Site-to-site with VyOS and EdgeOS

ipsec

#1

Hello. Actually, i`m an EdgeRouter user and want to connect my home router with VyOS 1.2.0-rolling+201903060337 installed on Cloud VPS. But i have a strange situation - when i set both side as “connection-type initiate” then EdgeOS cannot connect to VyOS, “show vpn ipsec sa” output said “CONNECTING”.
Connection from VyOS to EdgeOS (“connection-type respond” on EdgeOS side) - no problem, everything works.
Tcpdump on VyOS side shows inbound packets from EdgeOS to port 500/udp, but no packets shows on VTI.

Is there any firewall rules, that prevent connecting? I set it like on EdgeOS see bellow:

> set firewall name WAN_LOCAL default-action drop
> set firewall name WAN_LOCAL rule 10 action drop
> set firewall name WAN_LOCAL rule 10 description 'Drop invalid state'
> set firewall name WAN_LOCAL rule 10 state invalid enable
> set firewall name WAN_LOCAL rule 20 action accept
> set firewall name WAN_LOCAL rule 20 description 'Allow established/related'
> set firewall name WAN_LOCAL rule 20 state established enable
> set firewall name WAN_LOCAL rule 20 state related enable
> set firewall name WAN_LOCAL rule 30 action accept
> set firewall name WAN_LOCAL rule 30 description 'ping from all'
> set firewall name WAN_LOCAL rule 30 icmp type 8
> set firewall name WAN_LOCAL rule 30 protocol icmp

> set vpn ipsec site-to-site peer x.x.x.x authentication mode pre-shared-secret
> set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret SECRET
> set vpn ipsec site-to-site peer x.x.x.x connection-type initiate
> set vpn ipsec site-to-site peer x.x.x.x default-esp-group esp-default
> set vpn ipsec site-to-site peer x.x.x.x ike-group ike-default
> set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth inherit
> set vpn ipsec site-to-site peer x.x.x.x local-address y.y.y.y
> set vpn ipsec site-to-site peer x.x.x.x vti bind vti1
> set vpn ipsec site-to-site peer x.x.x.x vti esp-group esp-default

#2

If you add two rules for the VPN traffic it will work.
Protocol UDP port 500, 4500
Protocol ESP


#3

Yea, you right - VyOS does not created special iptables chain for IPsec processing, only EdgeOS have this by default.
I created another rule in WAN_LOCAL and everything works now.
Is this right way or i should do this in some other place?


#4

Hi, that is the correct place. Great that it is working.


closed #5

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.