Trying to setup site-to-site VPN with tunnel failover


#1

Hiya.

I’m trying to setup a site-to-site VPN between AWS and another cloud provider, with 2 VyOS instances on our AWS end connecting to an ASA at the remote end, with the tunnel failing over to the second VyOS if the first link goes down for any reason.

VyOS A –
------- ASA
VyOS B – /

The two VyOS devices are configured with connection-type “respond”, because we only want one tunnel up at a time, and we want the remote ASA to deal with failing over if/when it needs to.

The tunnel appears to come up properly (show vpn ipsec sa shows it as up on the first VyOS device, but down on the second), and all appears good to start with. However, after a fairly short while, pings from the remote network back into our AWS infrastructure stop working. If we send a ping back from AWS to the remote end, that goes through OK and suddenly pings back from them start again, for a while. The really confusing thing is that when we end up having to do that, the ASA at the remote end shows that the tunnel itself has been initiated by our VyOS, even though the configuration specifically says ‘respond’ at our end.

The relevant VyOS configuration is this (identical on both of our VyOS devices except for the local IP):

[code]vpn {
ipsec {
esp-group aws-remote-esp {
compression disable
lifetime 86400
mode tunnel
pfs dh-group5
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group aws-remote-ike {
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 2
encryption aes256
hash sha1
}
}
site-to-site {
peer xx.xx.xx.xx {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
connection-type respond
default-esp-group aws-remote-esp
ike-group aws-remote-ike
local-address xx.xx.xx.xx
tunnel 0 {
allow-nat-networks disable
allow-public-networks disable
esp-group aws-remote-esp
local {
prefix xx.xx.xx.xx/16
}
remote {
prefix xx.xx.xx.xx/24
}
}
}

[/code]

But after we have to kick it with a ping from AWS, the ASA at the remote end is showing this:

6 IKE Peer: xx.xx.xx.xx Type : L2L Role : responder Rekey : no State : MM_ACTIVE

Note that it’s showing as responder, even though our end is configured to be respond only.

[code]vyos@VyOS-AMI:~$ show system image
The system currently has the following image(s) installed:

1: VyOS-1.1.7 (default boot) (running image)
[/code]


#2

I doubt this will ever work. ASA will end up with 2 identical cryptomaps for remote networks, but I guess it will always use the first.
Also, initiate/respond-only are “blurry terms.” On edgeOS (same Vyatta roots) there were times you had to put both sides to respond-only…to get a working VPN.

You can’t do VTI or GRE tunnels on ASA, so get something on the ASA inside to create 2 GRE tunnels, have them both up simultaneously and use OSPF for redundancy


#3

The ASA config seems to be fine, it’s defined as

And only one of the tunnels is ever brought up at a time.

The fact that respond appears to be more of a suggestion than an actual setting is frustrating. Any idea why the ping from the far end stops working the way it does?


#4

Never knew you could use multiple peer IPs on single crypto map…
To tackle ping problem, disable tunnel on VyOS2 , and see if tunnel runs fine from only VyOS1 .

As soon as 2nd tunnel kicks in, it will mess up the 1st