Hello. Actually, I'm an EdgeRouter user and want to connect my home router with VyOS 1.2.0-rolling+201903060337 installed on a Cloud VPS. But I have a strange situation: when I set both sides as “connection-type initiate”, then EdgeOS cannot connect to VyOS; the “show vpn ipsec sa” output says “CONNECTING”.
Connection from VyOS to EdgeOS (“connection-type respond” on EdgeOS side) - no problem, everything works.
Tcpdump on the VyOS side shows inbound packets from EdgeOS to port 500/udp, but no packets show on the VTI.
Are there any firewall rules that prevent connecting? I set it up like on EdgeOS, see below:
> set firewall name WAN_LOCAL default-action drop
> set firewall name WAN_LOCAL rule 10 action drop
> set firewall name WAN_LOCAL rule 10 description 'Drop invalid state'
> set firewall name WAN_LOCAL rule 10 state invalid enable
> set firewall name WAN_LOCAL rule 20 action accept
> set firewall name WAN_LOCAL rule 20 description 'Allow established/related'
> set firewall name WAN_LOCAL rule 20 state established enable
> set firewall name WAN_LOCAL rule 20 state related enable
> set firewall name WAN_LOCAL rule 30 action accept
> set firewall name WAN_LOCAL rule 30 description 'ping from all'
> set firewall name WAN_LOCAL rule 30 icmp type 8
> set firewall name WAN_LOCAL rule 30 protocol icmp
> set vpn ipsec site-to-site peer x.x.x.x authentication mode pre-shared-secret
> set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret SECRET
> set vpn ipsec site-to-site peer x.x.x.x connection-type initiate
> set vpn ipsec site-to-site peer x.x.x.x default-esp-group esp-default
> set vpn ipsec site-to-site peer x.x.x.x ike-group ike-default
> set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth inherit
> set vpn ipsec site-to-site peer x.x.x.x local-address y.y.y.y
> set vpn ipsec site-to-site peer x.x.x.x vti bind vti1
> set vpn ipsec site-to-site peer x.x.x.x vti esp-group esp-default
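A way to check the firewall question above, as an added example that is not part of the post and not VyOS or EdgeOS code: a small model of a "local" firewall chain that evaluates the WAN_LOCAL rules exactly as set in the post (first match wins, then default-action) against a few constructed inbound packets. The original chain has no rule for UDP 500/4500 or ESP, so an unsolicited IKE packet from the peer only matches the default drop, while replies to an exchange that VyOS itself initiated are accepted by the established/related rule. The second ruleset, with rules 40 and 50 admitting IKE, NAT-T and ESP, is an assumption added for comparison, not configuration from the post.

```python
# Added example: a model of a VyOS/EdgeOS "local" firewall chain used to check
# which inbound packets the WAN_LOCAL ruleset from the post would accept.
# This is not VyOS code; rule semantics (numbered rules, first match wins,
# then default-action) are modelled after how the named chains behave.
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Packet:
    proto: str                        # "udp", "tcp", "icmp", "esp"
    state: str                        # conntrack state: new/established/related/invalid
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    number: int
    action: str
    states: Set[str] = field(default_factory=set)   # match any of these states
    proto: Optional[str] = None
    dports: Set[int] = field(default_factory=set)
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.states and pkt.state not in self.states:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(rules, default_action, pkt):
    """Return (action, matching rule number or None); first matching rule wins."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action, rule.number
    return default_action, None


# WAN_LOCAL as set in the post: default-action drop, rules 10/20/30.
WAN_LOCAL_ORIGINAL = [
    Rule(10, "drop", states={"invalid"}),
    Rule(20, "accept", states={"established", "related"}),
    Rule(30, "accept", proto="icmp", icmp_type=8),
]

# Assumed addition (not from the post): the same chain plus
# 'rule 40 protocol udp destination port 500,4500' and 'rule 50 protocol esp'.
WAN_LOCAL_WITH_IPSEC = WAN_LOCAL_ORIGINAL + [
    Rule(40, "accept", proto="udp", dports={500, 4500}),
    Rule(50, "accept", proto="esp"),
]

# Constructed sample traffic as it would arrive at the VyOS WAN interface.
IKE_INIT_FROM_PEER = Packet("udp", "new", dport=500)              # EdgeOS initiating
NAT_T_FROM_PEER = Packet("udp", "new", dport=4500)
ESP_FROM_PEER = Packet("esp", "new")
IKE_REPLY_TO_OUR_INIT = Packet("udp", "established", dport=500)   # VyOS initiated
PING = Packet("icmp", "new", icmp_type=8)


def verdicts(rules):
    """Verdict of the chain for each constructed packet (default-action drop)."""
    return {
        "ike_init": evaluate(rules, "drop", IKE_INIT_FROM_PEER)[0],
        "nat_t": evaluate(rules, "drop", NAT_T_FROM_PEER)[0],
        "esp": evaluate(rules, "drop", ESP_FROM_PEER)[0],
        "ike_reply": evaluate(rules, "drop", IKE_REPLY_TO_OUR_INIT)[0],
        "ping": evaluate(rules, "drop", PING)[0],
    }


if __name__ == "__main__":
    for name, rules in (("original", WAN_LOCAL_ORIGINAL),
                        ("with ipsec rules", WAN_LOCAL_WITH_IPSEC)):
        print(name, verdicts(rules))
```

Running it prints the verdict per packet for both chains; with the original chain only the established reply and the ping are accepted, which matches the symptom that VyOS can initiate but an initiation from EdgeOS stays in CONNECTING.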