Site to site ipsec vpn issue, using dummy as ipsec interface

Dear all,
Environment: Hub-and-Spoke IPsec VPN. As the Hub end only has one /32 public IP and the interconnection address is also a private IP, I configured this IP on the dummy interface and made the following IPsec configuration. The Spoke end goes through NAT on the internal network.
Hub Config:

authentication {
    psk CSCN00012300 {
        id CSCN00012300
        id POP
        secret ********
    }
}
esp-group Default-ESP {
    lifetime 3600
    mode tunnel
    pfs disable
    proposal 1 {
        encryption aes256
        hash sha256
    }
}
ike-group Default-IKE {
    close-action start
    dead-peer-detection {
        action restart
    }
    key-exchange ikev1
    lifetime 3600
    mode aggressive
    proposal 1 {
        dh-group 14
        encryption aes256
        hash sha256
    }
}
interface eth2
log {
    level 2
    subsystem any
}
options {
}
site-to-site {
    peer CSCN00012300 {
        authentication {
            local-id POP
            mode pre-shared-secret
            remote-id CSCN00012300
        }
        connection-type initiate
        default-esp-group Default-ESP
        force-udp-encapsulation
        ike-group Default-IKE
        ikev2-reauth no
        local-address x.x.x.x
        remote-address any
        vti {
            esp-group Default-ESP
        }
    }
}

Issue: The ISAKMP request from the Spoke to the Hub is received on the Hub side, but the Hub sends back an ICMP "udp port 500 unreachable" error message.

I confirm that the dummy interface IP can be used as the source IP to ping the Spoke IP, and the network is reachable.

Any suggestions? Thanks~~~

Monitor Traffic:
yangbin@soonnet.com.cn@CN-SHA-PE01:~$ monitor traffic interface eth2 filter "host 218.79.117.168"
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
08:55:44.145268 IP 218.79.117.168.30963 > 112.65.1.4.500: isakmp: phase 1 I agg
08:55:44.145343 IP 112.65.1.4 > 218.79.117.168: ICMP 112.65.199.4 udp port 500 unreachable, length 556
08:55:47.150916 IP 218.79.117.168.30963 > 112.65.1.4.500: isakmp: phase 1 I agg
08:55:47.150990 IP 112.65.1.4 > 218.79.117.168: ICMP 112.65.199.4 udp port 500 unreachable, length 556
08:55:53.170773 IP 218.79.117.168.30963 > 112.65.1.4.500: isakmp: phase 1 I agg
08:55:53.170845 IP 112.65.1.4 > 218.79.117.168: ICMP 112.65.199.4 udp port 500 unreachable, length 556
08:56:05.183255 IP 218.79.117.168.30963 > 112.65.1.4.500: isakmp: phase 1 I agg
08:56:05.183328 IP 112.65.1.4 > 218.79.117.168: ICMP 112.65.199.4 udp port 500 unreachable, length 556
08:56:14.207772 IP 218.79.117.168.30963 > 112.65.1.4.500: isakmp: phase 1 I agg
08:56:14.207844 IP 112.65.1.4 > 218.79.117.168: ICMP 112.65.199.4 udp port 500 unreachable, length 556
08:56:17.214938 IP 218.79.117.168.30963 > 112.65.1.4.500: isakmp: phase 1 I agg
08:56:17.215013 IP 112.65.1.4 > 218.79.117.168: ICMP 112.65.199.4 udp port 500 unreachable, length 556
08:56:23.233330 IP 218.79.117.168.30963 > 112.65.1.4.500: isakmp: phase 1 I agg
08:56:23.233407 IP 112.65.1.4 > 218.79.117.168: ICMP 112.65.1.4 udp port 500 unreachable, length 556

dummy dum0 {
    address 100.127.0.1/32
}
dummy dum1 {
    address 112.65.1.4/32
    vrf CNU
}
ethernet eth0 {
    address 100.64.0.132/25
    hw-id 00:0c:29:07:b7:34
    vrf Management
}
ethernet eth1 {
    address 100.64.1.14/30
    hw-id 00:0c:29:07:b7:3e
    offload {
        lro
        sg
        tso
    }
}
ethernet eth2 {
    address 100.100.11.2/28
    hw-id 00:0c:29:07:b7:99
    offload {
        lro
        sg
        tso
    }
    vrf CNU
}
loopback lo {
}
vti vti0 {
    address 198.18.0.1/22
    vrf VD-2300
}

yangbin@soonnet.com.cn@CN-SHA-PE01:~$ sh ip route vrf CNU
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure

VRF CNU:
S>* 0.0.0.0/0 [1/0] via 100.100.11.1, eth2, weight 1, 08:39:53
C>* 100.100.11.0/28 is directly connected, eth2, 08:39:59
C>* 112.65.199.4/32 is directly connected, dum1, 08:40:00

yangbin@soonnet.com.cn@CN-SHA-PE01:~$ ping 218.79.117.168 vrf CNU source-address 112.65.1.4
PING 218.79.117.168 (218.79.117.168) from 112.65.1.4 : 56(84) bytes of data.
64 bytes from 218.79.117.168: icmp_seq=1 ttl=20 time=10.1 ms
64 bytes from 218.79.117.168: icmp_seq=2 ttl=20 time=10.2 ms
64 bytes from 218.79.117.168: icmp_seq=3 ttl=20 time=10.3 ms
64 bytes from 218.79.117.168: icmp_seq=4 ttl=20 time=10.6 ms
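
The pattern in the capture above (each IKE initiator packet answered by an ICMP "udp port 500 unreachable" rather than an IKE response) can be tallied from tcpdump text output. This is an added example, not part of the original post: the function names are hypothetical, the sample lines are constructed with documentation addresses, and it handles only IPv4 IKEv1 "phase N I/R" lines.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the tcpdump text format shown above (documentation addresses).
SAMPLE = """\
08:55:44.145268 IP 198.51.100.7.30963 > 192.0.2.4.500: isakmp: phase 1 I agg
08:55:44.145343 IP 192.0.2.4 > 198.51.100.7: ICMP 192.0.2.4 udp port 500 unreachable, length 556
08:55:47.150916 IP 198.51.100.7.30963 > 192.0.2.4.500: isakmp: phase 1 I agg
08:55:47.150990 IP 192.0.2.4 > 198.51.100.7: ICMP 192.0.2.4 udp port 500 unreachable, length 556
08:55:50.000000 IP 198.51.100.9.500 > 192.0.2.4.500: isakmp: phase 1 I agg
08:55:50.020000 IP 192.0.2.4.500 > 198.51.100.9.500: isakmp: phase 1 R agg
"""
IP = r"((?:\d+\.){3}\d+)"
IKE = re.compile(rf"^(\S+) IP {IP}\.(\d+) > {IP}\.(\d+): isakmp: phase \S+ ([IR]) ")
ICMP = re.compile(rf"^(\S+) IP {IP} > {IP}: ICMP {IP} udp port (\d+) unreachable")

def _ts(text):
    return datetime.strptime(text, "%H:%M:%S.%f")  # capture must not cross midnight

def _resolve(pending, stats, now, window, field, matches):
    """Credit the oldest pending request that this reply answers."""
    for i, (sent_at, key) in enumerate(pending):
        if matches(key) and now - sent_at <= window:
            stats[key][field] += 1
            del pending[i]
            return

def classify(capture, window=timedelta(seconds=1)):
    """Map (initiator, responder, port) to counts of sent/answered/unreachable."""
    stats, pending = {}, []
    for line in capture.splitlines():
        if m := IKE.match(line):
            ts, src, sport, dst, dport, role = m.groups()
            if role == "I":  # initiator request towards the responder
                key = (src, dst, int(dport))
                stats.setdefault(key, dict(sent=0, answered=0, unreachable=0))["sent"] += 1
                pending.append((_ts(ts), key))
            else:  # responder reply: an IKE daemon answered on that address
                _resolve(pending, stats, _ts(ts), window, "answered",
                         lambda k: k == (dst, src, int(sport)))
        elif m := ICMP.match(line):
            ts, _sender, target, _orig_dst, port = m.groups()
            _resolve(pending, stats, _ts(ts), window, "unreachable",
                     lambda k: k[0] == target and k[2] == int(port))
    return stats

def refused_flows(stats):  # every request refused, none answered
    return sorted(k for k, s in stats.items()
                  if s["unreachable"] == s["sent"] and not s["answered"])
```

A flow listed by `refused_flows` means the responder's stack found no socket accepting that UDP port for the destination address, or a reject rule answered on its behalf.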