VPN IPsec with VTI

Good morning,
I’m trying to configure an IPSec VPN tunnel with VTI interfaces between VyOS 1.5-rolling-202401080717 and a FortiGate.
The tunnel looks to be up:

vyos@vyos-1:~$ show vpn ike sa | strip-private
Peer ID / IP                         Local ID / IP
------------                         -------------
xxx.xxx.252.225 xxx.xxx.252.225      xxx.xxx.6.3 xxx.xxx.6.3

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_2048      yes    1483    0

and

vyos@vyos-1:~$ show vpn ipsec sa | strip-private
Connection      State  Uptime  Bytes In/Out  Packets In/Out  Remote address   Remote ID        Proposal
--------------  -----  ------  ------------  --------------  ---------------  ---------------  ----------------------------------
XC-DC-tunnel-0  up     4m51s   1K/0B         29/0            xxx.xxx.252.225  xxx.xxx.252.225  AES_CBC_256/HMAC_SHA1_96/MODP_2048
vyos@vyos-1:~$

but I’m unable to ping the VTI IP address on remote site.

My config is:

set interfaces vti vti0 address 'xxx.xxx.24.6/30'
set interfaces vti vti0 ip adjust-mss '1394'
set interfaces vti vti0 mtu '1436'

set vpn ipsec authentication psk XC-DC id 'xxx.xxx.6.3'
set vpn ipsec authentication psk XC-DC id 'xxx.xxx.252.225'
set vpn ipsec authentication psk XC-DC secret xxxxxx
set vpn ipsec esp-group xc-dc-esp lifetime '1800'
set vpn ipsec esp-group xc-dc-esp mode 'tunnel'
set vpn ipsec esp-group xc-dc-esp pfs 'dh-group14'
set vpn ipsec esp-group xc-dc-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group xc-dc-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group xc-dc-ike key-exchange 'ikev1'
set vpn ipsec ike-group xc-dc-ike lifetime '3600'
set vpn ipsec ike-group xc-dc-ike proposal 1 dh-group '14'
set vpn ipsec ike-group xc-dc-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group xc-dc-ike proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer XC-DC authentication local-id 'xxx.xxx.6.3'
set vpn ipsec site-to-site peer XC-DC authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer XC-DC authentication remote-id 'xxx.xxx.252.225'
set vpn ipsec site-to-site peer XC-DC ike-group 'xc-dc-ike'
set vpn ipsec site-to-site peer XC-DC local-address 'xxx.xxx.6.3'
set vpn ipsec site-to-site peer XC-DC remote-address 'xxx.xxx.252.225'
set vpn ipsec site-to-site peer XC-DC tunnel 0 esp-group 'xc-dc-esp'
set vpn ipsec site-to-site peer XC-DC tunnel 0 local prefix 'xxx.xxx.0.0/0'
set vpn ipsec site-to-site peer XC-DC tunnel 0 remote prefix 'xxx.xxx.0.0/0'

Any ideas on what’s going wrong? Thank you very much!
N.

You don’t need tunnel 0 if you use vtiX

set vpn ipsec site-to-site peer XC-DC vti bind xxx
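For reference, the VTI-style peer definition the reply describes, written out in the same VyOS syntax as the original config (an added, constructed example, not the poster's own or the reply's config): the `tunnel 0` stanza is dropped in favour of binding vti0 and the ESP group to the peer, and, because `disable-route-autoinstall` is set, the remote network is reached with a static route over vti0. The remote prefix 192.0.2.0/24 is a placeholder; the IKE and ESP groups are assumed to stay as in the post.

```vyos
# VTI interface, unchanged from the post
set interfaces vti vti0 address 'xxx.xxx.24.6/30'
set interfaces vti vti0 ip adjust-mss '1394'
set interfaces vti vti0 mtu '1436'

# Peer: bind the VTI and the ESP group directly to the peer, no 'tunnel 0' block
set vpn ipsec site-to-site peer XC-DC authentication local-id 'xxx.xxx.6.3'
set vpn ipsec site-to-site peer XC-DC authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer XC-DC authentication remote-id 'xxx.xxx.252.225'
set vpn ipsec site-to-site peer XC-DC ike-group 'xc-dc-ike'
set vpn ipsec site-to-site peer XC-DC local-address 'xxx.xxx.6.3'
set vpn ipsec site-to-site peer XC-DC remote-address 'xxx.xxx.252.225'
set vpn ipsec site-to-site peer XC-DC vti bind 'vti0'
set vpn ipsec site-to-site peer XC-DC vti esp-group 'xc-dc-esp'

# Remove the traffic-selector tunnel left over from the non-VTI attempt
delete vpn ipsec site-to-site peer XC-DC tunnel 0

# With disable-route-autoinstall set, routes over the VTI must be added by hand
# (192.0.2.0/24 is a placeholder for the remote site's network)
set protocols static route 192.0.2.0/24 interface vti0

commit
save

# Check that the VTI came up and the remote VTI address answers
run show interfaces vti vti0
run ping xxx.xxx.24.5 count 3
```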

Oops… sorry, I forgot to remove and replace those lines! Thank you!
