built on: Sat Nov 11 13:44:36 UTC 2017
Build ID: 1711111344-b483efc
System type: x86 64-bit
Boot via: image
Hypervisor: Xen hvm
HW model: HVM domU
Uptime: 17:36:35 up 15 days, 7:04, 1 user, load average: 0.00, 0.01, 0.05Unfortunately, 1.1.8 is EOL.
can you point to an AWS ami which I can use ?
So I have started using the latest available version on AWS
vyos@ip-10-209-224-157:~$ show version
Version: VyOS 1.2.7
Release Train: crux
Built by: Sentrium S.L.
Built on: Fri 26 Mar 2021 10:40 UTC
Build UUID: 50a5b0b4-868d-4f86-94d3-30651f47c44d
Build Commit ID: 265c5cfd6a7090
Architecture: x86_64
Boot via: installed image
System type: KVM guest
Hardware vendor: Amazon EC2
Hardware model: t3.medium
I used the same configuration which I had used in the older version. However, it seems I not getting anything in the logs this time, not even the failure message.
Attach your configuration, hide private data.
Are you sure that you open port 500 and 4500 at the aws site?
show vpn ipsec sa
show vpn ike sa
sudo swanctl -l
Which device on the remote site?
ipsec {
esp-group <vpn-group-name> {
lifetime 3600
pfs dh-group21
proposal 1 {
encryption aes256
hash sha512
}
}
ike-group <vpn-group-name> {
ikev2-reauth no
key-exchange ikev2
lifetime 28800
proposal 1 {
dh-group 21
encryption aes256
hash sha512
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer <vendor-vpn-box-public-ip> {
authentication {
mode pre-shared-secret
pre-shared-secret <secret>
}
default-esp-group <vpn-group-name>
ike-group <vpn-group-name>
local-address <local-interface-private-ip>
tunnel 1 {
local {
prefix <my-customer-domain-encryption>
}
remote {
prefix <vendor-customer-domain-encryption>
}
}
}
}
}
vyos@ip-<local-interface-private-ip>:~$ show vpn ipsec sa
Connection State Up Bytes In/Out Remote address Remote ID Proposal
--------------------------- ------- ---- -------------- ---------------- ----------- ----------
peer-<vendor-vpn-box-public-ip>-tunnel-1 down N/A N/A N/A N/A N/A
vyos@ip-<local-interface-private-ip>:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
<vendor-vpn-box-public-ip> <local-interface address>
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
down IKEv2 n/a n/a n/a(n/a) no 0 n/a
vyos@ip-<local-interface-private-ip>:~$ sudo swanctl -l
peer-<vendor-vpn-box-public-ip>: #6, CONNECTING, IKEv2, xxxxxxxxxx* 0000000000000000_r
local '%any' @ <local-interface-private-ip>[500]
remote '%any' @ <vendor-vpn-box-public-ip> [500]
active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
I have allowed all traffic from at my side. I am not exactly sure what is being used at remote. However as per their logs when I was using 1.1.8 they were receiving a request (not reflecting in my logs) and sending me back a response which was not reflecting in logs too.
Do you get address 10.x.x.x/x via DHCP which translated to External address?
As per my understanding this should be the case. I have attached an EIP with my EC2 instance. Any specific command which can be used to check if I am missing anything.
Thanks
Try to set authentication id, where y.y.y.y - your external IP address.
del vpn ipsec site-to-site peer x.x.x.x local-address
set vpn ipsec site-to-site peer x.x.x.x dhcp-interface eth0
set vpn ipsec site-to-site peer x.x.x.x authentication id "y.y.y.y"
After commit try to restart ipsec
sudo ipsec restart
And check logs and state ike/esp/logs again.
The issue was resolved, It seemed to be an issue with my NACL where we had just allowed TCP on all ports rather than allowing UDP too. Thanks @Viacheslav for your support.
This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.