Hello,
I’m trying to connect Vyos to Cisco ASA and getting only this error:
pluto[21150]: added connection description "peer-$IP_DEST-tunnel-1"
ipsec_starter[21149]: routing 'peer-$IP_DEST-tunnel-1' failed
On the other side, the errors are:
PROTO-4: (697): Searching policy based on peer's identity '$IP_ORIG' of type 'IPv4 address'
IKEv2-PLAT-4: (697): New generic remote access client connection detected based on received address request
IKEv2-PLAT-2: (697): mapped to wrong tunnel group $IP_ORIG of type ipsec-l2l for RA peer
IKEv2-PROTO-2: (697): Failed to locate an item in the database
The answer from the CISCO provider is "Vyos appears to be attempting to build a remote-access VPN rather than a Lan to Lan (site to site/S2S/business to business)", but the configuration is all under "vpn ipsec site-to-site".
Any ideas on what could be happening?
Thanks in advance.
@Ivnosys Can you provide configuration from both sides?
Dmitry
June 24, 2020, 6:34pm
I think @Ivnosys uses 1.1.8 (because of the pluto daemon), which is EOL now.
I propose updating to 1.3 rolling.
The Vyos vpn configuration:
esp-group esp {
    compression disable
    lifetime 3600
    mode tunnel
    pfs dh-group14
    proposal 1 {
        encryption aes256
        hash sha256
    }
}
ike-group ike {
    dead-peer-detection {
        action restart
        interval 15
        timeout 30
    }
    ikev2-reauth yes
    key-exchange ikev2
    lifetime 86400
    proposal 1 {
        dh-group 14
        encryption aes256
        hash sha256
    }
}
ipsec-interfaces {
    interface eth0
}
nat-traversal enable
peer $IP_DEST {
    authentication {
        id $IP_ORIG
        mode pre-shared-secret
        pre-shared-secret ********
        remote-id @$HOST_DEST.$DOM_DEST
    }
    connection-type initiate
    default-esp-group esp
    ike-group ike
    ikev2-reauth yes
    local-address $IP_ORIG
    tunnel 1 {
        local {
            prefix 192.168.1.0/24
        }
        protocol all
        remote {
            prefix 10.0.0.0/24
        }
    }
}
The CISCO ASA configuration:
ASA Version 9.12(3)12
!
hostname $HOST_DEST
domain-name $DOM_DEST
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.22.26.43 255.255.255.0 standby 172.22.26.44
object network Client_DTI
 subnet 192.168.1.0 255.255.255.0
object network DTI_Local
 subnet 10.0.0.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal sha256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map outside_map 51 match address outside_cryptomap_54
crypto map outside_map 51 set pfs group14
crypto map outside_map 51 set peer $IP_ORIG
crypto map outside_map 51 set ikev2 ipsec-proposal sha256
crypto map outside_map 51 set ikev2 pre-shared-key ########
crypto map outside_map 51 set reverse-route
crypto isakmp identity hostname
crypto isakmp nat-traversal 30
crypto ikev2 policy 65
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
group-policy POLITICA_L2L_DTI_CLIENT internal
group-policy POLITICA_L2L_DTI_CLIENT attributes
 vpn-tunnel-protocol ikev2
tunnel-group $IP_ORIG type ipsec-l2l
tunnel-group $IP_ORIG general-attributes
 default-group-policy POLITICA_L2L_DTI_CLIENT
tunnel-group $IP_ORIG ipsec-attributes
 peer-id-validate nocheck
 ikev2 remote-authentication pre-shared-key ########
 ikev2 local-authentication pre-shared-key ########
!
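An added cross-check script (not code from this thread, VyOS or Cisco) that parses the VyOS brace-style config and the ASA text posted above and reports any IKEv2 proposal parameter that differs between the two sides, including whether the VyOS authentication id matches the ASA tunnel-group name the peer is looked up by. The embedded configs are constructed excerpts of the posted ones with the placeholders kept as-is.

```python
import re

# Constructed excerpts of the two configurations posted above (placeholders kept as-is).
VYOS_CFG = """ike-group ike {
 proposal 1 {
  dh-group 14
  encryption aes256
  hash sha256
 }
}
peer $IP_DEST {
 authentication {
  id $IP_ORIG
 }
}
"""
ASA_CFG = """crypto ikev2 policy 65
 encryption aes-256
 integrity sha256
 group 14
tunnel-group $IP_ORIG type ipsec-l2l
"""

def parse_vyos(text):  # VyOS brace-style config -> nested dicts; leaves map key -> value
    stack = [{}]
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return stack[0]

def norm(value):  # unify spellings: aes-256/aes256, sha-256/sha256, dh-group14/group 14/14
    return re.sub(r"(dh-)?group\s*|-", "", value.lower())
ASA_RULES = {  # one regex per ASA parameter; ikev2-policy sub-commands are the indented lines
    "ike_enc": r"^\s+encryption (\S+)", "ike_hash": r"^\s+integrity (\S+)",
    "ike_dh": r"^\s+group (\S+)", "peer_id": r"tunnel-group (\S+) type ipsec-l2l"}
def asa_params(text):
    return {k: norm(m.group(1)) for k, rx in ASA_RULES.items() if (m := re.search(rx, text, re.M))}
def vyos_params(text):
    cfg = parse_vyos(text)  # take the first ike-group and the first peer, whatever they are named
    prop = next(v for k, v in cfg.items() if k.startswith("ike-group"))["proposal 1"]
    peer = next(v for k, v in cfg.items() if k.startswith("peer "))
    return {"ike_enc": norm(prop["encryption"]), "ike_hash": norm(prop["hash"]),
            "ike_dh": norm(prop["dh-group"]), "peer_id": norm(peer["authentication"]["id"])}
def mismatches(vyos_text, asa_text):  # {param: (vyos, asa)} where the sides differ or one is missing
    v, a = vyos_params(vyos_text), asa_params(asa_text)
    return {k: (v.get(k), a.get(k)) for k in v.keys() | a.keys() if v.get(k) != a.get(k)}
```

For the posted configs the result is an empty dict; a peer whose VyOS `id` does not equal the ASA `tunnel-group` name shows up as a `peer_id` mismatch, which is the value the ASA uses to pick the tunnel group in the log lines above.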