I am trying to configure NRHP/dmVPN connection between two VyOS virtuale machines.
All i get in the log on the hub is:
Jul 10 19:25:42 nhrp-server pluto[2297]: packet from 193.200.225.69:2202: received Vendor ID payload [strongSwan]
Jul 10 19:25:42 nhrp-server pluto[2297]: packet from 193.200.225.69:2202: ignoring Vendor ID payload [Cisco-Unity]
Jul 10 19:25:42 nhrp-server pluto[2297]: packet from 193.200.225.69:2202: received Vendor ID payload [XAUTH]
Jul 10 19:25:42 nhrp-server pluto[2297]: packet from 193.200.225.69:2202: received Vendor ID payload [Dead Peer Detection]
Jul 10 19:25:42 nhrp-server pluto[2297]: packet from 193.200.225.69:2202: initial Main Mode message received on 178.209.169.12:500 but no connection has been authorized with policy=PSK
Can anyone see why?
My client’s is behind a nat router, that i don’t have access to.
Hub configuration:
interfaces {
ethernet eth0 {
address 178.209.169.12/29
duplex auto
hw-id 00:15:5d:fb:7e:c2
smp_affinity auto
speed auto
}
loopback lo {
}
tunnel tun0 {
address 10.0.0.1/24
encapsulation gre
local-ip 178.209.169.12
multicast enable
parameters {
ip {
key ****************
}
}
}
}
protocols {
nhrp {
tunnel tun0 {
cisco-authentication SECRET
holding-time 300
multicast dynamic
redirect
}
}
static {
route 0.0.0.0/0 {
next-hop 178.209.169.9 {
distance 20
}
}
}
}
service {
ssh {
listen-address 178.209.169.12
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
host-name nhrp-server
login {
user XXXXXX {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
}
name-server 178.209.170.3
name-server 178.209.172.3
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
package {
auto-sync 1
repository community {
components main
distribution helium
password ****************
url http://packages.vyos.net/vyos
username ""
}
}
syslog {
global {
facility all {
level debug
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
vpn {
ipsec {
esp-group ESP-HUB1 {
compression disable
lifetime 1800
mode tunnel
pfs dh-group2
proposal 1 {
encryption aes256
hash sha1
}
proposal 2 {
encryption 3des
hash md5
}
}
ike-group IKE-HUB1 {
ikev2-reauth no
key-exchange ikev1
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
proposal 2 {
encryption aes128
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
profile NHRPVPN {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
bind {
tunnel tun0
}
esp-group ESP-HUB1
ike-group IKE-HUB1
}
}
}
Client:
interfaces {
ethernet eth0 {
address 172.16.1.1/29
duplex auto
hw-id 00:0c:29:5b:19:24
smp_affinity auto
speed auto
}
ethernet eth1 {
duplex auto
hw-id 00:0c:29:5b:19:2e
smp_affinity auto
speed auto
}
loopback lo {
}
tunnel tun0 {
address 10.0.0.2/24
encapsulation gre
local-ip 0.0.0.0
multicast enable
parameters {
ip {
key ****************
}
}
}
}
protocols {
nhrp {
tunnel tun0 {
cisco-authentication Lim87Hus!
map 10.0.0.1/24 {
nbma-address 178.209.169.12
register
}
multicast nhs
redirect
shortcut
}
}
static {
route 0.0.0.0/0 {
next-hop 172.16.1.6 {
distance 20
}
}
}
}
service {
ssh {
listen-address 172.16.1.1
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
host-name nhrp-silk-rtr01
login {
user XXXXXX{
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
package {
auto-sync 1
repository community {
components main
distribution helium
password ****************
url http://packages.vyos.net/vyos
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
vpn {
ipsec {
auto-update 30
esp-group ESP-SPOKE1 {
compression disable
lifetime 1800
mode tunnel
pfs dh-group2
proposal 1 {
encryption aes256
hash sha1
}
proposal 2 {
encryption 3des
hash md5
}
}
ike-group IKE-SPOKE1 {
ikev2-reauth no
key-exchange ikev1
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
proposal 2 {
encryption aes128
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
profile NHRPVPN {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
bind {
tunnel tun0
}
esp-group ESP-SPOKE1
ike-group IKE-SPOKE1
}
}
}