[SOLVED] How can I disable "Peer ID" for my VPN?


#1

Hi everyone

I’m trying to set up a site-to-site VPN connection, and am now at a point where two IKE messages from my end are answered by the other end, but the third message does not receive an answer.

The admin from the other side can see on his firewall that an IKE packet from me was rejected:

That admin is telling me that’s because I have “Peer ID enabled”. So how can I disable it?

Here’s one thing I tried - without success:

# set vpn ipsec site-to-site peer x.x.x.x authentication id ""

  invalid ID ""
  Value validation failed
  Set failed

Here’s my configuration, which makes clear that I did not set up a Peer ID explicitly in the authentication {} groups.

vpn {
    ipsec {
        esp-group ESP-1W {
            compression disable
            lifetime 4800
            mode tunnel
            pfs dh-group20
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group IKE-1W {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 86400
            proposal 1 {
                dh-group 20
                encryption aes256
                hash sha256
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-traversal enable
        site-to-site {
            peer x.x.x.x {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                default-esp-group ESP-1W
                ike-group IKE-1W
                ikev2-reauth inherit
                local-address 192.168.30.34
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local {
                        prefix z.z.z.z/32
                    }
                    remote {
                        prefix a.a.a.a/32
                    }
                }
            }
            peer y.y.y.y {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                default-esp-group ESP-1W
                ike-group IKE-1W
                ikev2-reauth inherit
                local-address 192.168.30.34
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local {
                        prefix z.z.z.z/32
                    }
                    remote {
                        prefix b.b.b.b/32
                    }
                }
            }
        }
    }
}

#2

I’ve managed to connect to the other side now. But rather than disabling the Peer ID as suggested by the admin, I had to explicitly set it to the correct IP address, like so:

set vpn ipsec site-to-site peer x.x.x.x authentication id 'a.a.a.a'

The reason the Peer ID has to be different from the Peer IP is that the VyOS router sits behind NAT, so it will change the source IP of outgoing packets. That means I have to set the id to that NATted address that the other VPN side will see, which, luckily, is static in my case.
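The two posts together describe a check worth automating: a VyOS site-to-site peer whose local-address is an RFC 1918 address is almost certainly behind NAT, so its IKE identity defaults to an address the responder never sees, and the tunnel stalls exactly as in post #1 until `authentication id` is set to the translated address. The script below is an added example, not code from the thread or from VyOS: it parses the brace-delimited `show configuration` format into nested dicts and flags peers that are NATted but carry no usable `authentication id` (or no `nat-traversal enable`). The embedded configuration is constructed for the example, with RFC 5737 documentation addresses standing in for the poster's masked x.x.x.x and a.a.a.a values; the `audit_config` and `parse_vyos` names are mine.

```python
import ipaddress
from typing import Any, Dict, List, Tuple

# Constructed sample in VyOS "show configuration" layout (not the poster's
# real config). 192.0.2.x are the remote peers, 203.0.113.5 is the assumed
# static NAT address the remote side sees, 192.168.30.34 is the private
# local-address from the thread.
SAMPLE_CONFIG = """
vpn {
    ipsec {
        ike-group IKE-1W {
            key-exchange ikev1
            lifetime 86400
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-traversal enable
        site-to-site {
            peer 192.0.2.10 {
                authentication {
                    id '203.0.113.5'
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group IKE-1W
                local-address 192.168.30.34
            }
            peer 192.0.2.20 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group IKE-1W
                local-address 192.168.30.34
            }
        }
    }
}
"""

# RFC 1918 ranges: a local-address in one of these means the packets the
# responder receives carry some other (translated) source address.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_vyos(text: str) -> Dict[str, Any]:
    """Parse VyOS brace config into nested dicts.
    Container lines such as 'peer 192.0.2.10 {' keep the full tag as key;
    leaf lines 'key value' map key -> value with surrounding quotes removed."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip("'\"")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def audit_config(text: str) -> List[Tuple[str, str]]:
    """Return (remote peer, problem) pairs for peers that look NATted but
    have no IKE identity the responder could match."""
    ipsec = parse_vyos(text).get("vpn", {}).get("ipsec", {})
    site = ipsec.get("site-to-site", {})
    nat_traversal = ipsec.get("nat-traversal") == "enable"
    findings: List[Tuple[str, str]] = []
    for tag, peer in site.items():
        if not tag.startswith("peer "):
            continue
        remote = tag.split(" ", 1)[1]
        local = peer.get("local-address")
        if local is None:
            continue
        local_ip = ipaddress.ip_address(local)
        if not any(local_ip in net for net in RFC1918_NETS):
            continue  # public local address: the default ID (the address itself) matches
        ike_id = peer.get("authentication", {}).get("id")
        if ike_id is None:
            findings.append((remote, f"local-address {local} is RFC 1918 but no "
                             "authentication id is set; responder sees the NAT address as IKE ID"))
        elif ike_id == local:
            findings.append((remote, f"authentication id equals private local-address {local}, "
                             "which the responder never sees"))
        if not nat_traversal:
            findings.append((remote, "nat-traversal is not enabled although local-address is private"))
    return findings


if __name__ == "__main__":
    for remote, problem in audit_config(SAMPLE_CONFIG):
        print(f"peer {remote}: {problem}")
```

Run against the sample, peer 192.0.2.10 (explicit id set to the NAT address, as in post #2) passes, while peer 192.0.2.20 (the shape of the configuration in post #1) is reported. The check is a heuristic: a private local-address can also be legitimate on a purely internal tunnel, so treat a finding as something to confirm against the responder's expected ID rather than as proof of a fault.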