VPN IPsec IKEv1

Hello everyone,

I hope you can help me

I am trying to set up a VPN tunnel between two VyOS version 1.3.6 routers on a virtual platform where they are connected to a virtual router.
The scenario is the following:
Each VyOS router has a single interface with the internal IP and a floating IP with which it goes out to the Internet. The floating IP is assigned to the same internal network port, so I don't have 2 separate interfaces but all in one.
The device has access to the Internet and there is nothing filtered by security rules between the two deployed VyOS routers; you can ping between them without problem.
The config is the following:

R1

set vpn ipsec esp-group bcn-esp compression 'disable'
set vpn ipsec esp-group bcn-esp lifetime '1800'
set vpn ipsec esp-group bcn-esp mode 'tunnel'
set vpn ipsec esp-group bcn-esp pfs 'disable'
set vpn ipsec esp-group bcn-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group bcn-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group bcn-ike ikev2-reauth 'no'
set vpn ipsec ike-group bcn-ike key-exchange 'ikev1'
set vpn ipsec ike-group bcn-ike lifetime '1800'
set vpn ipsec ike-group bcn-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group bcn-ike proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer PUBLIC IP R2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer PUBLIC IP R2 authentication pre-shared-secret 'Password'
set vpn ipsec site-to-site peer PUBLIC IP R2 ike-group 'bcn-ike'
set vpn ipsec site-to-site peer PUBLIC IP R2 local-address 'IP PUBLIC R1'
set vpn ipsec site-to-site peer PUBLIC IP R2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer PUBLIC IP R2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer PUBLIC IP R2 tunnel 0 esp-group 'bcn-esp'
set vpn ipsec site-to-site peer PUBLIC IP R2 tunnel 0 local prefix '192.168.1.0/24'
set vpn ipsec site-to-site peer PUBLIC IP R2 tunnel 0 remote prefix '172.16.2.0/24'

R2

set vpn ipsec esp-group mad-esp compression 'disable'
set vpn ipsec esp-group mad-esp lifetime '1800'
set vpn ipsec esp-group mad-esp mode 'tunnel'
set vpn ipsec esp-group mad-esp pfs 'disable'
set vpn ipsec esp-group mad-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group mad-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group mad-ike ikev2-reauth 'no'
set vpn ipsec ike-group mad-ike key-exchange 'ikev1'
set vpn ipsec ike-group mad-ike lifetime '1800'
set vpn ipsec ike-group mad-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group mad-ike proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer PUBLIC IP R1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer PUBLIC IP R1 authentication pre-shared-secret 'not-so-secret'
set vpn ipsec site-to-site peer PUBLIC IP R1 ike-group 'mad-ike'
set vpn ipsec site-to-site peer PUBLIC IP R1 local-address 'IP PUBLIC R2'
set vpn ipsec site-to-site peer PUBLIC IP R1 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer PUBLIC IP R1 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer PUBLIC IP R1 tunnel 0 esp-group 'mad-esp'
set vpn ipsec site-to-site peer PUBLIC IP R1 tunnel 0 local prefix '172.16.2.0/24'
set vpn ipsec site-to-site peer PUBLIC IP R1 tunnel 0 remote prefix '192.168.1.0/24'

On the virtual routers I have SNAT enabled; that's why I haven't configured any NAT in VyOS. The tunnel is always down.

I enabled NAT traversal in the ESP group and it doesn't work either.

Hi, try using an authentication id with your public IP on each side:

set vpn ipsec site-to-site peer x.x.x.x authentication id @RIGHT
set vpn ipsec site-to-site peer x.x.x.x authentication remote-id LEFT

Thanks for the reply. I have tried it and nothing. I think I'll add a public IP directly on the interface for simplicity.

If the devices are using private IPs, then the next command should be changed:

set vpn ipsec site-to-site peer PUBLIC IP R2 local-address 'IP PUBLIC R1'

And use the appropriate private IP of the ipsec interface, which is eth0 in your case.

This, in combination with authentication ids (you can use the public IPs as ids), should help.

You can also check the logs to see why it is not working.


Thank you, I'll try it.
The only thing I see in the logs is the following:
The local-address x.x.x.x of peer “R2…” has not been configured in any of the ipsec-interfaces.
That’s why I think I’ll opt to put the public IP directly in the interface

If I do it with the public IP on the eth0 interface instead of the private 192…, I have to ignore these lines, right?
set vpn ipsec site-to-site peer PUBLIC_B tunnel 0 local prefix '192.168.1.0/24'
set vpn ipsec site-to-site peer PUBLIC_B tunnel 0 remote prefix '172.16.2.0/24'

No, you will need those lines.
Those commands mean that all traffic from network 192.168.1.0/24 to destination 172.16.2.0/24 will be routed through the IPsec tunnel.

The local-address x.x.x.x of peer “R2…” has not been configured in any of the ipsec-interfaces.

In local-address you need to put the IP assigned to the ipsec interface.

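A consistency check for a pair of VyOS site-to-site configs in the shape posted above, added here as an example (it is not from the thread or from VyOS): it reproduces the "local-address ... has not been configured in any of the ipsec-interfaces" condition from the quoted log, and also flags a pre-shared-secret mismatch and local/remote prefixes that are not mirrored. The 203.0.113.x addresses, the interface address table and sample_cfg are constructed placeholders.

```python
import shlex

def parse(cfg):
    """Parse 'set vpn ipsec ...' lines into (ipsec_interfaces, {peer: {subpath: value}})."""
    ifaces, peers = set(), {}
    for line in cfg.strip().splitlines():
        w = shlex.split(line.replace("\u2018", "'").replace("\u2019", "'"))  # forum curly quotes
        if w[:5] == ["set", "vpn", "ipsec", "ipsec-interfaces", "interface"]:
            ifaces.add(w[5])
        elif w[:5] == ["set", "vpn", "ipsec", "site-to-site", "peer"]:
            peers.setdefault(w[5], {})[tuple(w[6:-1])] = w[-1]
    return ifaces, peers

def lint(parsed, iface_addrs):
    """parsed: {router: parse(...)}; iface_addrs: {router: {iface: {ip, ...}}} as seen on the box.
    Returns a list of problems; an empty list means the two sides are consistent."""
    problems, (r1, p1), (r2, p2) = [], *parsed.items()
    for me, (ifaces, mine), theirs in ((r1, p1, p2[1]), (r2, p2, p1[1])):
        bound = {ip for i in ifaces for ip in iface_addrs[me].get(i, ())}
        for peer, s in mine.items():
            la = s.get(("local-address",))
            if la not in bound:  # the condition behind the log line quoted in the thread
                problems.append(f"{me}: local-address {la} of peer {peer} is not on any ipsec-interface")
            if la not in theirs:  # the other side must address us by that same local-address
                problems.append(f"{me}: remote side has no peer entry for {la}")
                continue
            psk = ("authentication", "pre-shared-secret")
            if s.get(psk) != theirs[la].get(psk):
                problems.append(f"{me}: pre-shared-secret for peer {peer} differs from remote side")
            for key, prefix in s.items():  # my local prefix must be their remote prefix
                if key[2:] == ("local", "prefix") and theirs[la].get(key[:2] + ("remote", "prefix")) != prefix:
                    problems.append(f"{me}: tunnel {key[1]} local prefix {prefix} not mirrored remotely")
    return problems

def sample_cfg(peer, local, psk, lo, rem):  # constructed config in the shape of the thread's R1/R2
    return f"""set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer {peer} authentication pre-shared-secret '{psk}'
set vpn ipsec site-to-site peer {peer} local-address '{local}'
set vpn ipsec site-to-site peer {peer} tunnel 0 local prefix '{lo}'
set vpn ipsec site-to-site peer {peer} tunnel 0 remote prefix '{rem}'"""

# Placeholder (RFC 5737) public IPs; R1's local-address is its floating IP, which is not bound on
# eth0 (only the private 192.168.1.1 is), and the two PSKs differ, as in the posted configs.
TREES = {"R1": parse(sample_cfg("203.0.113.2", "203.0.113.1", "Password", "192.168.1.0/24", "172.16.2.0/24")),
         "R2": parse(sample_cfg("203.0.113.1", "203.0.113.2", "not-so-secret", "172.16.2.0/24", "192.168.1.0/24"))}
IFACE_ADDRS = {"R1": {"eth0": {"192.168.1.1"}}, "R2": {"eth0": {"203.0.113.2"}}}

def sample_problems():
    return lint(TREES, IFACE_ADDRS)
```

Feed it `show configuration commands | grep 'vpn ipsec'` from each router plus the addresses from `show interfaces`; once the local-address is an IP actually bound on the ipsec interface (or the public IP is moved onto eth0, as the thread ends up doing) the first finding disappears.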

The tunnel came up once two interfaces were added:
eth0 with public IP
eth1 with private IP

Thanks for everything.
Now I'm going to try it as I mentioned at the beginning: a private IP with a floating IP, adding the ids as they told me, and with the local address being the public address rather than the private one.
