Unable to pass traffic over ipsec VPN


#1

I’ve got VyOS running 1.1.7 in Amazon AWS. It’s inside a VPC with some other servers. I’ve got a tunnel up, and can ping hosts on both sides of the connection from inside of the VyOS server. However, I cannot ping from hosts on either the Amazon side or the site side to each other. I’ve been scouring the forums and can’t seem to find an answer to make it work. The VyOS server is configured as 10.0.0.10 and I have a route in the VPC route table for 10.0.1.0/24 pointing to 10.0.0.10 to route the traffic. I think I’m just missing something obvious, or it’s late on a Friday and my brain just isn’t working. Here is my sanitized config:

interfaces {
    ethernet eth0 {
        address dhcp
        duplex auto
        hw-id xx:xx:xx:xx:xx:xx
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
service {
    ssh {
        disable-password-authentication
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name VyOS-AMI
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
                public-keys xxxxxxxxxxx {
                    key ****************
                    type ssh-rsa
                }
            }
            level admin
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password ****************
            url http://packages.vyos.net/vyos
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        esp-group esp_site1 {
            compression disable
            lifetime 28800
            mode tunnel
            pfs dh-group2
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group ike_site1 {
            dead-peer-detection {
                action restart
            }
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
        }
        nat-traversal enable
        site-to-site {
            peer x.x.x.x {
                authentication {
                    id y.y.y.y
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id x.x.x.x
                }
                default-esp-group esp_site1
                ike-group ike_site1
                local-address 10.0.0.10
                tunnel 1 {
                    local {
                        prefix 10.0.0.0/24
                    }
                    remote {
                        prefix 10.0.1.0/24
                    }
                }
            }
        }
    }
}


#2

I was able to get this solved. I just needed to turn off Source/Dest checking on the VyOS instance. Once I did that, I was able to go into the route table and could see the instance in there as an option rather than having to manually type it in as before. Traffic is now routing perfectly.
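The two conditions behind the fix in #2 (source/destination check off, and a VPC route for the remote prefix that targets the instance) can be checked before traffic is ever sent. The following is an added example, not code from the thread or from VyOS: it audits constructed data shaped like the output of `aws ec2 describe-instance-attribute --attribute sourceDestCheck` and `aws ec2 describe-route-tables`, with placeholder instance and route table ids, and runs entirely offline.

```python
"""Offline pre-flight audit of an EC2 instance used as an IPsec transit gateway."""
import ipaddress

INSTANCE_ID = "i-0123456789abcdef0"          # placeholder, not a real instance
ROUTE_TABLE_ID = "rtb-0123456789abcdef0"     # placeholder, not a real route table
REMOTE_PREFIX = "10.0.1.0/24"                # the remote site prefix from the thread

# Constructed samples mirroring the EC2 API field names. "ON" is the state in
# post #1 (check still enabled, route present); "OFF" is the state after the fix.
SOURCE_DEST_CHECK_ON = {"InstanceId": INSTANCE_ID, "SourceDestCheck": {"Value": True}}
SOURCE_DEST_CHECK_OFF = {"InstanceId": INSTANCE_ID, "SourceDestCheck": {"Value": False}}
ROUTE_TABLE = {
    "RouteTableId": ROUTE_TABLE_ID,
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/24", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": REMOTE_PREFIX, "InstanceId": INSTANCE_ID, "State": "active"},
    ],
}


def audit_transit_gateway(instance_id, sdc_attr, route_table, remote_prefix):
    """Return findings that would stop spoke-to-spoke traffic through the instance."""
    findings = []
    # EC2's source/destination check drops any packet whose source or destination
    # is not the instance's own address, which is every packet the VPN forwards.
    # Remediation: aws ec2 modify-instance-attribute --instance-id <id> --no-source-dest-check
    if sdc_attr.get("SourceDestCheck", {}).get("Value", True):
        findings.append(f"{instance_id}: SourceDestCheck enabled; forwarded traffic is dropped")
    # The VPC route for the remote prefix must exist, be active, and target this instance.
    want = ipaddress.ip_network(remote_prefix)
    matches = [
        r for r in route_table.get("Routes", [])
        if "DestinationCidrBlock" in r
        and ipaddress.ip_network(r["DestinationCidrBlock"]) == want
    ]
    if not matches:
        findings.append(f"{route_table.get('RouteTableId')}: no route for {remote_prefix}")
    for r in matches:
        if r.get("InstanceId") != instance_id:
            findings.append(f"route {remote_prefix} does not target {instance_id}")
        if r.get("State") != "active":
            findings.append(f"route {remote_prefix} is {r.get('State')}, not active")
    return findings


if __name__ == "__main__":
    for label, attr in (("before fix", SOURCE_DEST_CHECK_ON), ("after fix", SOURCE_DEST_CHECK_OFF)):
        print(label, audit_transit_gateway(INSTANCE_ID, attr, ROUTE_TABLE, REMOTE_PREFIX) or ["OK"])
```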


#3

Hi Mike, how did you do that?
Thanks