Vpn ipsec tunnel down between 2 (vyos 1.4)

Bugs
,
1

I have created th vpn ipsec site to site tunnel but it’s showing down (both phases), below are the configuration in vyos.

vyos 1

set vpn ipsec ike-group IKE-1E lifetime 3600

set vpn ipsec ike-group IKE-1E proposal 1 dh-group 2

set vpn ipsec ike-group IKE-1E proposal 1 encryption 3des

set vpn ipsec ike-group IKE-1E proposal 1 hash sha1

set vpn ipsec esp-group ESP-1E mode tunnel

set vpn ipsec esp-group ESP-1E pfs dh-group2

set vpn ipsec esp-group ESP-1E proposal 1 encryption 3des

set vpn ipsec esp-group ESP-1E proposal 1 hash sha1

set vpn ipsec site-to-site peer vyos2-ipsec authentication mode pre-shared-secret

set vpn ipsec site-to-site peer vyos2-ipsec authentication pre-shared-secret ‘*****’

set vpn ipsec site-to-site peer vyos2-ipsec connection-type initiate

set vpn ipsec site-to-site peer vyos2-ipsec default-esp-group ESP-1E

set vpn ipsec site-to-site peer vyos2-ipsec ike-group IKE-1E

set vpn ipsec site-to-site peer vyos2-ipsec local-address x.x.x.x

set vpn ipsec site-to-site peer vyos2-ipsec remote-address x.x.x.x

set vpn ipsec site-to-site peer vyos2-ipsec tunnel 1 local prefix 0.0.0.0/0

set vpn ipsec site-to-site peer vyos2-ipsec tunnel 1 remote prefix 0.0.0.0/0

set vpn ipsec interface eth1

vyos2
set vpn ipsec ike-group IKE-1E lifetime 3600

set vpn ipsec ike-group IKE-1E proposal 1 dh-group 2

set vpn ipsec ike-group IKE-1E proposal 1 encryption 3des

set vpn ipsec ike-group IKE-1E proposal 1 hash sha1

set vpn ipsec esp-group ESP-1E mode tunnel

set vpn ipsec esp-group ESP-1E pfs dh-group2

set vpn ipsec esp-group ESP-1E proposal 1 encryption 3des

set vpn ipsec esp-group ESP-1E proposal 1 hash sha1
set vpn ipsec interface eth1

set vpn ipsec site-to-site peer vyos2-ipsec authentication mode pre-shared-secret

set vpn ipsec site-to-site peer vyos2-ipsec authentication pre-shared-secret ‘*****’

set vpn ipsec site-to-site peer vyos2-ipsec connection-type initiate

set vpn ipsec site-to-site peer vyos2-ipsec default-esp-group ESP-1E

set vpn ipsec site-to-site peer vyos2-ipsec ike-group IKE-1E

set vpn ipsec site-to-site peer vyos2-ipsec local-address x.x.x.x

set vpn ipsec site-to-site peer vyos2-ipsec remote-address x.x.x.x

set vpn ipsec site-to-site peer vyos2-ipsec tunnel 1 local prefix 0.0.0.0/0

set vpn ipsec site-to-site peer vyos2-ipsec tunnel 1 remote prefix 0.0.0.0/0

2

Hello @Jamal
It is better to use vti interfaces if you want to use 0.0.0.0/0 as CHILD SAs.
And if you want to find an issue, please use the next command.
sudo journalctl -b | grep charon

3

Yes - That would help rather than just a configuration? Which one is failing? IKE or Ipsec?

4

Thanks for your prompt response.

Yes now tunnel is UP for both ike and ipsec.